diff --git a/browsers/edge/includes/allow-adobe-flash-include.md b/browsers/edge/includes/allow-adobe-flash-include.md index 47675924db..8f774871e7 100644 --- a/browsers/edge/includes/allow-adobe-flash-include.md +++ b/browsers/edge/includes/allow-adobe-flash-include.md @@ -34,7 +34,7 @@ ms.topic: include #### MDM settings - **MDM name:** Browser/[AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowflash) - **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlash - **Data type:** Integer #### Registry settings diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 187ba67198..186b96bd2c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -19,11 +19,11 @@ ms.date: 12/04/2017 **Applies to:** -- Windows 10 +- Windows 10 (>= v1709) - Windows 8.1 - Windows 7 -Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. +Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10 (>= v1709), using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. **Important**
If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index d9bdb48c3a..cc71b5adf8 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -21,9 +21,10 @@ ### [Configure Easy Authentication for Surface Hub 2S](surface-hub-2s-phone-authenticate.md) ## Deploy -### [Surface Hub 2S adoption toolkit](surface-hub-2s-adoption-kit.md) ### [First time setup for Surface Hub 2S](surface-hub-2s-setup.md) +### [Connect devices to Surface Hub 2S](surface-hub-2s-connect.md) ### [Surface Hub 2S deployment checklist](surface-hub-2s-deploy-checklist.md) +### [Surface Hub 2S adoption toolkit](surface-hub-2s-adoption-kit.md) ### [Create Surface Hub 2S device account](surface-hub-2s-account.md) ### [Create provisioning packages for Surface Hub 2S](surface-hub-2s-deploy.md) ### [Deploy apps to Surface Hub 2S using Intune](surface-hub-2s-deploy-apps-intune.md) diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index 2075507bd4..6d7d33415f 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md @@ -1,101 +1,120 @@ --- -title: Device reset (Surface Hub) -description: You may wish to reset your Microsoft Surface Hub. +title: Reset or recover a Surface Hub +description: Describes the reset and recovery processes for the Surface Hub, and provides instructions. ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF ms.reviewer: manager: dansimp -keywords: reset Surface Hub +keywords: reset Surface Hub, recover ms.prod: surface-hub ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 07/27/2017 +ms.date: 07/31/2019 ms.localizationpriority: medium --- -# Device reset (Surface Hub) +# Reset or recover a Surface Hub +This article describes how to reset or recover a Microsoft Surface Hub. -You may wish to reset your Microsoft Surface Hub. +[Resetting the Surface Hub](#reset-a-surface-hub) returns its operating system to the last cumulative Windows update, and removes all local user files and configuration information. The information that is removed includes the following: -Typical reasons for a reset include: +- The device account +- Account information for the device's local administrators +- Domain-join or Azure AD-join information +- Mobile Device Management (MDM) enrollment information +- Configuration information that was set by using MDM or the Settings app -- The device isn’t running well after installing an update. -- You’re repurposing the device for a new meeting space and want to reconfigure it. -- You want to change how you locally manage the device. +[Recovering a Surface Hub from the cloud](#recover-a-surface-hub-from-the-cloud) also removes this information. In addition, the Surface Hub downloads a new operating system image and installs it. You can specify whether the recovery process preserves other information that is stored on the Surface Hub. -Initiating a reset will return the device to the last cumulative Windows update, and remove all local user files and configuration, including: +## Reset a Surface Hub -- The device account -- MDM enrollment -- Domain join or Azure AD join information -- Local admins on the device -- Configurations from MDM or the Settings app +You may have to reset your Surface Hub for reasons such as the following: -> [!IMPORTANT] -> Performing a device reset may take up to 6 hours. Do not turn off or unplug the Surface Hub until the process has completed. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality. +- You are re-purposing the device for a new meeting space and want to reconfigure it. +- You want to change how you locally manage the device. +- The user name or password for the device account or the Administrator account has been lost. +- After you install an update, the performance of the device decreases. -After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again. If the Surface Hub displays a Welcome screen, that indicates that the reset encountered a problem and rolled back to the previously existing OS image. +During the reset process, if you see a blank screen for long periods of time, please wait and do not take any action. -If you see a blank screen for long periods of time during the **Reset device** process, please wait and do not take any action. +> [!WARNING] +> The device reset process may take up to six hours. Do not turn off or unplug the Surface Hub until the process has finished. If you interrupt the process, the device becomes inoperable. The device requires warranty service in order to become functional again. - -## Reset a Surface Hub from Settings - -**To reset a Surface Hub** 1. On your Surface Hub, open **Settings**. - ![Image showing Settings app for Surface Hub.](images/sh-settings.png) + ![Image that shows Settings app for Surface Hub.](images/sh-settings.png) -2. Click **Update & Security**. +1. Select **Update & Security**. - ![Image showing Update & Security group in Settings app for Surface Hub.](images/sh-settings-update-security.png) + ![Image that shows Update & Security group in Settings app for Surface Hub.](images/sh-settings-update-security.png) -3. Click **Recovery**, and then, under **Reset device**, click **Get started**. +1. Select **Recovery**, and then, under **Reset device**, select **Get started**. - ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png) + ![Image that shows the Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png) + + After the reset process finishes, the Surface Hub starts the [first run program](first-run-program-surface-hub.md) again. If the reset process encounters a problem, it rolls the Surface Hub back to the previously-existing operating system image and then displays the Welcome screen. + ## Recover a Surface Hub from the cloud -In the Windows Recovery Environment (Windows RE), you can recover your device by downloading a factory build from the cloud and installing it on the Surface Hub. This allows devices in an unusable state to recover without requiring assistance from Microsoft Support. +If for some reason the Surface Hub becomes unusable, you can still recover it from the cloud without assistance from Microsoft Support. The Surface Hub can download a fresh operating system image from the cloud, and use that image to reinstall its operating system. ->[!NOTE] ->The **Recover from the cloud** process requires an open internet connection (no proxy, or other authentications). An ethernet connection is recommended. +You may have to use this type of recovery process under the following circumstances: + +- [The Surface Hub or its related accounts have entered an unstable state](#recover-a-surface-hub-in-a-bad-state) +- [The Surface Hub is locked](#recover-a-locked-surface-hub) + +>[!IMPORTANT] +>The **Recover from the cloud** process requires an open internet connection (no proxy or other authentications). An ethernet connection is recommended. ### Recover a Surface Hub in a bad state -If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem. +If the device account gets into an unstable state or if the administrator account encounters problems, you can use the Settings app to start the cloud recovery process. You should only use the cloud recovery process when the [device reset](#reset-a-surface-hub) process doesn't fix the problem. -1. On your Surface Hub, go to **Settings** > **Update & security** > **Recovery**. +1. On your Surface Hub, select **Settings** > **Update & security** > **Recovery**. -2. Under **Recover from the cloud**, click **Restart now**. +1. Under **Recover from the cloud**, select **Restart now**. - ![recover from the cloud](images/recover-from-the-cloud.png) + ![recover from the cloud](images/recover-from-the-cloud.png) ### Recover a locked Surface Hub -On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx). +On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device automatically restarts and tries the operation again. But if this operation fails repeatedly, the device automatically locks to protect user data. To unlock it, you must [reset the device](#reset-a-surface-hub) or, if that doesn't work, recover it from the cloud. -1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide (PDF)](surface-hub-site-readiness-guide.md) for help with locating the power switch. -2. The device should automatically boot into Windows RE. -3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.) +1. Locate the power switch on the bottom of Surface Hub. The power switch is next to the power cord connection. For more information about the power switch, see the [Surface Hub Site Readiness Guide (PDF)](surface-hub-site-readiness-guide.md). - ![Recover from the cloud](images/recover-from-cloud.png) +1. While the Surface Hub displays the Welcome screen, use the power switch to turn off the Surface Hub. -4. Enter the Bitlocker key (if prompted). -5. When prompted, select **Reinstall**. +1. Use the power switch to turn the Surface Hub back on. The device starts and displays the Surface Hub Logo screen. When you see spinning dots under the Surface Hub Logo, use the power switch to turn the Surface Hub off again. + +1. Repeat step 3 three times, or until the Surface Hub displays the “Preparing Automatic Repair” message. After it displays this message, the Surface Hub displays the Windows RE screen. + +1. Select **Advanced Options**. + +1. Select **Recover from the cloud**. (Optionally, you can select **Reset**. However, **Recover from the cloud** is the recommended approach.) + + ![Recover from the cloud](images/recover-from-cloud.png) +1. If you are prompted to enter the Bitlocker key, do one of the following: + + - To preserve the information that Bitlocker protects on the Surface Hub, enter the Bitlocker key. + - To discard the protected information, select **Skip this drive** + +1. When you are prompted, select **Reinstall**. ![Reinstall](images/reinstall.png) -6. Select **Yes** to repartition the disk. +1. To repartition the disk, select **Yes**. - ![Repartition](images/repartition.png) + ![Repartition](images/repartition.png) -Reset will begin after the image is downloaded from the cloud. You will see progress indicators. + First, the recovery process downloads the operating system image from the cloud. -![downloading 97&](images/recover-progress.png) + ![downloading 97&](images/recover-progress.png) + + When the download finishes, the recovery process restores the Surface Hub according to the options that you selected. ## Related topics diff --git a/devices/surface-hub/surface-hub-2s-account.md b/devices/surface-hub/surface-hub-2s-account.md index a3889dc678..cb0a6f3943 100644 --- a/devices/surface-hub/surface-hub-2s-account.md +++ b/devices/surface-hub/surface-hub-2s-account.md @@ -21,9 +21,9 @@ Unlike standard Room mailboxes that remain disabled by default, you need to enab Create the account using the Microsoft 365 admin center or by using PowerShell. You can use Exchange Online PowerShell to configure specific features including: -- Calendar processing for every Surface Hub device account. -- Custom auto replies to scheduling requests. -- If the default ActiveSync mailbox policy has already been modified by someone else or another process, you will likely have to create and assign a new ActiveSync mailbox policy +- Calendar processing for every Surface Hub device account. +- Custom auto replies to scheduling requests. +- If the default ActiveSync mailbox policy has already been modified by someone else or another process, you will likely have to create and assign a new ActiveSync mailbox policy ## Create account using Microsoft 365 admin center @@ -53,6 +53,7 @@ Create the account using the Microsoft 365 admin center or by using PowerShell. Instead of using the Microsoft Admin Center portal, you can create the account using PowerShell. ### Connect to Exchange Online PowerShell + ``` $365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential (Get-Credential) -Authentication Basic –AllowRedirection $ImportResults = Import-PSSession $365Session ``` diff --git a/devices/surface-hub/surface-hub-2s-change-history.md b/devices/surface-hub/surface-hub-2s-change-history.md index 26771c0fb6..19151f0d9a 100644 --- a/devices/surface-hub/surface-hub-2s-change-history.md +++ b/devices/surface-hub/surface-hub-2s-change-history.md @@ -17,6 +17,12 @@ ms.localizationpriority: Normal This topic summarizes new and updated content in the Surface Hub 2S documentation library. +## August 2019 + +Changes | Description +|:--- |:--- +|Connect devices to Surface Hub 2S| Updated with guidance for connecting to a second display. + ## July 2019 Changes | Description @@ -25,7 +31,6 @@ Changes | Description | Surface Hub 2S tech specs | Updated power consumption data | | Surface Hub 2S Adoption Kit | New | - ## June 2019 Changes | Description diff --git a/devices/surface-hub/surface-hub-2s-connect.md b/devices/surface-hub/surface-hub-2s-connect.md index 30eb0d5579..9422e7facc 100644 --- a/devices/surface-hub/surface-hub-2s-connect.md +++ b/devices/surface-hub/surface-hub-2s-connect.md @@ -14,82 +14,114 @@ ms.localizationpriority: Normal --- # Connect devices to Surface Hub 2S - Surface Hub 2S lets you connect external devices, mirror the display on Surface Hub 2S to another device, and connect a wide variety of third-party peripherals including video conference cameras, conference phones, and room system devices. -## Connect external PCs and related devices - You can display content from your devices to Surface Hub 2S. If the source device is Windows-based, that device can also provide TouchBack and InkBack, which takes video and audio from the connected device and presents them on Surface Hub 2S. If Surface Hub 2S encounters a High-Bandwidth Digital Content Protection (HDCP) signal, such as a Blu-ray DVD player, the source is displayed as a black image. > [!NOTE] -> Surface Hub 2S uses the video input selected until a new connection is made, the existing connection is disrupted, or the Connect App is closed. +> Surface Hub 2S uses the video input selected until a new connection is made, the existing connection is disrupted, or the Connect app is closed. -## Recommended wired configurations for connecting to Surface Hub 2S +## Recommended wired configurations In general, it’s recommended to use native cable connections whenever possible such as USB-C to USB-C or HDMI to HDMI. Other combinations such as MiniDP to HDMI or MiniDP to USB-C will also work. -|**Mode**|**Connection**|**Functionality**|**Comments**| -|:---- |:---------- |:------------ |:-------- | -| Wired “Connect” Application | USB-C (via compute module) | Video, audio, TouchBack/InkBack into Surface Hub 2S.| Provides video, audio, and TouchBack/InkBack on a single cable. | -| | HDMI + USB-C | HDMI-in for Audio/Video
USB-C for TouchBack/InkBack | USB-C supports TouchBack/InkBack with the HDMI A/V connection

Use USB-C to USB-A to connect to legacy computers

*NOTE: For best results, connect HDMI before connecting USB-C cable. If the computer you are using for HDMI is not compatible with TouchBack and InkBack, you won't need a USB-C cable.* | -| “Source” selection experience
(bypasses the OS, full screen requires source selection with keypad button) | USB-C (port in compute module) | Video, Audio into Surface Hub 2S | Single cable needed for A/V
Touchback/InkBack not supported
HDCP enabled | -| | HDMI (in port) | Video, Audio into Surface Hub 2S | Single cable needed for A/V
TouchBack/InkBack not supported
HDCP enabled | +| **Connection** | **Functionality** | **Description**| +| --- | --- | ---| +| USB-C
(via compute module) | Video-in
Video-out
Audio-in
Audio-out

TouchBack and InkBack | Provides video, audio, and TouchBack/InkBack on a single cable.

**NOTE:** Some configuration is required to optimize the video-out experience. Refer to the section below: [Mirroring Surface Hub 2S display on another device](#). | +| HDMI + USB-C | HDMI-in for audio and video

USB-C for TouchBack and InkBack | USB-C supports TouchBack and InkBack with the HDMI A/V connection.

Use USB-C to USB-A to connect to legacy computers.

**NOTE:** For best results, connect HDMI before connecting a USB-C cable. If the computer you're using for HDMI is not compatible with TouchBack and InkBack, you won't need a USB-C cable. | +| USB-C
(via compute module) | Video-in
Audio-in | Single cable needed for A/V

TouchBack and InkBack not supported

HDCP enabled | +| HDMI (in port) | Video, Audio into Surface Hub 2S | Single cable needed for A/V

TouchBack and InkBack not supported

HDCP enabled | +| MiniDP 1.2 output | Video-out such as mirroring to a larger projector. | Single cable needed for A/V | -When you connect a guest computer to Surface Hub 2S via the wired connect USB-C port, several USB devices are discovered and configured. These peripheral devices are created for TouchBack and InkBack. As shown in the table below, the peripheral devices can be viewed in Device Manager, which will show duplicate names for some devices. +When you connect a guest computer to Surface Hub 2S via the USB-C port, several USB devices are discovered and configured. These peripheral devices are created for TouchBack and InkBack. As shown in the following table, the peripheral devices can be viewed in Device Manager, which will show duplicate names for some devices, as shown in the following table. -|**Peripheral**|**Listing in Device Manager**| -|:---------- |:------------------------- | -| Human interface devices | HID-compliant consumer control device
HID-compliant pen
HID-compliant pen (duplicate item)
HID-compliant pen (duplicate item)
HID-compliant touch screen
USB Input Device
USB Input Device (duplicate item) | + +|**Peripheral**| **Listing in Device Manager** | +| ---------------------------- |------------- | ------------------------------| +| Human interface devices | HID-compliant consumer control device
HID-compliant pen
HID-compliant pen (duplicate item)
HID-compliant pen (duplicate item)
HID-compliant touch screen
USB Input Device
USB Input Device (duplicate item) | | Keyboards | Standard PS/2 keyboard | | Mice and other pointing devices | HID-compliant mouse | -| USB controllers | Generic USB hub
USB composite device | +| USB controllers | Generic USB hub
USB composite device | -### Connecting video-in to Surface Hub 2S +## Connecting video-in to Surface Hub 2S -Your choice of video cable will be determined by what is available from your source input. Surface Hub 2S has two choices of video input: USB-C and HDMI. See the following chart for available resolutions. +You can input video to Surface Hub 2S using USB-C or HDMI, as indicated in the following table. -|**Signal Type**|**Resolution**|**Frame rate**|**HDMI**|**USB-C**| -|:----------- |:----------- |:---------- |:---- |:----- | -| PC | 640 x 480 | 59.94/60 | X | X | -| PC | 720 x 480 | 59.94/60 | X | X | -| PC | 1024 x 768 | 60 | X | X | -| PC | 1920 x 1080 | 60 | X | X | -| PC | 3840x2560 | 60 | X | X | -| HDTV | 720p | 59.94/60 | X | X | -| HDTV | 1080p | 59.94/60 | X | X | -| UHD | 3840x2560 | 60 | X | X | +### Surface Hub 2S video-in settings + +| **Signal Type** | **Resolution** | **Frame rate** | **HDMI** | **USB-C** | +| --------------- | -------------- | -------------- | -------- | --------- | +| PC | 640 x 480 | 60 | X | X | +| PC | 720 x 480 | 60 | X | X | +| PC | 1024 x 768 | 60 | X | X | +| PC | 1920 x 1080 | 60 | X | X | +| PC | 3840x2560 | 30 | X | X | +| HDTV | 720p | 60 | X | X | +| HDTV | 1080p | 60 | X | X | +| 4K UHD | 3840x2560 | 30 | X | X | + +> [!NOTE] +> The 4K UHD resolution (3840×2560) is only supported when connecting to ports on the compute module. It is not supported on the “guest” USB ports located on the left, top, and right sides of the device. + +> [!NOTE] +> Video from a connected external PC may appear smaller when displayed on Surface Hub 2S. ## Mirroring Surface Hub 2S display on another device -Surface Hub 2S includes a Video Out port for mirroring visual content from Surface Hub 2S to another display. +You can output video to another display using either USB-C or MiniDP, as indicated in the following table. -|**MODE**|**Connection**|**Functionality**|**Comments**| -|:---- |:---------- |:------------- |:-------- | -| Display out | MiniDP output port | Display and audio out (support for duplicate mode only) | Requires external keyboard
Win+P and select Duplicate mode
Supports audio out (configurable via settings) | +### Surface Hub 2S video-out settings -### Selecting cables +| **Signal Type** | **Resolution** | **Frame rate** | **USB-C** | **MiniDP** | +| --------------- | -------------- | -------------- | --------- | ---------- | +| PC | 640 x 480 | 60 | X | X | +| PC | 720 x 480 | 60 | X | X | +| PC | 1024 x 768 | 60 | X | X | +| PC | 1920 x 1080 | 60 | X | X | +| PC | 3840x2560 | 60 | X | X | +| HDTV | 720p | 60 | X | X | +| HDTV | 1080p | 60 | X | X | +| 4K UHD | 3840x2560 | 60 | X | X | -DisplayPort cables are certified for to 3 meters in length. If a long cable is necessary, HDMI is recommended due to the wide availability of cost-effective, long-haul cables with the added benefit of installing repeaters if needed. + +Surface Hub 2S includes a MiniDP video-out port for projecting visual content from Surface Hub 2S to another display. If you plan to use Surface Hub 2S to project to another display, note the following recommendations: + +- **Keyboard required.** Before you begin, you’ll need to connect either a wired or Bluetooth-enabled external keyboard to Surface Hub 2S. Note that unlike the original Surface Hub, a keyboard for Surface Hub 2S is sold separately and is not included in the shipping package.

+- **Set duplicate mode.** Surface Hub 2S supports video-out in duplicate mode only. However, you will still need to manually configure the display mode when you connect for the first time: + 1. Enter the **Windows logo key** + **P**, which opens the Project pane on the right side of Surface Hub 2S, and then select **Duplicate** mode. + 2. When you’re finished with your Surface Hub 2S session, select **End Session**. This ensures that the duplicate setting is saved for the next session.

+- **Plan for different aspect ratios.** Like other Surface devices, Surface Hub 2S uses a 3:2 display aspect ratio (the relationship between the width and the height of the display). Projecting Surface Hub 2S onto displays with different aspect ratios is supported. Note however that because Surface Hub 2S duplicates the display, the MiniDP output will also only display in a 3:2 aspect ratio, which may result in letterboxing or curtaining depending on the aspect ratio of the receiving display. + +> [!NOTE] +> if your second monitor uses a 16:9 aspect ratio (the predominant ratio for most TV monitors), black bars may appear on the left and right sides of the mirrored display. If this occurs, you may wish to inform your users that there is no need to adjust the second display. + +## Selecting cables + +Note the following recommendations: + +- **USB.** USB 3.1 Gen 2 cables. +- **MiniDP.** DisplayPort cables certified for up to 3 meters in length. +- **HDMI.** If a long cable is necessary, HDMI is recommended due to the wide availability of cost-effective, long-haul cables with the ability to install repeaters if needed. > [!NOTE] > Most DisplayPort sources will automatically switch to HDMI signaling if HDMI is detected. ## Wirelessly connect to Surface Hub 2S -Windows 10 natively supports Miracast, which lets you wireless connect to Surface Hub 2S. +Windows 10 natively supports Miracast, which lets you wireless connect to Surface Hub 2S.

-### To connect using Miracast +### To connect using Miracast: -1. On your Windows 10 device, enter **Win** + **K**. +1. On your Windows 10 device, enter **Windows logo key** + **K**. 2. In the Connect window, look for the name of your Surface Hub 2S in the list of nearby devices. You can find the name of your Surface Hub 2S in the bottom left corner of the display. -3. If required, your system administrator may have enabled the PIN setting for Miracast connections on your Surface Hub which means that the first time you connect to that Surface Hub, a PIN number is displayed on the screen. +3. Enter a PIN if your system administrator has enabled the PIN setting for Miracast connections. This requires you to enter a PIN number when you connect to Surface Hub 2S for the first time. > [!NOTE] -> If you’re a local administrator on Surface Hub 2S, you can configure PIN requirements via **Surface app > Settings.** +>If you do not see the name of the Surface Hub 2S device as expected, it’s possible the previous session was prematurely closed. If so, sign into Surface Hub 2S directly to end the previous session and then connect from your external device. ## Connecting peripherals to Surface Hub 2S -## Bluetooth accessories +### Bluetooth accessories You can connect the following accessories to Surface Hub-2S using Bluetooth: @@ -99,4 +131,4 @@ You can connect the following accessories to Surface Hub-2S using Bluetooth: - Speakers > [!NOTE] -> After you connect a Bluetooth headset or speaker, you might need to change the default microphone and speaker settings. For more information, see [Local management for Surface Hub settings](local-management-surface-hub-settings.md). +> After you connect a Bluetooth headset or speaker, you might need to change the default microphone and speaker settings. For more information, see [**Local management for Surface Hub settings**](https://docs.microsoft.com/en-us/surface-hub/local-management-surface-hub-settings). diff --git a/devices/surface-hub/surface-hub-2s-install-mount.md b/devices/surface-hub/surface-hub-2s-install-mount.md index cd82888480..53a75568d1 100644 --- a/devices/surface-hub/surface-hub-2s-install-mount.md +++ b/devices/surface-hub/surface-hub-2s-install-mount.md @@ -34,4 +34,3 @@ If you’re not using licensed accessories, see [Customize wall mount of Surface | Get someone to help you lift and mount your Surface Hub. Make sure to hold and lift the Surface Hub from the bottom. | ![* Remove the instructional label before mounting *](images/sh2-setup-3.png)
| | 4. **Attach accessories and power on** | | | Install accessories and attach power cable as shown. See guides on the screen cling. Remove cling wrap from the screen. Press the power button to power on. | ![* Attach accessories and power on *](images/sh2-setup-4.png)
| - diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md index 4b781ad9c3..d42810f20f 100644 --- a/devices/surface-hub/surface-hub-2s-manage-intune.md +++ b/devices/surface-hub/surface-hub-2s-manage-intune.md @@ -48,9 +48,9 @@ To ensure optimal video and audio quality on Surface Hub 2S, add the following Q |**Name**|**Description**|**OMA-URI**|**Type**|**Value**| |:------ |:------------- |:--------- |:------ |:------- | -|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition | String | 50000–50019 | +|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition | String | 50000-50019 | |**Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction | Integer | 46 | -|**Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/SourcePortMatchCondition | String | 50020–50039 | +|**Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/SourcePortMatchCondition | String | 50020-50039 | |**Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction | Integer | 34 | > [!NOTE] diff --git a/devices/surface-hub/surface-hub-2s-onscreen-display.md b/devices/surface-hub/surface-hub-2s-onscreen-display.md index d81ad4a0d1..7a2664bf01 100644 --- a/devices/surface-hub/surface-hub-2s-onscreen-display.md +++ b/devices/surface-hub/surface-hub-2s-onscreen-display.md @@ -13,9 +13,10 @@ ms.date: 07/09/2019 ms.localizationpriority: Normal --- # Adjust Surface Hub 2S brightness, volume, and input + Surface Hub 2S provides an on-screen display for volume, brightness, and input control. The Source button functions as a toggle key to switch between the volume, brightness, and input control menus. -**To show the on-screen display:** +## To show the on-screen display - Press and hold the **Source** button for 4 seconds. @@ -23,16 +24,16 @@ Surface Hub 2S provides an on-screen display for volume, brightness, and input c When the on-screen display is visible, use one or more buttons to reach desired settings. -**To adjust volume:** +## To adjust volume - Use the **Volume up/down** button to increase or decrease volume. -**To adjust brightness:** +## To adjust brightness 1. Press the **Source** button again to switch to the brightness menu. 2. Use the **Volume up/down** button to increase or decrease brightness. -**To adjust input:** +## To adjust input 1. Press the **Source** button twice to switch to the Source menu. 2. Use the **Volume up/down** button to switch between PC, HDMI, and USB-C inputs. diff --git a/devices/surface-hub/surface-hub-2s-phone-authenticate.md b/devices/surface-hub/surface-hub-2s-phone-authenticate.md index 1b6f56eda7..9773d4a735 100644 --- a/devices/surface-hub/surface-hub-2s-phone-authenticate.md +++ b/devices/surface-hub/surface-hub-2s-phone-authenticate.md @@ -20,7 +20,7 @@ Password-less phone sign-in simplifies signing-in to your meetings and files on > [!NOTE] > Password-less phone sign-in requires that your primary email address must match your UPN. -## To set up password-less phone sign-in +## To set up password-less phone sign-in 1. Download the [Microsoft Authenticator](https://www.microsoft.com/en-us/account/authenticator) app for iPhone or Android to your phone. 2. From your PC, go to [https://aka.ms/MFASetup](https://aka.ms/MFASetup) , sign in with your account, and select **Next.** diff --git a/devices/surface-hub/surface-hub-2s-port-keypad-overview.md b/devices/surface-hub/surface-hub-2s-port-keypad-overview.md index f7e59545a2..92555790c3 100644 --- a/devices/surface-hub/surface-hub-2s-port-keypad-overview.md +++ b/devices/surface-hub/surface-hub-2s-port-keypad-overview.md @@ -41,4 +41,3 @@ The figure below shows the location of ports and physical buttons on a keypad at | 11 | **Power** | Power device on/off.
Use also to navigate display menus and select items. | n/a | ![Rear facing view of wireless, audio, & related components](images/hub2s-rear.png) - diff --git a/devices/surface-hub/surface-hub-2s-quick-start.md b/devices/surface-hub/surface-hub-2s-quick-start.md index 9ca02f89ce..518e43405c 100644 --- a/devices/surface-hub/surface-hub-2s-quick-start.md +++ b/devices/surface-hub/surface-hub-2s-quick-start.md @@ -13,7 +13,7 @@ ms.date: 06/20/2019 ms.localizationpriority: Normal --- -# Surface Hub 2S quick start +# Surface Hub 2S quick start ## Unpack Surface Hub 2S diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md index 71dcfa24c1..263228238b 100644 --- a/devices/surface-hub/surface-hub-2s-recover-reset.md +++ b/devices/surface-hub/surface-hub-2s-recover-reset.md @@ -55,4 +55,4 @@ On rare occasions, Surface Hub 2S may encounter an error during cleanup of user Reset or recover the device from Windows Recovery Environment (Windows RE). For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx) > [!NOTE] -> To enter recovery mode, you need to physically unplug and replug the power cord three times. \ No newline at end of file +> To enter recovery mode, you need to physically unplug and replug the power cord three times. diff --git a/devices/surface-hub/surface-hub-2s-setup.md b/devices/surface-hub/surface-hub-2s-setup.md index 5e8872b4a8..a987a80d26 100644 --- a/devices/surface-hub/surface-hub-2s-setup.md +++ b/devices/surface-hub/surface-hub-2s-setup.md @@ -98,4 +98,3 @@ If you insert a USB thumb drive with a provisioning package into one of the USB ![* Select a device account and friendly name from your configuration file*](images/sh2-run14.png)
4. Follow the instructions to complete first time Setup. - diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index 881dfa5e4b..568e515039 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -26,6 +26,18 @@ Please refer to the “[Surface Hub Important Information](https://support.micro ## Windows 10 Team Creators Update 1703 +
+June 18, 2019—update for Team edition based on KB4503289* (OS Build 15063.1897) + +This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: + +* Addresses an issue with log collection for Microsoft Surface Hub 2S. +* Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully. + +Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services. +*[KB4503289](https://support.microsoft.com/help/4503289) +
+
May 28, 2019—update for Team edition based on KB4499162* (OS Build 15063.1835) @@ -484,4 +496,4 @@ This update to the Surface Hub includes quality improvements and security fixes. * [Windows 10 November update: FAQ](http://windows.microsoft.com/windows-10/windows-update-faq) * [Microsoft Surface update history](http://go.microsoft.com/fwlink/p/?LinkId=724327) * [Microsoft Lumia update history](http://go.microsoft.com/fwlink/p/?LinkId=785968) -* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447) \ No newline at end of file +* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447) diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md index 2c8a3793a6..e921c71e09 100644 --- a/devices/surface-hub/whiteboard-collaboration.md +++ b/devices/surface-hub/whiteboard-collaboration.md @@ -34,7 +34,7 @@ To get Whiteboard to Whiteboard collaboration up and running, you’ll need to m - Currently not utilizing Office 365 Germany or Office 365 operated by 21Vianet - Surface Hub needs to be updated to Windows 10, version 1607 or newer - Port 443 needs to be open since Whiteboard makes standard https requests -- Whiteboard.ms, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies +- Whiteboard.ms, whiteboard.microsoft.com, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies >[!NOTE] @@ -68,4 +68,5 @@ After you’re done, you can export a copy of the Whiteboard collaboration for y ## Related topics - [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub) -- [Support documentation for Microsoft Whiteboard](https://support.office.com/en-us/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01) + +- [Support documentation for Microsoft Whiteboard](https://support.office.com/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01) diff --git a/education/images/MSC17_cloud_005.png b/education/images/MSC17_cloud_005.png new file mode 100644 index 0000000000..dfda08109c Binary files /dev/null and b/education/images/MSC17_cloud_005.png differ diff --git a/education/images/MSC17_cloud_012_merged.png b/education/images/MSC17_cloud_012_merged.png new file mode 100644 index 0000000000..4defcaa59c Binary files /dev/null and b/education/images/MSC17_cloud_012_merged.png differ diff --git a/education/index.md b/education/index.md index 7db140e12d..f07f216119 100644 --- a/education/index.md +++ b/education/index.md @@ -32,7 +32,7 @@ ms.prod: w10
- +
@@ -51,7 +51,7 @@ ms.prod: w10
- +
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index e3c51dea05..8f8f6c6aa2 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.localizationpriority: medium author: mjcaparas ms.author: macapara -ms.date: 04/30/2018 +ms.date: 07/30/2019 ms.reviewer: manager: dansimp --- @@ -90,7 +90,7 @@ Check with your device manufacturer before trying Windows 10 in S mode on your d | HP | Huawei | I Life | | iNET | Intel | LANIT Trading | | Lenovo | LG | MCJ | -| Micro P/Exertis | Microsoft | MSI | +| Micro P/Exertis | Microsoft | MSI | | Panasonic | PC Arts | Positivo SA | | Positivo da Bahia | Samsung | Teclast | | Thirdwave | Tongfang | Toshiba | diff --git a/mdop/agpm/index.md b/mdop/agpm/index.md index 324327c269..3832e088c4 100644 --- a/mdop/agpm/index.md +++ b/mdop/agpm/index.md @@ -1,7 +1,7 @@ --- title: Advanced Group Policy Management description: Advanced Group Policy Management -author: jamiejdt +author: dansimp ms.assetid: 493ca3c3-c3d6-4bb1-9430-dc1e43c86bb0 ms.pagetype: mdop ms.mktglfcycl: manage diff --git a/mdop/appv-v4/index.md b/mdop/appv-v4/index.md index 8f75ce1701..18986550cc 100644 --- a/mdop/appv-v4/index.md +++ b/mdop/appv-v4/index.md @@ -1,7 +1,7 @@ --- title: Application Virtualization 4 description: Application Virtualization 4 -author: jamiejdt +author: dansimp ms.assetid: 9da557bc-f433-47d3-8af7-68ec4ff9bd3f ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/mdop/appv-v5/index.md b/mdop/appv-v5/index.md index ca33b4be38..c51ad7bc30 100644 --- a/mdop/appv-v5/index.md +++ b/mdop/appv-v5/index.md @@ -1,7 +1,7 @@ --- title: Application Virtualization 5 description: Application Virtualization 5 -author: jamiejdt +author: dansimp ms.assetid: e82eb44b-9ccd-41aa-923b-71400230ad23 ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/mdop/dart-v10/index.md b/mdop/dart-v10/index.md index ca199090fb..5d88fce5c0 100644 --- a/mdop/dart-v10/index.md +++ b/mdop/dart-v10/index.md @@ -1,7 +1,7 @@ --- title: Diagnostics and Recovery Toolset 10 description: Diagnostics and Recovery Toolset 10 -author: jamiejdt +author: dansimp ms.assetid: 64403eca-ff05-4327-ac33-bdcc96e706c8 ms.pagetype: mdop ms.mktglfcycl: support diff --git a/mdop/dart-v7/index.md b/mdop/dart-v7/index.md index 9dfe1fceaf..c4afe5d9d3 100644 --- a/mdop/dart-v7/index.md +++ b/mdop/dart-v7/index.md @@ -1,7 +1,7 @@ --- title: Diagnostics and Recovery Toolset 7 Administrator's Guide description: Diagnostics and Recovery Toolset 7 Administrator's Guide -author: jamiejdt +author: dansimp ms.assetid: bf89eccd-fc03-48ff-9019-a8640e11dd99 ms.pagetype: mdop ms.mktglfcycl: support diff --git a/mdop/dart-v8/index.md b/mdop/dart-v8/index.md index 4f39c5a258..346bf905a0 100644 --- a/mdop/dart-v8/index.md +++ b/mdop/dart-v8/index.md @@ -1,7 +1,7 @@ --- title: Diagnostics and Recovery Toolset 8 Administrator's Guide description: Diagnostics and Recovery Toolset 8 Administrator's Guide -author: jamiejdt +author: dansimp ms.assetid: 33685dd7-844f-4864-b504-3ef384ef01de ms.pagetype: mdop ms.mktglfcycl: support diff --git a/mdop/index.md b/mdop/index.md index 78fffc67fd..93ce634a80 100644 --- a/mdop/index.md +++ b/mdop/index.md @@ -2,7 +2,7 @@ title: MDOP Information Experience description: MDOP Information Experience ms.assetid: 12b8ab56-3267-450d-bb22-1c7e44cb8e52 -author: jamiejdt +author: dansimp ms.pagetype: mdop ms.mktglfcycl: manage ms.sitesec: library diff --git a/mdop/mbam-v1/index.md b/mdop/mbam-v1/index.md index 4424f1bfa5..a5e8ee0170 100644 --- a/mdop/mbam-v1/index.md +++ b/mdop/mbam-v1/index.md @@ -1,7 +1,7 @@ --- title: Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide description: Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide -author: jamiejdt +author: dansimp ms.assetid: 4086e721-db24-4439-bdcd-ac5ef901811f ms.pagetype: mdop, security ms.mktglfcycl: manage diff --git a/mdop/mbam-v2/index.md b/mdop/mbam-v2/index.md index 7f73c171c5..0582083a34 100644 --- a/mdop/mbam-v2/index.md +++ b/mdop/mbam-v2/index.md @@ -1,7 +1,7 @@ --- title: Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide description: Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide -author: jamiejdt +author: dansimp ms.assetid: fdb43f62-960a-4811-8802-50efdf04b4af ms.pagetype: mdop, security ms.mktglfcycl: manage diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md index a24a6d32c9..3013d8a294 100644 --- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md +++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md @@ -19,7 +19,7 @@ author: shortpatti This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 ### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 -[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=57157) +[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=58345) #### Steps to update the MBAM Server for existing MBAM environment 1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features). diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md index 244e0ae818..e5988391c0 100644 --- a/mdop/mbam-v25/index.md +++ b/mdop/mbam-v25/index.md @@ -1,7 +1,7 @@ --- title: Microsoft BitLocker Administration and Monitoring 2.5 description: Microsoft BitLocker Administration and Monitoring 2.5 -author: jamiejdt +author: dansimp ms.assetid: fd81d7de-b166-47e8-b6c7-d984830762b6 ms.pagetype: mdop, security ms.mktglfcycl: manage diff --git a/mdop/medv-v1/index.md b/mdop/medv-v1/index.md index 807accc058..42f4387220 100644 --- a/mdop/medv-v1/index.md +++ b/mdop/medv-v1/index.md @@ -1,7 +1,7 @@ --- title: Microsoft Enterprise Desktop Virtualization Planning, Deployment, and Operations Guide description: Microsoft Enterprise Desktop Virtualization Planning, Deployment, and Operations Guide -author: jamiejdt +author: dansimp ms.assetid: 7bc3e120-df77-4f4c-bc8e-7aaa4c2a6525 ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy diff --git a/mdop/medv-v2/index.md b/mdop/medv-v2/index.md index 5c86cb32d1..faa965a4f7 100644 --- a/mdop/medv-v2/index.md +++ b/mdop/medv-v2/index.md @@ -1,7 +1,7 @@ --- title: Microsoft Enterprise Desktop Virtualization 2.0 description: Microsoft Enterprise Desktop Virtualization 2.0 -author: jamiejdt +author: dansimp ms.assetid: 84109be0-4613-42e9-85fc-fcda8de6e4c4 ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy diff --git a/mdop/solutions/index.md b/mdop/solutions/index.md index 6183633995..98575f68c7 100644 --- a/mdop/solutions/index.md +++ b/mdop/solutions/index.md @@ -1,7 +1,7 @@ --- title: MDOP Solutions and Scenarios description: MDOP Solutions and Scenarios -author: jamiejdt +author: dansimp ms.assetid: 1cb18bef-fbae-4e96-a4f1-90cf111c3b5f ms.pagetype: mdop ms.mktglfcycl: deploy diff --git a/mdop/uev-v1/index.md b/mdop/uev-v1/index.md index 49e6e8a74c..1c16c18b22 100644 --- a/mdop/uev-v1/index.md +++ b/mdop/uev-v1/index.md @@ -1,7 +1,7 @@ --- title: Microsoft User Experience Virtualization (UE-V) 1.0 description: Microsoft User Experience Virtualization (UE-V) 1.0 -author: jamiejdt +author: dansimp ms.assetid: 7c2b59f6-bbe9-4373-8b08-c1738665a37b ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy diff --git a/mdop/uev-v2/index.md b/mdop/uev-v2/index.md index 5e5f69c25f..b0a92410ba 100644 --- a/mdop/uev-v2/index.md +++ b/mdop/uev-v2/index.md @@ -1,7 +1,7 @@ --- title: Microsoft User Experience Virtualization (UE-V) 2.x description: Microsoft User Experience Virtualization (UE-V) 2.x -author: jamiejdt +author: dansimp ms.assetid: b860fed0-b846-415d-bdd6-ba60231a64be ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 7edad5cf25..878b065aa7 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -17,7 +17,7 @@ ms.topic: troubleshooting ## Overview -This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or wwitches, it won't be an end-to-end Microsoft solution. +This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or switches, it won't be an end-to-end Microsoft solution. ## Scenarios diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 7018d14a99..79fb1d0045 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: lomayor -ms.date: 04/30/2018 +ms.date: 07/25/2019 --- # AppLocker CSP @@ -156,22 +156,8 @@ Each of the previous nodes contains one or more of the following leaf nodes:

Policy

Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.

-

Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.

-

For CodeIntegrity/Policy, you can use the certutil -encode command line tool to encode the data to base-64.

-

Here is a sample certutil invocation:

- -``` -certutil -encode WinSiPolicy.p7b WinSiPolicy.cer -``` - -

An alternative to using certutil would be to use the following PowerShell invocation:

- -``` -[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) -``` - -

If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.

-

Data type is string. Supported operations are Get, Add, Delete, and Replace.

+

For nodes, other than CodeIntegrity, policy leaf data type is string. Supported operations are Get, Add, Delete, and Replace.

+

For CodeIntegrity/Policy, data type is Base64. Supported operations are Get, Add, Delete, and Replace.

EnforcementMode

@@ -186,6 +172,8 @@ certutil -encode WinSiPolicy.p7b WinSiPolicy.cer +> [!NOTE] +> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool) and added to the Applocker-CSP. ## Find publisher and product name of apps @@ -1693,119 +1681,145 @@ In this example, Contoso is the node name. We recommend using a GUID for this no chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + - - + + - - - - - - + + - - - - + + - - - - - - + + - - - - + + - - - - - - + + - - - - + + - - + + - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index f374eaec31..9f3f924a14 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 10/04/2017 +ms.date: 07/29/2019 ms.reviewer: manager: dansimp --- @@ -15,6 +15,8 @@ manager: dansimp Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. +The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. + Requirements: - AD-joined PC running Windows 10, version 1709 or later - The enterprise has configured a mobile device management (MDM) service @@ -22,25 +24,66 @@ Requirements: - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) > [!TIP] -> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) +> For additional information, see the following topics: +> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) +> - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan) +> - [Azure Active Directory integration with MDM](https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm) -To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line. - -Here is a partial screenshot of the result: - -![device status result](images/autoenrollment-device-status.png) - -The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered. +The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered. > [!NOTE] > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. -When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. +When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. -In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. See [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/) to learn more. +In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/). For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. +## Verify auto-enrollment requirements and settings +To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. +The following steps demonstrate required settings using the Intune service: +1. Verify that the user who is going to enroll the device has a valid Intune license. + + ![Intune license verification](images/auto-enrollment-intune-license-verification.png) + +2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). +Also verify that the **MAM user scope** is set to **None**. Otherwise, it will have precedence over the MDM scope that will lead to issues. + + ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) + +3. Verify that the device OS version is Windows 10, version 1709 or later. +4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. + + You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. + + ![Auto-enrollment device status result](images/auto-enrollment-device-status-result.png) + + Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**. + + ![Auto-enrollment azure AD prt verification](images/auto-enrollment-azureadprt-verification.png) + + This information can also be found on the Azure AD device list. + + ![Azure AD device list](images/azure-ad-device-list.png) + +5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery. + + ![MDM discovery URL](images/auto-enrollment-mdm-discovery-url.png) + +6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. + + ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png) + +7. Verify that the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is properly deployed to all devices which should be enrolled into Intune. +You may contact your domain administrators to verify if the group policy has been deployed successfully. + +8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal). +9. Verify that Azure AD allows the logon user to enroll devices. + ![Azure AD device settings](images/auto-enrollment-azure-ad-device-settings.png) +10. Verify that Microsoft Intune should allow enrollment of Windows devices. + ![Enrollment of Windows devices](images/auto-enrollment-enrollment-of-windows-devices.png) + ## Configure the auto-enrollment Group Policy for a single PC This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). @@ -131,6 +174,50 @@ Requirements: > [!NOTE] > Version 1903 (March 2019) is actually on the Insider program and doesn't yet contain a downloadable version of Templates (version 1903). +## Troubleshoot auto-enrollment of devices +Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. + +To collect Event Viewer logs: + +1. Open Event Viewer. +2. Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin. + + > [!Tip] + > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc). + +3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully: + ![Event ID 75](images/auto-enrollment-troubleshooting-event-id-75.png) + + If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons: + - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed: + ![Event ID 76](images/auto-enrollment-troubleshooting-event-id-76.png) + To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information. + - The auto-enrollment did not trigger at all. In this case, you will not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section. + + The auto-enrollment process is triggered by a task (Microsoft > Windows > EnterpriseMgmt) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is successfully deployed to the target machine as shown in the following screenshot: + ![Task scheduler](images/auto-enrollment-task-scheduler.png) + + This task runs every 5 minutes for the duration of 1 day. To confirm if the task succeeded, check the task scheduler event logs: + Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational. + Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107. + + ![Event ID 107](images/auto-enrollment-event-id-107.png) + + When the task is completed, a new event ID 102 is logged. + ![Event ID 102](images/auto-enrollment-event-id-102.png) + + Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment. + + If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. + One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (HKLM > Software > Microsoft > Enrollments). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: + + ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png) + + By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational event log file under event ID 7016. + A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display less entries as shown in the following screenshot: + + ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png) + ### Related topics - [Group Policy Management Console](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx) @@ -140,6 +227,6 @@ Requirements: - [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx) ### Useful Links -- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880) + - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) - +- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880) diff --git a/windows/client-management/mdm/images/auto-enrollment-activation-verification-less-entries.png b/windows/client-management/mdm/images/auto-enrollment-activation-verification-less-entries.png new file mode 100644 index 0000000000..ef727d0fcd Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-activation-verification-less-entries.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-activation-verification.png b/windows/client-management/mdm/images/auto-enrollment-activation-verification.png new file mode 100644 index 0000000000..9b1667a307 Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-activation-verification.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-azure-ad-device-settings.png b/windows/client-management/mdm/images/auto-enrollment-azure-ad-device-settings.png new file mode 100644 index 0000000000..802d843215 Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-azure-ad-device-settings.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-azureadprt-verification.png b/windows/client-management/mdm/images/auto-enrollment-azureadprt-verification.png new file mode 100644 index 0000000000..8b0d779216 Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-azureadprt-verification.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-device-status-result.png b/windows/client-management/mdm/images/auto-enrollment-device-status-result.png new file mode 100644 index 0000000000..7f51dc49b8 Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-device-status-result.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-enrollment-of-windows-devices.png b/windows/client-management/mdm/images/auto-enrollment-enrollment-of-windows-devices.png new file mode 100644 index 0000000000..5f7fb2c44b Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-enrollment-of-windows-devices.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-event-id-102.png b/windows/client-management/mdm/images/auto-enrollment-event-id-102.png new file mode 100644 index 0000000000..39383a6d1c Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-event-id-102.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-event-id-107.png b/windows/client-management/mdm/images/auto-enrollment-event-id-107.png new file mode 100644 index 0000000000..ae6a64c677 Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-event-id-107.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-intune-license-verification.png b/windows/client-management/mdm/images/auto-enrollment-intune-license-verification.png new file mode 100644 index 0000000000..aecb539266 Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-intune-license-verification.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-mdm-discovery-url.png b/windows/client-management/mdm/images/auto-enrollment-mdm-discovery-url.png new file mode 100644 index 0000000000..6a6aee040f Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-mdm-discovery-url.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-microsoft-intune-setting.png b/windows/client-management/mdm/images/auto-enrollment-microsoft-intune-setting.png new file mode 100644 index 0000000000..8067b2c611 Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-microsoft-intune-setting.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-outdated-enrollment-entries.png b/windows/client-management/mdm/images/auto-enrollment-outdated-enrollment-entries.png new file mode 100644 index 0000000000..20285204d4 Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-outdated-enrollment-entries.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-task-scheduler.png b/windows/client-management/mdm/images/auto-enrollment-task-scheduler.png new file mode 100644 index 0000000000..91f85e0a3d Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-task-scheduler.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-troubleshooting-event-id-75.png b/windows/client-management/mdm/images/auto-enrollment-troubleshooting-event-id-75.png new file mode 100644 index 0000000000..8dbc3e57b0 Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-troubleshooting-event-id-75.png differ diff --git a/windows/client-management/mdm/images/auto-enrollment-troubleshooting-event-id-76.png b/windows/client-management/mdm/images/auto-enrollment-troubleshooting-event-id-76.png new file mode 100644 index 0000000000..7f222a32c7 Binary files /dev/null and b/windows/client-management/mdm/images/auto-enrollment-troubleshooting-event-id-76.png differ diff --git a/windows/client-management/mdm/images/azure-ad-device-list.png b/windows/client-management/mdm/images/azure-ad-device-list.png new file mode 100644 index 0000000000..607c36c307 Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-device-list.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png b/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png index 8f804b9185..92585d5426 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png and b/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png differ diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 34d2a618b4..f12fe88286 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -56,6 +56,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What is dmwappushsvc?](#what-is-dmwappushsvc) - **Change history in MDM documentation** + - [August 2019](#august-2019) - [July 2019](#july-2019) - [June 2019](#june-2019) - [May 2019](#may-2019) @@ -139,12 +140,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s +ApplicationControl CSP +

Added new CSP in Windows 10, version 1903.

+ + EnrollmentStatusTracking CSP

Added new CSP in Windows 10, version 1903.

-ApplicationControl CSP -

Added new CSP in Windows 10, version 1903.

+PassportForWork CSP +

Added the following new nodes in Windows 10, version 1903:
SecurityKey, SecurityKey/UseSecurityKeyForSignin

@@ -1887,12 +1892,19 @@ How do I turn if off? | The service can be stopped from the "Services" console o ## Change history in MDM documentation +### August 2019 + +|New or updated topic | Description| +|--- | ---| +|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include additional reference links and the following two topics:
Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.| + ### July 2019 |New or updated topic | Description| |--- | ---| |[Policy CSP](policy-configuration-service-provider.md)|Added the following list:
Policies supported by HoloLens 2| |[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.| +|[PassportForWork CSP](passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:
SecurityKey, SecurityKey/UseSecurityKeyForSignin| |[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:
LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock| |Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:
Create a custom configuration service provider
Design a custom configuration service provider
IConfigServiceProvider2
IConfigServiceProvider2::ConfigManagerNotification
IConfigServiceProvider2::GetNode
ICSPNode
ICSPNode::Add
ICSPNode::Clear
ICSPNode::Copy
ICSPNode::DeleteChild
ICSPNode::DeleteProperty
ICSPNode::Execute
ICSPNode::GetChildNodeNames
ICSPNode::GetProperty
ICSPNode::GetPropertyIdentifiers
ICSPNode::GetValue
ICSPNode::Move
ICSPNode::SetProperty
ICSPNode::SetValue
ICSPNodeTransactioning
ICSPValidate
Samples for writing a custom configuration service provider| diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 63bdce6713..b7b64e75fe 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -9,14 +9,11 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 10/31/2018 +ms.date: 07/19/2019 --- # PassportForWork CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to login to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. > [!IMPORTANT] @@ -231,8 +228,6 @@ If you set this policy to true, Windows requires all users on managed devices to Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. - - Supported operations are Add, Get, Delete, and Replace. *Not supported on Windows Holographic and Windows Holographic for Business.* @@ -269,6 +264,23 @@ Added in Windows 10, version 1803. List of plugins (comma separated) that the pa Value type is string. Supported operations are Add, Get, Replace, and Delete. +**SecurityKey** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1903. Interior node. + +Scope is permanent. Supported operation is Get. + + +**SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1903. Enables users to sign-in to their device with a [FIDO2 security key](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation. + +Scope is dynamic. Supported operations are Add, Get, Replace, and Delete. + +Value type is integer. + +Valid values: +- 0 (default) - disabled. +- 1 - enabled. + ## Examples Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM. diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index f9dcc69e22..7eaea8a237 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -9,19 +9,16 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 07/26/2017 +ms.date: 07/29/2019 --- # PassportForWork DDF -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - This topic shows the OMA DM device description framework (DDF) for the **PassportForWork** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, version 1809. +The XML below is for Windows 10, version 1903. ```xml @@ -47,7 +44,7 @@ The XML below is for Windows 10, version 1809. - com.microsoft/1.5/MDM/PassportForWork + com.microsoft/1.6/MDM/PassportForWork @@ -1264,7 +1261,7 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re False - Enables/Disables Dynamic Lock + Enables/Disables Dyanamic Lock @@ -1304,6 +1301,52 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re + + SecurityKey + + + + + Security Key + + + + + + + + + + + + + + + UseSecurityKeyForSignin + + + + + + + + 0 + Use security key for signin. 0 is disabled. 1 is enable. If you do not configure this policy setting, the default is disabled. + + + + + + + + + + + text/plain + + + + ``` diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index fa57936276..bbe21777b6 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -68,7 +68,7 @@ In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app Kiosk Browser settings | Use this setting to --- | --- -Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs. Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 2cde6940fa..ff9c230e83 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -26,7 +26,7 @@ ms.topic: article ## Full XML sample >[!NOTE] ->Updated for Windows 10, version 1903, and Windows 10 Prerelease +>Updated for Windows 10, version 1903, and Windows 10 Insider Preview (19H2, 20H1 builds). ```xml @@ -255,7 +255,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` ## [Preview] Global Profile Sample XML -Global Profile is currently supported in Windows 10 Prerelease. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user. +Global Profile is currently supported in Windows 10 Insider Preview (19H2, 20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user. This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in ```xml @@ -394,7 +394,7 @@ Below sample shows dedicated profile and global profile mixed usage, aauser woul ``` ## [Preview] Folder Access sample xml -In Windows 10 1809 release, folder access is locked down that when common file dialog is opened, IT Admin can specify if user has access to the Downloads folder, or no access to any folder at all. This restriction has be redesigned for finer granulatity and easier use, available in current Windows 10 Prerelease. +In Windows 10, version 1809, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granulatity and easier use, and is available in Windows 10 Insider Preview (19H2, 20H1 builds). IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Note that Downloads and Removable Drives can be allowed at the same time. @@ -636,7 +636,7 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n ## XSD for AssignedAccess configuration XML >[!NOTE] ->Updated for Windows 10, version 1903 and Windows 10 Prerelease. +>Updated for Windows 10, version 1903 and Windows 10 Insider Preview (19H2, 20H1 builds). Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. ```xml @@ -859,7 +859,7 @@ Here is the schema for new features introduced in Windows 10 1809 release ``` -Schema for Windows 10 prerelease +Schema for Windows 10 Insider Preview (19H2, 20H1 builds) ```xml ``` -To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature which is added in Windows 10, version 1809, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10, version 1809, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. ```xml [!Note] +> Microsoft Deployment Toolkit requires you to install [Windows PowerShell 2.0 Engine](https://docs.microsoft.com/powershell/scripting/install/installing-the-windows-powershell-2.0-engine) on your server. + ### MDT enables dynamic deployment When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md index fe17e6fb8e..8f1ed4e10d 100644 --- a/windows/deployment/update/feature-update-user-install.md +++ b/windows/deployment/update/feature-update-user-install.md @@ -69,6 +69,7 @@ foreach ($k in $iniSetupConfigKeyValuePair.Keys) #Write content to file New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force +<# Disclaimer Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without @@ -78,6 +79,7 @@ Microsoft, its authors, or anyone else involved in the creation, production, or for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script or documentation, even if Microsoft has been advised of the possibility of such damages. +#> ``` >[!NOTE] diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 59f1889887..a7e4b0a82e 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -116,7 +116,7 @@ For the payloads (optional): **Does Delivery Optimization use multicast?**: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. -**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimizatio uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). +**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). ## Troubleshooting diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index 9e0f207f1f..b4d7c089e3 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md @@ -19,7 +19,7 @@ ms.collection: M365-modern-desktop > > **February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.** -Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates. +Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need to understand how best to leverage a modern workplace to support system updates. The following provides an initial overview of how updating client and server differs between the Windows 10-era Operating Systems (such as, Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2). diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index 8edef39950..91adf217f6 100644 --- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md @@ -3,6 +3,7 @@ title: Monitor activation (Windows 10) ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26 ms.reviewer: manager: laurawi +audience: itpro ms.author: greglin description: keywords: vamt, volume activation, activation, windows activation @@ -12,35 +13,33 @@ ms.sitesec: library ms.pagetype: activation author: greg-lindsay ms.localizationpriority: medium -ms.date: 07/27/2017 ms.topic: article --- # Monitor activation **Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 **Looking for retail activation?** -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) +- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) -You can monitor the success of the activation process for a computer running Windows 8.1 in several ways. The most popular methods include: -- Using the Volume Licensing Service Center website to track use of MAK keys. -- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).) -- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) -- Most licensing actions and events are recorded in the Event log. -- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. -- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section. +You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include: +- Using the Volume Licensing Service Center website to track use of MAK keys. +- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).) +- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.) +- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290). +- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager. +- See [Troubleshooting activation error codes](https://docs.microsoft.com/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS). +- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section. ## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  +[Volume Activation for Windows 10](volume-activation-windows-10.md) \ No newline at end of file diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index c06bae6554..c86af07eeb 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md @@ -143,7 +143,7 @@ In this step, you export VAMT from the workgroup’s host computer and save it i 1. Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products. 2. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. - VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Sataus** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. The same status appears under the **Status of Last Action** column in the product list view in the center pane. ## Step 13: (Optional) Reactivating Reimaged Computers in the Isolated Lab diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index 4ad5db1e36..5d487c958c 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md @@ -25,4 +25,5 @@ ## [FAQ](autopilot-faq.md) ## [Contacts](autopilot-support.md) ## [Registration authorization](registration-auth.md) -## [Device guidelines](autopilot-device-guidelines.md) \ No newline at end of file +## [Device guidelines](autopilot-device-guidelines.md) +## [Motherboard replacement](autopilot-mbr.md) \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md index a081a6f68e..773b0b9110 100644 --- a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md +++ b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md @@ -4,6 +4,7 @@ ms.reviewer: manager: laurawi description: Windows Autopilot deployment keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +audience: itpro ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium @@ -20,7 +21,7 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 ## Hardware and firmware best practice guidelines for Windows Autopilot @@ -42,3 +43,4 @@ The following additional best practices ensure that devices can easily be provis ## Related topics [Windows Autopilot customer consent](registration-auth.md)
+[Motherboard replacement scenario guidance](autopilot-mbr.md)
diff --git a/windows/deployment/windows-autopilot/autopilot-mbr.md b/windows/deployment/windows-autopilot/autopilot-mbr.md new file mode 100644 index 0000000000..d83600279e --- /dev/null +++ b/windows/deployment/windows-autopilot/autopilot-mbr.md @@ -0,0 +1,421 @@ +--- +title: Windows Autopilot motherboard replacement +ms.reviewer: +manager: laurawi +description: Windows Autopilot deployment MBR scenarios +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +audience: itpro +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot motherboard replacement scenario guidance + +**Applies to** + +- Windows 10 + +This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios. + +Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEM’s require strict uniqueness across motherboards, MAC addresses, etc., while Windows Autopilot requires strict uniqueness at the Hardware ID level for each device to enable successful registration. The Hardware ID does not always accommodate all the OEM hardware component requirements, thus these requirements are sometimes at odds, causing issues with some repair scenarios. + +**Motherboard Replacement (MBR)** + +If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended: + +1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot +2. [Replace the motherboard](#replace-the-motherboard) +3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device) +4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot +5. [Reset the device](#reset-the-device) +6. [Return the device](#return-the-repaired-device-to-the-customer) + +Each of these steps is described below. + +## Deregister the Autopilot device from the Autopilot program + +Before the device arrives at the repair facility, it must be deregistered by the entity that registered it. Only the entity that registered the device can deregister it. This might be the customer IT Admin, the OEM, or the CSP partner. If the IT Admin registered the device, they likely did so via Intune (or possibly the Microsoft Store for Business). In that case, they should deregister the device from Intune (or MSfB). This is necessary because devices registered in Intune will not show up in MPC. However, if the OEM or CSP partner registered the device, they likely did so via the Microsoft Partner Center (MPC). In that case, they should deregister the device from MPC, which will also remove it from the customer IT Admin’s Intune account. Below, we describe the steps an IT Admin would go through to deregister a device from Intune, and the steps an OEM or CSP would go through to deregister a device from MPC. + +**NOTE**: When possible, an OEM or CSP should register Autopilot devices, rather than having the customer do it. This will avoid problems where OEMs or CSPs may not be able to deregister a device if, for example, a customer leasing a device goes out of business before deregistering it themselves. + +**EXCEPTION**: If a customer grants an OEM permission to register devices on their behalf via the automated consent process, then an OEM can use the API to deregister devices they didn’t register themselves (instead, the customer registered the devices). But keep in mind that this would only remove those devices from the Autopilot program, it would not disenroll them from Intune or disjoin them from AAD. The customer must do those steps, if desired, through Intune. + +### Deregister from Intune + +To deregister an Autopilot device from Intune, an IT Admin would: + +1. Sign in to their Intune account +2. Navigate to Intune > Groups > All groups +3. Remove the desired device from its group +4. Navigate to Intune > Devices > All devices +5. Select the checkbox next to the device you want to delete, then click the Delete button on the top menu +6. Navigate to Intune > Devices > Azure AD devices +7. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu +8. Navigate to Intune > Device enrollment > Windows enrollment > Devices +9. Select the checkbox next to the device you want to deregister +10. Click the extended menu icon (“…”) on the far right end of the line containing the device you want to deregister in order to expose an additional menu with the option to “unassign user” +11. Click “Unassign user” if the device was previously assigned to a user; if not, this option will be grayed-out and can be ignored +12. With the unassigned device still selected, click the Delete button along the top menu to remove this device + +**NOTE**: These steps deregister the device from Autopilot, but also unenroll the device from Intune, and disjoin the device from AAD. While it may appear that only deregistering the device from Autopilot is needed, there are certain barriers in place within Intune that necessitate all the steps above be done, which is best practice anyway in case the device gets lost or becomes unrecoverable, to eliminate the possibility of orphaned devices existing in the Autopilot database, or Intune, or AAD. If a device gets into an unrecoverable state, you can contact the appropriate [Microsoft support alias](autopilot-support.md) for assistance. + +The deregistration process will take about 15 minutes. You can accelerate the process by clicking the “Sync” button, then “Refresh” the display until the device is no longer present. + +More details on deregistering devices from Intune can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group). + +### Deregister from MPC + +To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would: + +1. Log into MPC +2. Navigate to Customer > Devices +3. Select the device to be deregistered and click the “Delete device” button + +![devices](images/devices.png) + +**NOTE**: Deregistering a device from Autopilot in MPC does only that; it does not also unenroll the device from the MDM (Intune), nor does it disjoin the device from AAD. Therefore, if possible, the OEM/CSP ideally should work with the customer IT Admin to have the device fully removed per the Intune steps in the previous section. + +Alternatively, an OEM partner that has integrated the OEM Direct APIs can deregister a device by calling the AutopilotDeviceRegistration API with the TenantID and TenantDomain fields left blank in the request call. + +Because the repair facility will not have access to the user’s login credentials, the repair facility will have to reimage the device as part of the repair process. This means that the customer should do three things before sending the device off for repair: +1. Copy all important data off the device. +2. Let the repair facility know which version of Windows they should reinstall after the repair. +3. If applicable, let the repair facility know which version of Office they should reinstall after the repair. + +## Replace the motherboard + +Technicians replace the motherboard (or other hardware) on the broken device. A replacement DPK is injected. + +Repair and key replacement processes vary between facilities. Sometimes repair facilities receive motherboard spare parts from OEMs that have replacement DPKs already injected, but sometimes not. Sometimes repair facilities receive fully-functional BIOS tools from OEMs, but sometimes not. This means that the quality of the data in the BIOS after a MBR varies. To ensure the repaired device will still be Autopilot-capable following its repair, the new (post-repair) BIOS should be able to successfully gather and populate the following information at a minimum: + +- DiskSerialNumber +- SmbiosSystemSerialNumber +- SmbiosSystemManufacturer +- SmbiosSystemProductName +- SmbiosUuid +- TPM EKPub +- MacAddress +- ProductKeyID +- OSType + +**NOTE**: For simplicity, and because processes vary between repair facilities, we have excluded many of the additional steps often used in a MBR, such as: +- Verify that the device is still functional +- Disable BitLocker* +- Repair the Boot Configuration Data (BCD) +- Repair and verify the network driver operation + +*BitLocker can be suspended rather than disbled if the technician has the ability to resume it after the repair. + +## Capture a new Autopilot device ID (4K HH) from the device + +Repair technicians must sign in to the repaired device to capture the new device ID. Assuming the repair technician does NOT have access to the customer’s login credentials, they will have to reimage the device in order to gain access, per the following steps: + +1. The repair technician creates a [WinPE bootable USB drive](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#create-a-bootable-windows-pe-winpe-partition). +2. The repair technician boots the device to WinPE. +3. The repair technician [applies a new Windows image to the device](https://docs.microsoft.com/windows-hardware/manufacture/desktop/work-with-windows-images). + + **NOTE**: Ideally, the same version of Windows should be reimaged onto the device that was originally on the device, so some coordination will be required between the repair facility and customer to capture this information at the time the device arrives for repair. This might include the customer sending the repair facility a customized image (.ppk file) via a USB stick, for example. + +4. The repair technician boots the device into the new Windows image. +5. Once on the desktop, the repair technician captures the new device ID (4K HH) off the device using either the OA3 Tool or the PowerShell script, as described below. + +Those repair facilities with access to the OA3 Tool (which is part of the ADK) can use the tool to capture the 4K Hardware Hash (4K HH). + +Alternatively, the [WindowsAutoPilotInfo Powershell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) can be used to capture the 4K HH by following these steps: + +1. Install the script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) or from the command line (command line installation is shown below). +2. Navigate to the script directory and run it on the device when the device is either in Full OS or Audit Mode. See the following example. + + ```powershell + md c:\HWID + Set-Location c:\HWID + Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force + Install-Script -Name Get-WindowsAutopilotInfo -Force + Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv + ``` + +>If you are prompted to install the NuGet package, choose **Yes**.
+>If, after installing the script you get an error that Get-WindowsAutopilotInfo.ps1 is not found, verify that C:\Program Files\WindowsPowerShell\Scripts is present in your PATH variable.
+>If the Install-Script cmdlet fails, verify that you have the default PowerShell repository registered (**Get-PSRepository**) or register the default repository with **Register-PSRepository -Default -Verbose**. + +The script creates a .csv file that contains the device information, including the complete 4K HH. Save this file so that you can access it later. The service facility will use this 4K HH to reregister device as described below. Be sure to use the -OutputFile parameter when saving the file, which ensures that file formatting is correct. Do not attempt to pipe the command output to a file manually. + +**NOTE**: If the repair facility does not have the ability to run the OA3 tool or PowerShell script to capture the new 4K HH, then the CSP (or OEM) partners must do this for them. Without some entity capturing the new 4K HH, there is no way to reregister this device as an Autopilot device. + + +## Reregister the repaired device using the new device ID + +If an OEM is not able to reregister the device, then the repair facility or CSP should reregister the device using MPC, or the customer IT Admin should be advised to reregister the device via Intune (or MSfB). Both ways of reregistering a device are shown below. + +### Reregister from Intune + +To reregister an Autopilot device from Intune, an IT Admin would: +1. Sign in to Intune. +2. Navigate to Device enrollment > Windows enrollment > Devices > Import. +3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered (the device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document). + +The following video provides a good overview of how to (re)register devices via MSfB.
+ +> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0] + +### Reregister from MPC + +To reregister an Autopilot device from MPC, an OEM or CSP would: + +1. Sign in to MPC. +2. Navigate to the Customer > Devices page and click the **Add devices** button to upload the csv file. + +![device](images/device2.png)
+![device](images/device3.png) + +In the case of reregistering a repaired device through MPC, the uploaded csv file must contain the 4K HH for the device, and not just the PKID or Tuple (SerialNumber + OEMName + ModelName). If only the PKID or Tuple were used, the Autopilot service would be unable to find a match in the Autopilot database, since no 4K HH info was ever previously submitted for this essentially “new” device, and the upload will fail, likely returning a ZtdDeviceNotFound error. So, again, only upload the 4K HH, not the Tuple or PKID. + +**NOTE**: When including the 4K HH in the csv file, you do NOT also need to include the PKID or Tuple. Those columns may be left blank, as shown below: + +![hash](images/hh.png) + +## Reset the device + +Since the device was required to be in Full OS or Audit Mode to capture the 4K HH, the repair facility must reset the image back to a pre-OOBE state before returning it to the customer. One way this can be accomplished is by using the built-in reset feature in Windows, as follows: + +On the device, go to Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Finally, click on Reset. + +![reset](images/reset.png) + +However, it’s likely the repair facility won’t have access to Windows because they lack the user credentials to login, in which case they need to use other means to reimage the device, such as the [Deployment Image Servicing and Management tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#use-a-deployment-script-to-apply-your-image). + +## Return the repaired device to the customer + +After completing the previous steps, the repaired device can now be returned to the customer, and will be auto-enrolled into the Autopilot program on first boot-up during OOBE. + +**NOTE**: If the repair facility did NOT reimage the device, they could be sending it back in a potentially broken state (e.g., there’s no way to log into the device because it’s been dissociated from the only known user account), in which case they should tell the organization that they need to fix the registration and OS themselves. + +**IMPORTANT**: A device can be “registered” for Autopilot prior to being powered-on, but the device isn’t actually “deployed” to Autopilot (i.e., enabled as an Autopilot device) until it goes through OOBE, which is why resetting the device back to a pre-OOBE state is a required step. + +## Specific repair scenarios + +This section covers the most common repair scenarios, and their impact on Autopilot enablement. + +NOTES ON TEST RESULTS: + +- Scenarios below were tested using Intune only (no other MDMs were tested). +- In most test scenarios below, the repaired and reregistered device needed to go through OOBE again for Autopilot to be enabled. +- Motherboard replacement scenarios often result in lost data, so repair centers or customers should be reminded to backup data (if possible) prior to repair. +- In the cases where a repair facility does not have the ability to write device info into the BIOS of the repaired device, new processes need to be created to successfully enable Autopilot. +- Repaired device should have the Product Key (DPK) preinjected in the BIOS before capturing the new 4K HH (device ID) + +In the following table:
+- Supported = **Yes**: the device can be reenabled for Autopilot +- Supported = **No**: the device cannot be reenabled for Autopilot + + +
ScenarioSupportedMicrosoft Recommendation +
Motherboard Replacement (MBR) in generalYesThe recommended course of action for MBR scenarios is: + +1. Autopilot device is deregistered from the Autopilot program +2. The motherboard is replace +3. The device is reimaged (with BIOS info and DPK reinjected)* +4. A new Autopilot device ID (4K HH) is captured off the device +5. The repaired device is reregistered for the Autopilot program using the new device ID +6. The repaired device is reset to boot to OOBE +7. The repaired device is shipped back to the customer + +*It’s not necessary to reimage the device if the repair technician has access to the customer’s login credentials. It’s technically possible to do a successful MBR and Autopilot re-enablement without keys or certain BIOS info (e.g., serial #, model name, etc.), but doing so is only recommended for testing/educational purposes. + +
MBR when motherboard has a TPM chip (enabled) and only one onboard network card (that also gets replaced)Yes + +1. Deregister damaged device +2. Replace motherboard +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write device info into BIOS +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
MBR when motherboard has a TPM chip (enabled) and a second network card (or network interface) that is not replaced along with the motherboardNoThis scenario is not recommended, as it breaks the Autopilot experience, because the resulting Device ID will not be stable until after TPM attestation has completed, and even then registration may give incorrect results because of ambiguity with MAC Address resolution. +
MBR where the NIC card, HDD, and WLAN all remain the same after the repairYes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write old device info into BIOS (same s/n, model, etc.)* +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +*Note that for this and subsequent scenarios, rewriting old device info would not include the TPM 2.0 endorsement key, as the associated private key is locked to the TPM device + +
MBR where the NIC card remains the same, but the HDD and WLAN are replacedYes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Insert new HDD and WLAN +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
MBR where the NIC card and WLAN remains the same, but the HDD is replacedYes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Insert new HDD +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that had NOT been Autopilot-enabled before.Yes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that HAD been Autopilot-enabled before.Yes + +1. Deregister old device from which MB will be taken +2. Deregister damaged device (that you want to repair) +3. Replace motherboard in repair device with MB from other Autopilot device (with new RDPK preinjected in BIOS) +4. Reimage device (to gain access), unless have access to customers’ login credentials +5. Write old device info into BIOS (same s/n, model, etc.) +6. Capture new 4K HH +7. Reregister repaired device +8. Reset device back to OOBE +9. Go through Autopilot OOBE (customer) +10. Autopilot successfully enabled + +NOTE: The repaired device can also be used successfully as a normal, non-Autopilot device. + +
BIOS info excluded from MBR deviceNoRepair facility does not have BIOS tool to write device info into BIOS after MBR. + +1. Deregister damaged device +2. Replace motherboard (BIOS does NOT contain device info) +3. Reimage and write DPK into image +4. Capture new 4K HH +5. Reregister repaired device +6. Create Autopilot profile for device +7. Go through Autopilot OOBE (customer) +8. Autopilot FAILS to recognize repaired device + +
MBR when there is no TPM chipYesThough we do not recommend enabling an Autopilot devices without a TPM chip (which is recommended for BitLocker encryption), it is possible to enable an Autopilot devices in “standard user” mode (but NOT Self-deploying mode) that does not have a TPM chip. In this case, you would: + +1. Deregister damaged device +2. Replace motherboard +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
New DPK written into image on repaired Autopilot device with a new MBYesRepair facility replaces normal MB on damaged device. MB does not contain any DPK in the BIOS. Repair facility writes DPK into image after MBR. + +1. Deregister damaged device +2. Replace motherboard – BIOS does NOT contain DPK info +3. Reimage device (to gain access), unless have access to customers’ login credentials +4. Write device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reset or reimage device to pre-OOBE and write DPK into image +7. Reregister repaired device +8. Go through Autopilot OOBE +9. Autopilot successfully enabled + +
New Repair Product Key (RDPK)YesUsing a MB with a new RDPK preinjected results in a successful Autopilot refurbishment scenario. + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Reimage or rest image to pre-OOBE +4. Write device info into BIOS +5. Capture new 4K HH +6. Reregister repaired device +7. Reimage or reset image to pre-OOBE +8. Go through Autopilot OOBE +9. Autopilot successfully enabled + +
No Repair Product Key (RDPK) injectedNoThis scenario violates Microsoft policy and breaks the Windows Autopilot experience. +
Reimage damaged Autopilot device that was not deregistered prior to repairYes, but the device will still be associated with previous tenant ID, so should only be returned to same customer + +1. Reimage damaged device +2. Write DPK into image +3. Go through Autopilot OOBE +4. Autopilot successfully enabled (to previous tenant ID) + +
Disk replacement from a non-Autopilot device to an Autopilot deviceYes + +1. Do not deregister damaged device prior to repair +2. Replace HDD on damaged device +3. Reimage or reset image back to OOBE +4. Go through Autopilot OOBE (customer) +5. Autopilot successfully enabled (repaired device recognized as its previous self) + +
Disk replacement from one Autopilot device to another Autopilot deviceMaybeIf the device from which the HDD is taken was itself previously deregistered from Autopilot, then that HDD can be used in a repair device. But if the HDD was never previously deregistered from Autopilot before being used in a repaired device, the newly repaired device will not have the proper Autopilot experience. + +Assuming the used HDD was previously deregistered (before being used in this repair): + +1. Deregister damaged device +2. Replace HDD on damaged device using a HDD from another deregistered Autopilot device +3. Reimage or rest the repaired device back to a pre-OOBE state +4. Go through Autopilot OOBE (customer) +5. Autopilot successfully enabled + +
Third party network card replacement NoWhether from a non-Autopilot device to an Autopilot device, from one Autopilot device to another Autopilot device, or from an Autopilot device to a non-Autopilot device, any scenario where a 3rd party (not onboard) Network card is replaced will break the Autopilot experience, and is not recommended. +
A device repaired more than 3 timesNoAutopilot is not supported when a device is repeatedly repaired, so that whatever parts NOT replaced become associated with too many parts that have been replaced, which would make it difficult to uniquely identify that device in the future. +
Memory replacementYesReplacing the memory on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the memory. +
GPU replacementYesReplacing the GPU(s) on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the GPU. +
+ +>When scavenging parts from another Autopilot device, we recommend unregistering the scavenged device from Autopilot, scavenging it, and then NEVER REGISTERING THE SCAVENGED DEVICE (AGAIN) FOR AUTOPILOT, because reusing parts this way may cause two active devices to end up with the same ID, with no possibility of distinguishing between the two. + +**NOTE**: The following parts may be replaced without compromising Autopilot enablement or requiring special additional repair steps: +- Memory (RAM or ROM) +- Power Supply +- Video Card +- Card Reader +- Sound card +- Expansion card +- Microphone +- Webcam +- Fan +- Heat sink +- CMOS battery + +Other repair scenarios not yet tested and verified include: +- Daughterboard replacement +- CPU replacement +- Wifi replacement +- Ethernet replacement + +## FAQ + +| Question | Answer | +| --- | --- | +| If we have a tool that programs product information into the BIOS after the MBR, do we still need to submit a CBR report for the device to be Autopilot-capable? | No. Not if the in-house tool writes the minimum necessary information into the BIOS that the Autopilot program looks for to identify the device, as described earlier in this document. | +| What if only some components are replaced rather than the full motherboard? | While it’s true that some limited repairs do not prevent the Autopilot algorithm from successfully matching the post-repair device with the pre-repair device, it is best to ensure 100% success by going through the MBR steps above even for devices that only needed limited repairs. | +| How does a repair technician gain access to a broken device if they don’t have the customer’s login credentials? | The technician will have to reimage the device and use their own credentials during the repair process. | + +## Related topics + +[Device guidelines](autopilot-device-guidelines.md)
diff --git a/windows/deployment/windows-autopilot/images/device2.png b/windows/deployment/windows-autopilot/images/device2.png new file mode 100644 index 0000000000..6f7d1a5df0 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/device2.png differ diff --git a/windows/deployment/windows-autopilot/images/device3.png b/windows/deployment/windows-autopilot/images/device3.png new file mode 100644 index 0000000000..adf9c7a875 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/device3.png differ diff --git a/windows/deployment/windows-autopilot/images/devices.png b/windows/deployment/windows-autopilot/images/devices.png new file mode 100644 index 0000000000..a5b0dd1899 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/devices.png differ diff --git a/windows/deployment/windows-autopilot/images/hh.png b/windows/deployment/windows-autopilot/images/hh.png new file mode 100644 index 0000000000..98fbc3cd7b Binary files /dev/null and b/windows/deployment/windows-autopilot/images/hh.png differ diff --git a/windows/deployment/windows-autopilot/images/reset.png b/windows/deployment/windows-autopilot/images/reset.png new file mode 100644 index 0000000000..0619b7fa03 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/reset.png differ diff --git a/windows/deployment/windows-autopilot/index.md b/windows/deployment/windows-autopilot/index.md index 0b030458a3..d0f30fe153 100644 --- a/windows/deployment/windows-autopilot/index.md +++ b/windows/deployment/windows-autopilot/index.md @@ -57,7 +57,7 @@ This guide is intended for use by an IT-specialist, system architect, or busines Registering devicesThe process of registering a device with the Windows Autopilot deployment service is described. Configuring device profilesThe device profile settings that specifie its behavior when it is deployed are described. Enrollment status pageSettings that are available on the Enrollment Status Page are described. -Bitlocker encryption Available options for configuring BitLocker on Windows Autopilot devices are described. +BitLocker encryption Available options for configuring BitLocker on Windows Autopilot devices are described. Troubleshooting Windows AutopilotDiagnotic event information and troubleshooting procedures are provided. Known issuesA list of current known issues and solutions is provided. @@ -68,8 +68,9 @@ This guide is intended for use by an IT-specialist, system architect, or busines FAQFrequently asked questions on several topics are provided. Support contactsSupport information is provided. Registration authorizationThis article discusses how a CSP partner or OEM can obtain customer authorization to register Windows Autopilot devices. +Motherboard replacementInformation about how to deal with Autopilot registration and device repair issues is provided. ## Related topics -[Windows Autopilot](https://www.microsoft.com/windowsforbusiness/windows-autopilot) \ No newline at end of file +[Windows Autopilot](https://www.microsoft.com/windowsforbusiness/windows-autopilot) diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md index 3e55879db7..dae9f38910 100644 --- a/windows/deployment/windows-autopilot/known-issues.md +++ b/windows/deployment/windows-autopilot/known-issues.md @@ -9,6 +9,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy +audience: itpro author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop @@ -20,10 +21,18 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 - @@ -151,7 +150,6 @@ sections:
IssueMore information +
The following known issues are resolved by installing the July 26, 2019 KB4505903 update (OS Build 18362.267): + +- Windows Autopilot white glove does not work for a non-English OS and you see a red screen that says "Success." +- Windows Autopilot reports an AUTOPILOTUPDATE error during OOBE after sysprep, reset or other variations. This typically happens if you reset the OS or used a custom sysprepped image. +- BitLocker encryption is not correctly configured. Ex: BitLocker didn’t get an expected notification after policies were applied to begin encryption. +- You are unable to install UWP apps from the Microsoft Store, causing failures during Windows Autopilot. If you are deploying Company Portal as a blocking app during Windows Autopilot ESP, you’ve probably seen this error. +- A user is not granted administrator rights in the Windows Autopilot user-driven Hybrid Azure AD join scenario. This is another non-English OS issue. +Download and install the KB4505903 update.

See the section: How to get this update for information on specific release channels you can use to obtain the update.
White glove gives a red screen and the Microsoft-Windows-User Device Registration/Admin event log displays HResult error code 0x801C03F3This can happen if Azure AD can’t find an AAD device object for the device that you are trying to deploy. This will occur if you manually delete the object. To fix it, remove the device from AAD, Intune, and Autopilot, then re-register it with Autopilot, which will recreate the AAD device object.

To obtain troubleshooting logs use: Mdmdiagnosticstool.exe -area Autopilot;TPM -cab c:\autopilot.cab
White glove gives a red screenWhite glove is not supported on a VM. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md index 57c91a67e4..6f157802ae 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md @@ -10,6 +10,7 @@ ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy author: greg-lindsay +audience: itpro ms.author: greglin ms.collection: M365-modern-desktop ms.topic: article diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index f16868b269..f5a74dfff8 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -63,10 +63,13 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt 1. **Internet Explorer** The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer) 1. MDM Policy: [InternetExplorer/AllowSuggestedSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites). Recommends websites based on the user’s browsing activity. **Set to Disabled** - 1. MDM Policy: [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter). Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to Enabled** + 1. MDM Policy: [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter). Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to String** with Value: + 1. **\\** 1. MDM Policy: [InternetExplorer/DisableFlipAheadFeature]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disableflipaheadfeature). Determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. **Set to Enabled** - 1. MDM Policy: [InternetExplorer/DisableHomePageChange]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablehomepagechange). Determines whether users can change the default Home Page or not. **Set to Enabled** - 1. MDM Policy: [InternetExplorer/DisableFirstRunWizard]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablefirstrunwizard). Prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. **Set to Enabled** + 1. MDM Policy: [InternetExplorer/DisableHomePageChange]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablehomepagechange). Determines whether users can change the default Home Page or not. **Set to String** with Value: + 1. **\\** + 1. MDM Policy: [InternetExplorer/DisableFirstRunWizard]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablefirstrunwizard). Prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. **Set to String** with Value: + 1. **\\** 1. **Live Tiles** 1. MDM Policy: [Notifications/DisallowTileNotification](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications). This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Integer value 1** @@ -144,8 +147,8 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt 1. **Windows Update** 1. [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Control automatic updates. **Set to 5 (five)** 1. Windows Update Allow Update Service - [Update/AllowUpdateService](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowupdateservice). Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)** - 1. Windows Update Service URL - [Update/UpdateServiceUrl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value next to item below: - 1. \\$CmdID$\\\chr\text/plain\\ \./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl\\http://abcd-srv:8530\\ + 1. Windows Update Service URL - [Update/UpdateServiceUrl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value: + 1. **\\$CmdID$\\\chr\text/plain\\ \./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl\\http://abcd-srv:8530\\** ### Allowed traffic ("Whitelisted traffic") for Microsoft InTune / MDM configurations @@ -159,6 +162,6 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt |client.wns.windows.com| |dm3p.wns.windows.com| |crl.microsoft.com/pki/crl/*| -|*microsoft.com/pkiops/crl/**| +|*microsoft.com/pkiops/**| |activation-v2.sls.microsoft.com/*| |ocsp.digicert.com/*| diff --git a/windows/release-information/index.md b/windows/release-information/index.md index c80e214ec1..5f7b5e22f9 100644 --- a/windows/release-information/index.md +++ b/windows/release-information/index.md @@ -13,11 +13,11 @@ ms.localizationpriority: high --- # Windows 10 release information -Feature updates for Windows 10 are released twice a year, around March and September, via the Semi-Annual Channel and will be serviced with monthly quality updates for 18 months from the date of the release. +Feature updates for Windows 10 are released twice a year, around March and September, via the Semi-Annual Channel. They will be serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. We recommend that you begin deployment of each Semi-Annual Channel release immediately as a targeted deployment to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. -Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions are serviced for 30 months from their release date. For information about servicing timelines, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853). +For information about servicing timelines, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853). >[!NOTE] >Beginning with Windows 10, version 1903, this page will no longer list Semi-Annual Channel (Targeted) information for version 1903 and future feature updates. Instead, you will find a single entry for each Semi-Annual Channel release. For more information, see [this blog post](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523). diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml index c8dd852476..0d43d708e8 100644 --- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml @@ -55,7 +55,6 @@ sections:
First character of the Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >		OS Build 17763.316

February 12, 2019
KB4487044		Resolved
KB4482887		March 01, 2019
10:00 AM PT
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 9 file format may randomly stop working.

See details >		OS Build 17763.316

February 12, 2019
KB4487044		Resolved
KB4482887		March 01, 2019
10:00 AM PT
Issues with lock screen and Microsoft Edge tabs for certain AMD Radeon video cards
Upgrade block: Devices utilizing AMD Radeon HD2000 or HD4000 series video cards may experience issues with the lock screen and Microsoft Edge tabs.

See details >		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4487044		February 12, 2019
10:00 AM PT
Trend Micro OfficeScan and Worry-Free Business Security AV software not compatible
Upgrade block: Microsoft and Trend Micro identified a compatibility issue with the Trend Micro business endpoint security solutions OfficeScan and Worry-Free Business Security.

See details >		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
February 01, 2019
09:00 AM PT
Shared albums may not sync with iCloud for Windows
Upgrade block: Apple has identified an incompatibility with iCloud for Windows (version 7.7.0.27) where users may experience issues updating or synching Shared Albums.

See details >		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4482887		March 01, 2019
10:00 AM PT
Intel Audio Display (intcdaud.sys) notification during Windows 10 Setup
Upgrade block: Users may see an Intel Audio Display (intcdaud.sys) notification during setup for devices with certain Intel Display Audio Drivers.

See details >		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4482887		March 01, 2019
10:00 AM PT
F5 VPN clients losing network connectivity
Upgrade block: After updating to Windows 10, version 1809, F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.

See details >		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4482887		March 01, 2019
10:00 AM PT
- diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml index e791545b58..4e7aae8a05 100644 --- a/windows/release-information/resolved-issues-windows-10-1903.yml +++ b/windows/release-information/resolved-issues-windows-10-1903.yml @@ -32,6 +32,8 @@ sections: - type: markdown text: "
DetailsOriginating updateStatusHistory
Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers. Intel inadvertently released versions of its display driver (versions 24.20.100.6344, 24.20.100.6345) to OEMs that accidentally turned on unsupported features in Windows. 
 
As a result, after updating to Windows 10, version 1809, audio playback from a monitor or television connected to a PC via HDMI, USB-C, or a DisplayPort may not function correctly on devices with these drivers.
Note: This Intel display driver issue is different from the Intel Smart Sound Technology driver (version 09.21.00.3755) audio issue previously documented.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019 
Next steps: Intel has released updated drivers to OEM device manufacturers. OEMs need to make the updated driver available via Windows Update. For more information, see the Intel Customer Support article.

Resolution: Microsoft has removed the safeguard hold.



Back to top		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
Resolved:
May 21, 2019
07:42 AM PT

Opened:
November 13, 2018
10:00 AM PT
Issues with lock screen and Microsoft Edge tabs for certain AMD Radeon video cards
Note: AMD no longer supports Radeon HD2000 and HD4000 series graphic processor units (GPUs).
 
Upgrade block: After updating to Windows 10, version 1809, Microsoft Edge tabs may stop working when a device is configured with AMD Radeon HD2000 or HD4000 series video cards. Customers may get the following error code: \"INVALID_POINTER_READ_c0000005_atidxx64.dll\". 
 
Some users may also experience performance issues with the lock screen or the ShellExperienceHost. (The lock screen hosts widgets, and the ShellExperienceHost is responsible for assorted shell functionality.) 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4487044, and the block was removed.

Back to top		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4487044		Resolved:
February 12, 2019
10:00 AM PT

Opened:
November 13, 2018
10:00 AM PT
Trend Micro OfficeScan and Worry-Free Business Security AV software not compatible
Upgrade block: Microsoft and Trend Micro have identified a compatibility issue with Trend Micro's OfficeScan and Worry-Free Business Security software when attempting to update to Windows 10, version 1809.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019 
Resolution: Trend Micro has released a new version of these products that resolves the issue. To download them, please visit the Trend Micro Business Support Portal.

Once you have updated your version of Trend Micro's OfficeScan or Worry-Free Business Security software, you will be offered Windows 10, version 1809 automatically. 

Back to top		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
Resolved:
February 01, 2019
09:00 AM PT

Opened:
November 13, 2018
10:00 AM PT
Shared albums may not sync with iCloud for Windows
Upgrade block: Users who attempt to install iCloud for Windows (version 7.7.0.27) will see a message displayed that this version iCloud for Windows isn't supported and the install will fail.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
To ensure a seamless experience, Microsoft is blocking devices with iCloud for Windows (version 7.7.0.27) software installed from being offered Windows 10, version 1809 until this issue has been resolved. 

We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool from the Microsoft software download website until this issue is resolved. 
 
Resolution: Apple has released an updated version of iCloud for Windows (version 7.8.1) that resolves compatibility issues encountered when updating or synching Shared Albums after updating to Windows 10, version 1809. We recommend that you update your iCloud for Windows to version 7.8.1 when prompted before attempting to upgrade to Windows 10, version 1809. You can also manually download the latest version of iCloud for Windows by visiting https://support.apple.com/HT204283.

Back to top		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4482887		Resolved:
March 01, 2019
10:00 AM PT

Opened:
November 13, 2018
10:00 AM PT
Intel Audio Display (intcdaud.sys) notification during Windows 10 Setup
Upgrade block: Microsoft and Intel have identified a compatibility issue with a range of Intel Display Audio device drivers (intcdaud.sys, versions 10.25.0.3 - 10.25.0.8) that may result in excessive processor demand and reduced battery life. As a result, the update process to the Windows 10 October 2018 Update (Windows 10, version 1809) will fail and affected devices will automatically revert to the previous working configuration. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
If you see a \"What needs your attention\" notification during installation of the October 2018 Update, you have one of these affected drivers on your system. On the notification, click Back to remain on your current version of Windows 10. 
 
To ensure a seamless experience, we are blocking devices from being offered the October 2018 Update until updated Intel device drivers are installed on your current operating system. We recommend that you do not attempt to manually update to Windows 10, version 1809, using the Update Now button or the Media Creation Tool from the Microsoft Software Download Center until newer Intel device drivers are available with the update. You can either wait for newer drivers to be installed automatically through Windows Update or check with your computer manufacturer for the latest device driver software availability and installation procedures. For more information about this issue, see Intel's customer support guidance.
 
Resolution: This issue was resolved in KB4482887 and the upgrade block removed. 

Back to top		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4482887		Resolved:
March 01, 2019
10:00 AM PT

Opened:
November 13, 2018
10:00 AM PT
F5 VPN clients losing network connectivity
Upgrade block: After updating to Windows 10, version 1809, F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4482887 and the upgrade block removed. 

Back to top		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4482887		Resolved:
March 01, 2019
10:00 AM PT

Opened:
November 13, 2018
10:00 AM PT
+ + @@ -55,6 +57,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusDate resolved
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		July 26, 2019
02:00 PM PT
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
KB4505903		July 26, 2019
02:00 PM PT
Loss of functionality in Dynabook Smartphone Link app
After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.

See details >		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
July 11, 2019
01:54 PM PT
Error attempting to update with external USB device or memory card attached
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
July 11, 2019
01:53 PM PT
Audio not working with Dolby Atmos headphones and home theater
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
July 11, 2019
01:53 PM PT
+
DetailsOriginating updateStatusHistory
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.

This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.

Affected platforms
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
KB4505903		Resolved:
July 26, 2019
02:00 PM PT

Opened:
June 28, 2019
05:01 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501375.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Resolved
KB4501375		Resolved:
June 27, 2019
10:00 AM PT

Opened:
June 12, 2019
11:11 AM PT
" @@ -64,6 +67,7 @@ sections: - type: markdown text: " + diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index 31c6e06ec3..4bfa74c40c 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -60,12 +60,12 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

DetailsOriginating updateStatusHistory
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		Resolved:
July 26, 2019
02:00 PM PT

Opened:
May 21, 2019
07:56 AM PT
Loss of functionality in Dynabook Smartphone Link app
Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.

To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
Resolved:
July 11, 2019
01:54 PM PT

Opened:
May 24, 2019
03:10 PM PT
Error attempting to update with external USB device or memory card attached
If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.

Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).

Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.

To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
Resolved:
July 11, 2019
01:53 PM PT

Opened:
May 21, 2019
07:38 AM PT
Audio not working with Dolby Atmos headphones and home theater
After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error.
 
This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions.
 
To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
Resolved:
July 11, 2019
01:53 PM PT

Opened:
May 21, 2019
07:16 AM PT
- + + - @@ -84,7 +84,8 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Domain connected devices that use MIT Kerberos realms may not start up
Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after updating.

See details >		OS Build 14393.3115

July 16, 2019
KB4507459		Investigating
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 14393.3115

July 16, 2019
KB4507459		Investigating
August 01, 2019
06:12 PM PT
Internet Explorer 11 and apps using the WebBrowser control may fail to render
JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.

See details >		OS Build 14393.3085

July 09, 2019
KB4507460		Mitigated
July 26, 2019
04:58 PM PT
SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Resolved
KB4507459		July 16, 2019
10:00 AM PT
Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)

See details >		OS Build 14393.2941

April 25, 2019
KB4493473		Resolved
KB4507459		July 16, 2019
10:00 AM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 14393.3025

June 11, 2019
KB4503267		Mitigated
July 10, 2019
07:09 PM PT
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

See details >		OS Build 14393.2969

May 14, 2019
KB4494440		Resolved
KB4507460		July 09, 2019
10:00 AM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 14393.2999

May 23, 2019
KB4499177		Resolved
KB4509475		June 27, 2019
02:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Mitigated
April 25, 2019
02:00 PM PT
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

See details >		OS Build 14393.2608

November 13, 2018
KB4467691		Mitigated
February 19, 2019
10:00 AM PT
Cluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Mitigated
April 25, 2019
02:00 PM PT
- + +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms may not start up
Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507459. We are working on a resolution and estimate a solution will be available in mid-August.

Back to top		OS Build 14393.3115

July 16, 2019
KB4507459		Investigating
Last updated:
July 25, 2019
06:10 PM PT

Opened:
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507459. We are working on a resolution and estimate a solution will be available in mid-August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 14393.3115

July 16, 2019
KB4507459		Investigating
Last updated:
August 01, 2019
06:12 PM PT

Opened:
July 25, 2019
06:10 PM PT
Internet Explorer 11 and apps using the WebBrowser control may fail to render
Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.

Affected platforms:
  • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2016
Workaround: To mitigate this issue, you need to Enable Script Debugging using one of the following ways.

You can configure the below registry key:
Registry setting: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main
Value: Disable Script Debugger
Type: REG_SZ
Data: no

Or you can Enable Script Debugging in Internet Settings. You can open Internet Setting by either typing Internet Settings into the search box on Windows or by selecting Internet Options in Internet Explorer. Once open, select Advanced then Browsing and finally, select Enable Script Debugging.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 14393.3085

July 09, 2019
KB4507460		Mitigated
Last updated:
July 26, 2019
04:58 PM PT

Opened:
July 26, 2019
04:58 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503267 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround:
To mitigate this issue on an SCCM server:
  1. Verify Variable Window Extension is enabled.
  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

To mitigate this issue on a WDS server without SCCM:
  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 14393.3025

June 11, 2019
KB4503267		Mitigated
Last updated:
July 10, 2019
07:09 PM PT

Opened:
July 10, 2019
02:51 PM PT
" @@ -95,7 +96,6 @@ sections: text: " -
DetailsOriginating updateStatusHistory
Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.

Affected platforms:
  • Server: Windows Server 2016
Resolution: This issue was resolved in KB4507459.

Back to top		OS Build 14393.2941

April 25, 2019
KB4493473		Resolved
KB4507459		Resolved:
July 16, 2019
10:00 AM PT

Opened:
June 04, 2019
05:55 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499177. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509475.

Back to top		OS Build 14393.2999

May 23, 2019
KB4499177		Resolved
KB4509475		Resolved:
June 27, 2019
02:00 PM PT

Opened:
June 20, 2019
04:46 PM PT
" diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml index 1055bb156e..4dbe8ada26 100644 --- a/windows/release-information/status-windows-10-1703.yml +++ b/windows/release-information/status-windows-10-1703.yml @@ -60,9 +60,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- + -
SummaryOriginating updateStatusLast updated
Domain connected devices that use MIT Kerberos realms may not start up
Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after updating.

See details >		OS Build 15063.1955

July 16, 2019
KB4507467		Investigating
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 15063.1955

July 16, 2019
KB4507467		Investigating
August 01, 2019
06:12 PM PT
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

See details >		OS Build 15063.1805

May 14, 2019
KB4499181		Resolved
KB4507450		July 09, 2019
10:00 AM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 15063.1839

May 28, 2019
KB4499162		Resolved
KB4509476		June 26, 2019
04:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 15063.1563

January 08, 2019
KB4480973		Mitigated
April 25, 2019
02:00 PM PT
" @@ -79,16 +78,7 @@ sections: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms may not start up
Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.

If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507467. We are working on a resolution and estimate a solution will be available in mid-August.

Back to top		OS Build 15063.1955

July 16, 2019
KB4507467		Investigating
Last updated:
July 25, 2019
06:10 PM PT

Opened:
July 25, 2019
06:10 PM PT
- " - -- title: June 2019 -- items: - - type: markdown - text: " - - +
DetailsOriginating updateStatusHistory
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499162. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509476.

Back to top		OS Build 15063.1839

May 28, 2019
KB4499162		Resolved
KB4509476		Resolved:
June 26, 2019
04:00 PM PT

Opened:
June 20, 2019
04:46 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507467. We are working on a resolution and estimate a solution will be available in mid-August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 15063.1955

July 16, 2019
KB4507467		Investigating
Last updated:
August 01, 2019
06:12 PM PT

Opened:
July 25, 2019
06:10 PM PT
" diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index 4667f66e88..cee8270547 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -60,9 +60,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- + -
SummaryOriginating updateStatusLast updated
Domain connected devices that use MIT Kerberos realms may not start up
Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after updating.

See details >		OS Build 16299.1296

July 16, 2019
KB4507465		Investigating
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 16299.1296

July 16, 2019
KB4507465		Investigating
August 01, 2019
06:12 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Mitigated
July 10, 2019
07:09 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 16299.1182

May 28, 2019
KB4499147		Resolved
KB4509477		June 26, 2019
04:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Mitigated
April 25, 2019
02:00 PM PT
" @@ -79,20 +78,11 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms may not start up
Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507465. We are working on a resolution and estimate a solution will be available in mid-August.

Back to top		OS Build 16299.1296

July 16, 2019
KB4507465		Investigating
Last updated:
July 25, 2019
06:10 PM PT

Opened:
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507465. We are working on a resolution and estimate a solution will be available in mid-August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 16299.1296

July 16, 2019
KB4507465		Investigating
Last updated:
August 01, 2019
06:12 PM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround:
To mitigate this issue on an SCCM server:
  1. Verify Variable Window Extension is enabled.
  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

To mitigate this issue on a WDS server without SCCM:
  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Mitigated
Last updated:
July 10, 2019
07:09 PM PT

Opened:
July 10, 2019
02:51 PM PT
" -- title: June 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499147. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509477.

Back to top		OS Build 16299.1182

May 28, 2019
KB4499147		Resolved
KB4509477		Resolved:
June 26, 2019
04:00 PM PT

Opened:
June 20, 2019
04:46 PM PT
- " - - title: January 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index 166d39fa83..fccb71eca1 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -60,9 +60,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- + -
SummaryOriginating updateStatusLast updated
Domain connected devices that use MIT Kerberos realms may not start up
Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after updating.

See details >		OS Build 17134.915

July 16, 2019
KB4507466		Investigating
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 17134.915

July 16, 2019
KB4507466		Investigating
August 01, 2019
06:12 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 17134.829

June 11, 2019
KB4503286		Mitigated
July 10, 2019
07:09 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 17134.799

May 21, 2019
KB4499183		Resolved
KB4509478		June 26, 2019
04:00 PM PT
Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.

See details >		OS Build 17134.829

June 11, 2019
KB4503286		Mitigated
June 14, 2019
04:41 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Mitigated
April 25, 2019
02:00 PM PT
@@ -80,7 +79,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms may not start up
Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507466. We are working on a resolution and estimate a solution will be available in mid-August.

Back to top		OS Build 17134.915

July 16, 2019
KB4507466		Investigating
Last updated:
July 25, 2019
06:10 PM PT

Opened:
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507466. We are working on a resolution and estimate a solution will be available in mid-August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 17134.915

July 16, 2019
KB4507466		Investigating
Last updated:
August 01, 2019
06:12 PM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503286 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround:
To mitigate this issue on an SCCM server:
  1. Verify Variable Window Extension is enabled.
  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

To mitigate this issue on a WDS server without SCCM:
  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Mitigated
Last updated:
July 10, 2019
07:09 PM PT

Opened:
July 10, 2019
02:51 PM PT
" @@ -90,7 +89,6 @@ sections: - type: markdown text: " -
DetailsOriginating updateStatusHistory
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499183. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509478.

Back to top		OS Build 17134.799

May 21, 2019
KB4499183		Resolved
KB4509478		Resolved:
June 26, 2019
04:00 PM PT

Opened:
June 20, 2019
04:46 PM PT
Startup to a black screen after installing updates
We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.


Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
  • Server: Windows Server 2019
Workaround: To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Mitigated
Last updated:
June 14, 2019
04:41 PM PT

Opened:
June 14, 2019
04:41 PM PT
" diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index a8d6b78e6b..de3ecd7333 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -64,9 +64,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- + - @@ -85,7 +84,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Domain connected devices that use MIT Kerberos realms may not start up
Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after updating.

See details >		OS Build 17763.652

July 22, 2019
KB4505658		Investigating
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 17763.652

July 22, 2019
KB4505658		Investigating
August 01, 2019
06:12 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 17763.557

June 11, 2019
KB4503327		Mitigated
July 10, 2019
07:09 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 17763.529

May 21, 2019
KB4497934		Resolved
KB4509479		June 26, 2019
04:00 PM PT
Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.

See details >		OS Build 17763.557

June 11, 2019
KB4503327		Mitigated
June 14, 2019
04:41 PM PT
Devices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

See details >		OS Build 17763.437

April 09, 2019
KB4493509		Mitigated
May 03, 2019
10:59 AM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Mitigated
April 09, 2019
10:00 AM PT
- +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms may not start up
Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4505658. We are working on a resolution and estimate a solution will be available in mid-August.

Back to top		OS Build 17763.652

July 22, 2019
KB4505658		Investigating
Last updated:
July 25, 2019
06:10 PM PT

Opened:
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4505658. We are working on a resolution and estimate a solution will be available in mid-August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 17763.652

July 22, 2019
KB4505658		Investigating
Last updated:
August 01, 2019
06:12 PM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503327 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround:
To mitigate this issue on an SCCM server:
  1. Verify Variable Window Extension is enabled.
  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

To mitigate this issue on a WDS server without SCCM:
  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Mitigated
Last updated:
July 10, 2019
07:09 PM PT

Opened:
July 10, 2019
02:51 PM PT
" @@ -95,7 +94,6 @@ sections: - type: markdown text: " -
DetailsOriginating updateStatusHistory
Difficulty connecting to some iSCSI-based SANs
Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4497934. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2019; Windows Server 2016
Resolution: This issue was resolved in KB4509479.

Back to top		OS Build 17763.529

May 21, 2019
KB4497934		Resolved
KB4509479		Resolved:
June 26, 2019
04:00 PM PT

Opened:
June 20, 2019
04:46 PM PT
Startup to a black screen after installing updates
We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.


Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
  • Server: Windows Server 2019
Workaround: To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Mitigated
Last updated:
June 14, 2019
04:41 PM PT

Opened:
June 14, 2019
04:41 PM PT
" diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index a1ebf8f433..b2ca8f3142 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -22,7 +22,7 @@ sections:
Current status as of July 16, 2019:
-
We are initiating the Windows 10 May 2019 Update for customers with devices that are at or nearing end of service and have not yet updated their device. Keeping these devices both supported and receiving monthly updates is critical to device security and ecosystem health. Based on the large number of devices running the April 2018 Update, that will reach the end of 18 months of service on November 12, 2019, we are starting the update process now for Home and Pro editions to help ensure adequate time for a smooth update process.

Our update rollout process takes into consideration the scale and complexity of the Windows 10 ecosystem, with the many hardware, software, and app configuration options users have, to provide a seamless update experience for all users. We closely monitor update feedback to allow us to prioritize those devices likely to have a good update experience and quickly put safeguards on other devices while we address known issues. Windows 10 Home and Pro edition users will have the ability to pause the update for up to 35 days so they can choose a convenient time.

The Windows 10 May 2019 Update is available for any user who manually selects “Check for updates” via Windows Update on a device that does not have a safeguard hold for issues already detected. If you are not offered the update, please check below for any known issues that may affect your device.

We recommend commercial customers running earlier versions of Windows 10 begin targeted deployments of Windows 10, version 1903 to validate that the apps, devices, and infrastructure used by their organizations work as expected with the new release and features.

Note Follow @WindowsUpdate to find out when new content is published to the release information dashboard.
+
We are initiating the Windows 10 May 2019 Update for customers with devices that are at or nearing end of service and have not yet updated their device. Keeping these devices both supported and receiving monthly updates is critical to device security and ecosystem health. Based on the large number of devices running the April 2018 Update, that will reach the end of 18 months of service on November 12, 2019, we are starting the update process now for Home and Pro editions to help ensure adequate time for a smooth update process.

Our update rollout process takes into consideration the scale and complexity of the Windows 10 ecosystem, with the many hardware, software, and app configuration options users have, to provide a seamless update experience for all users. We closely monitor update feedback to allow us to prioritize those devices likely to have a good update experience and quickly put safeguards on other devices while we address known issues. Windows 10 Home and Pro edition users will have the ability to pause the update for up to 35 days so they can choose a convenient time.

The Windows 10 May 2019 Update is available for any user who manually selects “Check for updates” via Windows Update on a device that does not have a safeguard hold for issues already detected. If you are not offered the update, please check below for any known issues that may affect your device.

We recommend commercial customers running earlier versions of Windows 10 begin targeted deployments of Windows 10, version 1903 to validate that the apps, devices, and infrastructure used by their organizations work as expected with the new release and features.

Note Follow @WindowsUpdate to find out when new content is published to the release information dashboard.
" @@ -65,23 +65,22 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- - + + + + + + - - - - -
SummaryOriginating updateStatusLast updated
Domain connected devices that use MIT Kerberos realms may not start up
Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after updating.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
July 25, 2019
06:10 PM PT
Issues updating when certain versions of Intel storage drivers are installed
Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Mitigated External
July 25, 2019
06:10 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated External
August 01, 2019
08:44 PM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
August 01, 2019
06:27 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
August 01, 2019
06:12 PM PT
Issues updating when certain versions of Intel storage drivers are installed
Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Mitigated External
August 01, 2019
05:58 PM PT
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		July 26, 2019
02:00 PM PT
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
KB4505903		July 26, 2019
02:00 PM PT
The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
Some apps or games that needs to perform graphics intensive operations may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
July 16, 2019
09:04 AM PT
Initiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
July 12, 2019
04:42 PM PT
Loss of functionality in Dynabook Smartphone Link app
After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.

See details >		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
July 11, 2019
01:54 PM PT
Error attempting to update with external USB device or memory card attached
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
July 11, 2019
01:53 PM PT
Audio not working with Dolby Atmos headphones and home theater
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
July 11, 2019
01:53 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 18362.175

June 11, 2019
KB4503293		Mitigated
July 10, 2019
07:09 PM PT
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Mitigated
July 01, 2019
05:04 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

See details >		OS Build 18362.175

June 11, 2019
KB4503293		Resolved
KB4501375		June 27, 2019
10:00 AM PT
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates

See details >		OS Build 18362.116

May 20, 2019
KB4505057		Investigating
June 10, 2019
06:06 PM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
May 24, 2019
11:02 AM PT
Unable to discover or connect to Bluetooth devices
Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
May 21, 2019
04:48 PM PT
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Investigating
May 21, 2019
04:47 PM PT
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in battery drain.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
May 21, 2019
04:47 PM PT
Cannot launch Camera app
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
May 21, 2019
04:47 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
May 21, 2019
04:46 PM PT
" @@ -97,8 +96,8 @@ sections: - type: markdown text: " - - + + @@ -110,8 +109,7 @@ sections: - type: markdown text: "
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms may not start up
Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in mid-August.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
July 25, 2019
06:10 PM PT

Opened:
July 25, 2019
06:10 PM PT
Issues updating when certain versions of Intel storage drivers are installed
Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST driver version between 15.1.0.1002 and 15.5.2.1053 installed from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.6.1044.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Next steps: To resolve this issue, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for the May 2019 Update.

Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Mitigated External
Last updated:
July 25, 2019
06:10 PM PT

Opened:
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in mid-August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
August 01, 2019
06:12 PM PT

Opened:
July 25, 2019
06:10 PM PT
Issues updating when certain versions of Intel storage drivers are installed
Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.

Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.6.1044.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Next steps: To resolve this issue, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for the May 2019 Update. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Mitigated External
Last updated:
August 01, 2019
05:58 PM PT

Opened:
July 25, 2019
06:10 PM PT
The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing unit (dGPU). After updating to Windows 10, version 1903 (May 2019 Feature Update), some apps or games that needs to perform graphics intensive operations may close or fail to open.

To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPUs from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: To mitigate the issue if you are already on Windows 10, version 1903, you can restart the device or select the Scan for hardware changes button in the Action menu or on the toolbar in Device Manager.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
July 16, 2019
09:04 AM PT

Opened:
July 12, 2019
04:20 PM PT
Initiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Next steps: We are working on a resolution that will be made available in upcoming release.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
July 12, 2019
04:42 PM PT

Opened:
July 12, 2019
04:42 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503293 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround:
To mitigate this issue on an SCCM server:
  1. Verify Variable Window Extension is enabled.
  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

To mitigate this issue on a WDS server without SCCM:
  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Mitigated
Last updated:
July 10, 2019
07:09 PM PT

Opened:
July 10, 2019
02:51 PM PT
- - +
DetailsOriginating updateStatusHistory
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.

This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.

Affected platforms
  • Client: Windows 10, version 1903
Workaround: To mitigate this issue, use one of the steps below, either the group policy step or the registry step, to configure one of the default telemetry settings:

Set the value for the following group policy settings:
  1. Group Policy Path: Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry
  2. Safe Policy Setting: Enabled and set to 1 (Basic) or 2 (Enhanced) or 3 (Full)

Or set the following registry value:

SubKey: HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection

Setting: AllowTelemetry

Type: REG_DWORD

Value: 1, 2 or 3


Note If the Remote Access Connection Manager service is not running after setting the Group Policy or registry key, you will need to manually start the service or restart the device.

Next Steps: We are working on a resolution and estimate a solution will be available in late July.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Mitigated
Last updated:
July 01, 2019
05:04 PM PT

Opened:
June 28, 2019
05:01 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4501375.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Resolved
KB4501375		Resolved:
June 27, 2019
10:00 AM PT

Opened:
June 12, 2019
11:11 AM PT
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.

This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.

Affected platforms
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
KB4505903		Resolved:
July 26, 2019
02:00 PM PT

Opened:
June 28, 2019
05:01 PM PT
" @@ -120,15 +118,15 @@ sections: - type: markdown text: " + + + - - -
DetailsOriginating updateStatusHistory
Intermittent loss of Wi-Fi connectivity
Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: Before updating to Windows 10, version 1903, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM).
 
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated External
Last updated:
August 01, 2019
08:44 PM PT

Opened:
May 21, 2019
07:13 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
  • Connecting to (or disconnecting from) an external monitor, dock, or projector
  • Rotating the screen
  • Updating display drivers or making other display mode changes
  • Closing full screen applications
  • Applying custom color profiles
  • Running applications that rely on custom gamma ramps
Affected platforms:
  • Client: Windows 10, version 1903
Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
Last updated:
August 01, 2019
06:27 PM PT

Opened:
May 21, 2019
07:28 AM PT
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		Resolved:
July 26, 2019
02:00 PM PT

Opened:
May 21, 2019
07:56 AM PT
Loss of functionality in Dynabook Smartphone Link app
Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.

To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
Resolved:
July 11, 2019
01:54 PM PT

Opened:
May 24, 2019
03:10 PM PT
Error attempting to update with external USB device or memory card attached
If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.

Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).

Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.

To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
Resolved:
July 11, 2019
01:53 PM PT

Opened:
May 21, 2019
07:38 AM PT
Audio not working with Dolby Atmos headphones and home theater
After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error.
 
This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions.
 
To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
Resolved:
July 11, 2019
01:53 PM PT

Opened:
May 21, 2019
07:16 AM PT
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

Affected platforms:
  • Client: Windows 10, version 1903
Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.116

May 20, 2019
KB4505057		Investigating
Last updated:
June 10, 2019
06:06 PM PT

Opened:
May 24, 2019
04:20 PM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

Microsoft has identified some scenarios where night light settings may stop working, for example:
  • Connecting to (or disconnecting from) an external monitor, dock, or projector
  • Rotating the screen
  • Updating display drivers or making other display mode changes
  • Closing full screen applications
  • Applying custom color profiles
  • Running applications that rely on custom gamma ramps
Affected platforms:
  • Client: Windows 10, version 1903
Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
Last updated:
May 24, 2019
11:02 AM PT

Opened:
May 21, 2019
07:28 AM PT
Unable to discover or connect to Bluetooth devices
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek and Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek or Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it.

  • For Qualcomm drivers, you will need to install a driver version greater than 10.0.1.11.
  • For Realtek drivers, you will need to install a driver version greater than 1.5.1011.0.
Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

Next steps: Microsoft is working with Realtek and Qualcomm to release new drivers for all affected system via Windows Update.  


Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
Last updated:
May 21, 2019
04:48 PM PT

Opened:
May 21, 2019
07:29 AM PT
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: Restart your device to apply changes to brightness.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Next steps: We are working on a resolution that will be made available in upcoming release.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Investigating
Last updated:
May 21, 2019
04:47 PM PT

Opened:
May 21, 2019
07:56 AM PT
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
  
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809
Workaround:
On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration.

For more information, see Intel's customer support guidance and the Microsoft knowledge base article KB4465877.

Note We recommend you do not attempt to update your devices until newer device drivers are installed.

Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
Last updated:
May 21, 2019
04:47 PM PT

Opened:
May 21, 2019
07:22 AM PT
Cannot launch Camera app
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:

\"Close other apps, error code: 0XA00F4243.”


To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: To temporarily resolve this issue, perform one of the following:

  • Unplug your camera and plug it back in.

or

  • Disable and re-enable the driver in Device Manager. In the Search box, type \"Device Manager\" and press Enter. In the Device Manager dialog box, expand Cameras, then right-click on any RealSense driver listed and select Disable device. Right click on the driver again and select Enable device.

or

  • Restart the RealSense service. In the Search box, type \"Task Manager\" and hit Enter. In the Task Manager dialog box, click on the Services tab, right-click on RealSense, and select Restart
Note This workaround will only resolve the issue until your next system restart.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
Last updated:
May 21, 2019
04:47 PM PT

Opened:
May 21, 2019
07:20 AM PT
Intermittent loss of Wi-Fi connectivity
Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: Download and install an updated Wi-Fi driver from your device manufacturer (OEM).
 
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
Last updated:
May 21, 2019
04:46 PM PT

Opened:
May 21, 2019
07:13 AM PT
" diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 9d2980d85a..c7a8b5e2d7 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -49,12 +49,14 @@ sections: - type: markdown text: " - - + + + + - - + + diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 2fc0996eb0..73c0ca23ab 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -79,7 +79,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ 2. Click **Login** and provide Azure credentials -3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid] is the user principal name of user in Azure Active Directory. Click **Go** +3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. ![Azure AD Connect On-Prem DN Attribute](images/aadjcert/aadconnectonpremdn.png) @@ -659,7 +659,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority. ![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png) -15. Under **Extended key usage**, type **Smart Card Logon** under Name. Type **1.3.6.1.4.1.311.20.2.2 under **Object identifier**. Click **Add**. +15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. ![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 1df71e5f3d..433457239a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -196,10 +196,19 @@ In a federated Azure AD configuration, devices rely on Active Directory Federati Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service. +When you're using AD FS, you need to enable the following WS-Trust endpoints: +`/adfs/services/trust/2005/windowstransport` +`/adfs/services/trust/13/windowstransport` +`/adfs/services/trust/2005/usernamemixed` +`/adfs/services/trust/13/usernamemixed` +`/adfs/services/trust/2005/certificatemixed` +`/adfs/services/trust/13/certificatemixed` + +> [!WARNING] +> Both **adfs/services/trust/2005/windowstransport** or **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust WIndows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**. + > [!NOTE] -> When using AD FS, either **adfs/services/trust/13/windowstransport** or **adfs/services/trust/2005/windowstransport** must be enabled. If you are using the Web Authentication Proxy, also ensure that this endpoint is published through the proxy. You can see what end-points are enabled through the AD FS management console under **Service > Endpoints**. -> -> If you don't have AD FS as your on-premises federation service, follow the instructions of your vendor to make sure they support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX). +>If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX). The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises. diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index c3243e4a9c..08a7fe11e3 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -52,6 +52,7 @@ ##### [Investigate machines](microsoft-defender-atp/investigate-machines.md) ##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md) ##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md) +###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md) ##### [Investigate a user account](microsoft-defender-atp/investigate-user.md) #### [Machines list]() @@ -104,7 +105,20 @@ ### [Advanced hunting]() #### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md) #### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md) -##### [Advanced hunting reference](microsoft-defender-atp/advanced-hunting-reference.md) + +##### [Advanced hunting schema reference]() +###### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md) +###### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md) +###### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md) +###### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md) +###### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md) +###### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md) +###### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md) +###### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md) +###### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md) +###### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md) +###### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md) + ##### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) #### [Custom detections]() @@ -129,7 +143,7 @@ ### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md) ### [Portal overview](microsoft-defender-atp/portal-overview.md) - +### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md) ## [Get started]() ### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) @@ -140,6 +154,9 @@ ### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md) ### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access.md) + + + ### [Evaluate Microsoft Defender ATP]() #### [Attack surface reduction and next-generation capability evaluation]() ##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md) @@ -232,7 +249,7 @@ ##### [Manage updates and apply baselines]() ###### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md) -###### [Manage protection and definition updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md) +###### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md) ###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md) ###### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md) ###### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index a3d281ec8b..d72c39898d 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -38,7 +38,9 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit successful events, click **Success.** - To audit failure events, click **Fail.** - To audit all events, click **All.** + + 6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include: - **This folder only** @@ -47,7 +49,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder and files** - **Subfolders and files only** - **Subfolders only** - - **Files only** + - **Files only** 7. By default, the selected **Basic Permissions** to audit are the following: - **Read and execute** diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index d85f33b6b5..05cbed96aa 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -67,7 +67,7 @@ The attack surface reduction set of capabilities provide the first line of defen - [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) - [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md) - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) -- [Attack surface reduction controls](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) +- [Attack surface reduction rules](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md new file mode 100644 index 0000000000..9544001b7c --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md @@ -0,0 +1,54 @@ +--- +title: AlertEvents table in the advanced hunting schema +description: Learn about the AlertEvents table in the Advanced hunting schema, such as column names, data types, and descriptions +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, alertevent +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# AlertEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| AlertId | string | Unique identifier for the alert | +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | +| Category | string | Type of threat indicator or breach activity identified by the alert | +| Title | string | Title of the alert | +| FileName | string | Name of the file that the recorded action was applied to | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | +| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | +| RemoteIP | string | IP address that was being connected to | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| Table | string | Table that contains the details of the event | + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md new file mode 100644 index 0000000000..a82f47f963 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md @@ -0,0 +1,73 @@ +--- +title: FileCreationEvents table in the Advanced hunting schema +description: Learn about the FileCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, filecreationevents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# FileCreationEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string | Type of activity that triggered the event | +| FileName | string | Name of the file that the recorded action was applied to | +| FolderPath | string | Folder containing the file that the recorded action was applied to | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | +| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available | +| MD5 | string | MD5 hash of the file that the recorded action was applied to | +| FileOriginUrl | string | URL where the file was downloaded from | +| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file | +| FileOriginIP | string | IP address where the file was downloaded from | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection | +| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | +| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection | + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md new file mode 100644 index 0000000000..d7e0521472 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md @@ -0,0 +1,66 @@ +--- +title: ImageLoadEvents table in the Advanced hunting schema +description: Learn about the ImageLoadEvents table in the Advanced hunting schema, such as column names, data types, and descriptions +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, imageloadevents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# ImageLoadEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string | Type of activity that triggered the event | +| FileName | string | Name of the file that the recorded action was applied to | +| FolderPath | string | Folder containing the file that the recorded action was applied to | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | +| MD5 | string | MD5 hash of the file that the recorded action was applied to | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md new file mode 100644 index 0000000000..1e8a0cfcc7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md @@ -0,0 +1,74 @@ +--- +title: LogonEvents table in the Advanced hunting schema +description: Learn about the LogonEvents table in the Advanced hunting schema, such as column names, data types, and descriptions +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, logonevents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# LogonEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string |Type of activity that triggered the event | +| AccountDomain | string | Domain of the account | +| AccountName | string | User name of the account | +| AccountSid | string | Security Identifier (SID) of the account | +| LogonType | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the machine using the local keyboard and screen

- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

- **Batch** - Session initiated by scheduled tasks

- **Service** - Session initiated by services as they start
| +| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | +| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | +| RemoteIP | string | IP address that was being connected to | +| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | +| RemotePort | int | TCP port on the remote device that was being connected to | +| AdditionalFields | string | Additional information about the event in JSON array format | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine | + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md new file mode 100644 index 0000000000..fa58a67cdd --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md @@ -0,0 +1,55 @@ +--- +title: MachineInfo table in the Advanced hunting schema +description: Learn about the MachineInfo table in the Advanced hunting schema, such as column names, data types, and descriptions +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machineinfo +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# MachineInfo + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ClientVersion | string | Version of the endpoint agent or sensor running on the machine | +| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy | +| OSArchitecture | string | Architecture of the operating system running on the machine | +| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | +| OSBuild | string | Build version of the operating system running on the machine | +| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | +| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | +| RegistryMachineTag | string | Machine tag added through the registry | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| OSVersion | string | Version of the operating system running on the machine | +| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine | + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md new file mode 100644 index 0000000000..3ec3dfd8f2 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md @@ -0,0 +1,56 @@ +--- +title: MachineNetworkInfo table in the Advanced hunting schema +description: Learn about the MachineNetworkInfo table in the Advanced hunting schema, such as column names, data types, and descriptions +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machinenetworkinfo +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# MachineNetworkInfo + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| NetworkAdapterName | string | Name of the network adapter | +| MacAddress | string | MAC address of the network adapter | +| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) | +| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) | +| TunnelType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | +| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet | +| DnsAddresses | string | DNS server addresses in JSON array format | +| IPv4Dhcp | string | IPv4 address of DHCP server | +| IPv6Dhcp | string | IPv6 address of DHCP server | +| DefaultGateways | string | Default gateway addresses in JSON array format | +| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local | + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md new file mode 100644 index 0000000000..01c38628be --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md @@ -0,0 +1,87 @@ +--- +title: MiscEvents table in the advanced hunting schema +description: Learn about the MiscEvents table in the Advanced hunting schema, such as column names, data types, and descriptions +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, miscEvents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# MiscEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string | Type of activity that triggered the event | +| FileName | string | Name of the file that the recorded action was applied to | +| FolderPath | string | Folder containing the file that the recorded action was applied to | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | +| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available | +| MD5 | string | MD5 hash of the file that the recorded action was applied to | +| AccountDomain | string | Domain of the account | +| AccountName |string | User name of the account | +| AccountSid | string | Security Identifier (SID) of the account | +| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | +| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | +| ProcessId | int | Process ID (PID) of the newly created process | +| ProcessCommandLine | string | Command line used to create the new process | +| ProcessCreationTime | datetime | Date and time the process was created | +| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | +| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | +| RegistryKey | string | Registry key that the recorded action was applied to | +| RegistryValueName | string | Name of the registry value that the recorded action was applied to | +| RegistryValueData | string | Data of the registry value that the recorded action was applied to | +| RemoteIP | string | IP address that was being connected to | +| RemotePort | int | TCP port on the remote device that was being connected to | +| LocalIP | string | IP address assigned to the local machine used during communication | +| LocalPort | int | TCP port on the local machine used during communication | +| FileOriginUrl | string | URL where the file was downloaded from | +| FileOriginIP | string | IP address where the file was downloaded from | +| AdditionalFields | string | Additional information about the event in JSON array format | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md new file mode 100644 index 0000000000..fb18d453d7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md @@ -0,0 +1,70 @@ +--- +title: NetworkCommunicationEvents table in the Advanced hunting schema +description: Learn about the NetworkCommunicationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, networkcommunicationevents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# NetworkCommunicationEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string | Type of activity that triggered the event | +| RemoteIP | string | IP address that was being connected to | +| RemotePort | int | TCP port on the remote device that was being connected to | +| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | +| LocalIP | string | IP address assigned to the local machine used during communication | +| LocalPort | int | TCP port on the local machine used during communication | +| Protocol | string | IP protocol used, whether TCP or UDP | +| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | +| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md new file mode 100644 index 0000000000..d6ef50a878 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md @@ -0,0 +1,78 @@ +--- +title: ProcessCreationEvents table in the Advanced hunting schema +description: Learn about the ProcessCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, processcreationevents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# ProcessCreationEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string | Type of activity that triggered the event | +| FileName | string | Name of the file that the recorded action was applied to | +| FolderPath | string | Folder containing the file that the recorded action was applied to | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | +| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | +| MD5 | string | MD5 hash of the file that the recorded action was applied to | +| ProcessId | int | Process ID (PID) of the newly created process | +| ProcessCommandLine | string | Command line used to create the new process | +| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources | +| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | +| ProcessCreationTime | datetime | Date and time the process was created | +| AccountDomain | string | Domain of the account | +| AccountName | string | User name of the account | +| AccountSid | string | Security Identifier (SID) of the account | +| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md index 0233da71e9..40810a2f12 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md @@ -1,6 +1,6 @@ --- -title: Advanced hunting reference in Microsoft Defender ATP -description: Learn about Advanced hunting table reference such as column name, data type, and description +title: Advanced hunting schema reference +description: Learn about the tables in the advanced hunting schema keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 06/01/2018 +ms.date: 07/24/2019 --- # Advanced hunting reference in Microsoft Defender ATP @@ -26,101 +26,28 @@ ms.date: 06/01/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -## Advanced hunting column reference -To effectively build queries that span multiple tables, you need to understand the columns in the Advanced hunting schema. The following table lists all the available columns, along with their data types and descriptions. This information is also available in the schema representation in the Advanced hunting screen. +## Advanced hunting table reference -| Column name | Data type | Description -:---|:--- |:--- -| AccountDomain | string | Domain of the account | -| AccountName | string | User name of the account | -| AccountSid | string | Security Identifier (SID) of the account | -| ActionType | string | Type of activity that triggered the event | -| AdditionalFields | string | Additional information about the event in JSON array format | -| AlertId | string | Unique identifier for the alert | -| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | -| Category | string | Type of threat indicator or breach activity identified by the alert | -| ClientVersion | string | Version of the endpoint agent or sensor running on the machine | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine | -| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. | -| DefaultGateways | string | Default gateway addresses in JSON array format | -| DnsAddresses | string | DNS server addresses in JSON array format | -| EventTime | datetime | Date and time when the event was recorded | -| FileName | string | Name of the file that the recorded action was applied to | -| FileOriginIp | string | IP address where the file was downloaded from | -| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file | -| FileOriginUrl | string | URL where the file was downloaded from | -| FolderPath | string | Folder containing the file that the recorded action was applied to | -| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | -| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | -| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | -| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | -| InitiatingProcessFileName | string | Name of the process that initiated the event | -| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | -| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | -| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. | -| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | -| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event | -| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | -| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | -| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event | -| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. | -| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | -| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local | -| Ipv4Dhcp | string | IPv4 address of DHCP server | -| Ipv6Dhcp | string | IPv6 address of DHCP server | -| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | -| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection | -| LocalIP | string | IP address assigned to the local machine used during communication | -| LocalPort | int | TCP port on the local machine used during communication | -| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | -| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. | -| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | -| LogonType | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the machine using the local keyboard and screen

- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

- **Batch** - Session initiated by scheduled tasks

- **Service** - Session initiated by services as they start
-| MacAddress | string | MAC address of the network adapter | -| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. | -| MachineId | string | Unique identifier for the machine in the service | -| MD5 | string | MD5 hash of the file that the recorded action was applied to | -| NetworkAdapterName | string | Name of the network adapter | -| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). | -| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). | -| OSArchitecture | string | Architecture of the operating system running on the machine | -| OSBuild | string | Build version of the operating system running on the machine | -| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | -| OsVersion | string | Version of the operating system running on the machine | -| PreviousRegistryKey | string | Original registry key of the registry value before it was modified | -| PreviousRegistryValueData | string | Original data of the registry value before it was modified | -| PreviousRegistryValueName | string | Original name of the registry value before it was modified | -| PreviousRegistryValueType | string | Original data type of the registry value before it was modified | -| ProcessCommandline | string | Command line used to create the new process | -| ProcessCreationTime | datetime | Date and time the process was created | -| ProcessId | int | Process ID (PID) of the newly created process | -| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. | -| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | -| Protocol | string | IP protocol used, whether TCP or UDP | -| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. | -| RegistryKey | string | Registry key that the recorded action was applied to | -| RegistryValueData | string | Data of the registry value that the recorded action was applied to | -| RegistryValueName | string | Name of the registry value that the recorded action was applied to | -| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | -| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | -| RemoteIP | string | IP address that was being connected to | -| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | -| RemotePort | int | TCP port on the remote device that was being connected to | -| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | -| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. | -| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | -| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection | -| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | -| SHA1 | string | SHA-1 of the file that the recorded action was applied to | -| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | -| RegistryMachineTag | string | Machine tag added through the registry | -| Table | string | Table that contains the details of the event | -| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | +The Advanced hunting schema is made up of multiple tables that provide either event information or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) +The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table. + +Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen. + +| Table name | Description | +|------------|-------------| +| **[AlertEvents](advanced-hunting-alertevents-table.md)** | Alerts on Microsoft Defender Security Center | +| **[MachineInfo](advanced-hunting-machineinfo-table.md)** | Machine information, including OS information | +| **[MachineNetworkInfo](advanced-hunting-machinenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains | +| **[ProcessCreationEvents](advanced-hunting-processcreationevents-table.md)** | Process creation and related events | +| **[NetworkCommunicationEvents](advanced-hunting-networkcommunicationevents-table.md)** | Network connection and related events | +| **[FileCreationEvents](advanced-hunting-filecreationevents-table.md)** | File creation, modification, and other file system events | +| **[RegistryEvents](advanced-hunting-registryevents-table.md)** | Creation and modification of registry entries | +| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events | +| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events | +| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | ## Related topics + - [Query data using Advanced hunting](advanced-hunting.md) -- [Advanced hunting query language best practices](advanced-hunting-best-practices.md) \ No newline at end of file +- [Best practices for Advanced hunting query-writing](advanced-hunting-best-practices.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md new file mode 100644 index 0000000000..75b7b12ee6 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md @@ -0,0 +1,68 @@ +--- +title: RegistryEvents table in the Advanced hunting schema +description: Learn about the RegistryEvents table in the Advanced hunting schema, such as column names, data types, and descriptions +keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, registryevents +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 07/24/2019 +--- + +# RegistryEvents + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. + +For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| EventTime | datetime | Date and time when the event was recorded | +| MachineId | string | Unique identifier for the machine in the service | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| ActionType | string | Type of activity that triggered the event | +| RegistryKey | string | Registry key that the recorded action was applied to | +| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | +| RegistryValueName | string | Name of the registry value that the recorded action was applied to | +| RegistryValueData | string | Data of the registry value that the recorded action was applied to | +| PreviousRegistryValueName | string | Original name of the registry value before it was modified | +| PreviousRegistryValueData | string | Original data of the registry value before it was modified | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | + +## Related topics + +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) +- [Advanced hunting query best practices](advanced-hunting-best-practices.md) +- [Query data using Advanced hunting](advanced-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md new file mode 100644 index 0000000000..dfff630e9d --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md @@ -0,0 +1,96 @@ +--- +title: Microsoft Defender ATP for US Government GCC High customers +description: Learn about the requirements and the available Microsoft Defender ATP capabilities for US Government CCC High customers +keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Microsoft Defender ATP for US Government GCC High customers + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for US Government Community Cloud High (GCC High) customers, built in the US Azure Government environment, uses the same underlying technologies as Microsoft Defender ATP in Azure Commercial. + +This offering is currently available to US Office 365 GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some key differences in the availability of capabilities for this offering. + + +## Endpoint versions +The following OS versions are supported: + +- Windows 10, version 1903 +- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/en-us/help/4490481)) +- Windows 10, version 1803 (OS Build 17134.799 with [KB4499183](https://support.microsoft.com/help/4499183)) +- Windows 10, version 1709 (OS Build 16299.1182 with [KB4499147](https://support.microsoft.com/help/4499147)) +- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/en-us/help/4490481)) + +>[!NOTE] +>A patch must be deployed before machine onboarding in order to configure Microsoft Defender ATP to the correct environment. + +The following OS versions are not supported: +- Windows Server 2008 R2 SP1 +- Windows Server 2012 R2 +- Windows Server 2016 +- Windows Server, version 1803 +- Windows 7 SP1 Enterprise +- Windows 7 SP1 Pro +- Windows 8 Pro +- Windows 8.1 Enterprise +- macOS + +The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2019: + +## Threat & Vulnerability Management +Not currently available. + + +## Automated investigation and remediation +The following capabilities are not currently available: +- Response to Office 365 alerts +- Live response + + + +## Management and APIs +The following capabilities are not currently available: + +- Threat protection report +- Machine health and compliance report +- Integration with third-party products + + +## Integrations +Integrations with the following Microsoft products are not currently available: +- Azure Security Center +- Azure Advanced Threat Protection +- Azure Information Protection +- Office 365 Advanced Threat Protection +- Microsoft Cloud App Security +- Skype for Business +- Microsoft Intune (sharing of device information and enhanced policy enforcement) + +## Microsoft Threat Experts +Not currently available. + +## Required connectivity settings +You'll need to ensure that traffic from the following are allowed: + +Service location | DNS record +:---|:--- +Common URLs for all locations (Global location) | ```crl.microsoft.com```
```ctldl.windowsupdate.com```
```notify.windows.com``` +Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com```
```winatp-gw-usgt.microsoft.com```
```winatp-gw-usgv.microsoft.com```
```*.blob.core.usgovcloudapi.net``` + + + diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index d6b0b6bed5..785daef982 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md @@ -22,8 +22,6 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) [Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index 5c01117055..4640790859 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -22,14 +22,13 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks. ->[!NOTE] ->Before you can track and manage onboarding of machines, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management). +Before you can track and manage onboarding of machines: +- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management) +- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions) ## Discover and track unprotected machines @@ -39,8 +38,7 @@ The **Onboarding** card provides a high-level overview of your onboarding rate b *Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machine* >[!NOTE] ->- If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines. ->- During preview, you might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune. +>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines. ## Onboard more machines with Intune profiles @@ -66,10 +64,10 @@ From the overview, create a configuration profile specifically for the deploymen 3. After creating the profile, assign it to all your machines. You can review profiles and their deployment status anytime by accessing **Device configuration > Profiles** on Intune. ![Profile assignment screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)
- *Assigning the new agent profile to all machines* + *Assigning the new profile to all machines* >[!TIP] ->To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/device-profile-assign). +>To learn more about Intune profiles, read about [assigning user and device profiles](https://docs.microsoft.com/intune/device-profile-assign). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md index 9ef47de4a4..5c04c5d86d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md @@ -22,16 +22,15 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection. To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a). ->[!NOTE] ->Before you can track and manage compliance to the Microsoft Defender ATP security baseline, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management). +Before you can deploy and track compliance to security baselines: +- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management) +- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions) ## Compare the Microsoft Defender ATP and the Windows Intune security baselines The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see: @@ -44,17 +43,6 @@ Both baselines are maintained so that they complement one another and have ident >[!NOTE] >The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments. -## Get permissions to manage security baselines in Intune - -By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage security baseline profiles. If you haven’t been assigned either role, work with a Global Administrator or an Intune Service Administrator to [create and assign a custom role in Intune](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role) with: - -* Read permissions to the organization -* Full permissions to security baselines - -![Security baseline permissions on Intune](images/secconmgmt_baseline_permissions.png) - -*Security baseline permissions on Intune* - ## Monitor compliance to the Microsoft Defender ATP security baseline The **Security baseline** card on [machine configuration management](configure-machines.md) provides an overview of compliance across Windows 10 machines that have been assigned the Microsoft Defender ATP security baseline. @@ -71,10 +59,8 @@ Each machine is given one of the following status types: To review specific machines, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the machines. ->[!NOTE] ->During preview, you might encounter a few known limitations: ->- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune. ->- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard. +>[!NOTE] +>You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune. ## Review and assign the Microsoft Defender ATP security baseline @@ -83,7 +69,7 @@ Machine configuration management monitors baseline compliance only of Windows 10 1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed. >[!TIP] - > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines (preview) > PREVIEW: Windows Defender ATP baseline**. + > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**. 2. Create a new profile. @@ -101,10 +87,10 @@ Machine configuration management monitors baseline compliance only of Windows 10 ![Security baseline profiles on Intune](images/secconmgmt_baseline_intuneprofile3.png)
*Assigning the security baseline profile on Intune* -5. Save the profile and deploy it to the assigned machine group. +5. Create the profile to save it and deploy it to the assigned machine group. ![Assigning the security baseline on Intune](images/secconmgmt_baseline_intuneprofile4.png)
- *Saving and deploying the security baseline profile on Intune* + *Creating the security baseline profile on Intune* >[!TIP] >Security baselines on Intune provide a convenient way to comprehensively secure and protect your machines. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 05869b764d..11f16e8b9f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md @@ -22,8 +22,6 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) With properly configured machines, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your machines: @@ -47,7 +45,7 @@ In doing so, you benefit from: Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines. -Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll). +Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll). >[!NOTE] >To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign). @@ -55,12 +53,21 @@ Before you can ensure your machines are configured properly, enroll them to Intu >[!TIP] >To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). -## Known issues and limitations in this preview -During preview, you might encounter a few known limitations: -- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune. -- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines. -- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard. +## Obtain required permissions +By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding machines and deploying the security baseline. +If you have been assigned other roles, ensure you have the necessary permissions: + +- Full permissions to device configurations +- Full permissions to security baselines +- Read permissions to device compliance policies +- Read permissions to the organization + +![Required permissions on intune](images/secconmgmt_intune_permissions.png)
+*Device configuration permissions on Intune* + +>[!TIP] +>To learn more about assigning permissions on Intune, [read about creating custom roles](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role). ## In this section Topic | Description diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index d12bc037b7..6f600470d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -1,6 +1,8 @@ --- title: Configure managed security service provider support -description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP + +description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP + keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -21,9 +23,11 @@ ms.date: 09/03/2018 # Configure managed security service provider integration **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) + [!include[Prerelease information](prerelease.md)] @@ -35,19 +39,23 @@ You'll need to take the following configuration steps to enable the managed secu > - MSSP customers: Organizations that engage the services of MSSPs. The integration will allow MSSPs to take the following actions: -- Get access to MSSP customer's Microsoft Defender Security Center portal + +- Get access to MSSP customer's Windows Defender Security Center portal - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools -Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal. +Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal. + Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP. In general, the following configuration steps need to be taken: -- **Grant the MSSP access to Microsoft Defender Security Center**
-This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant. + +- **Grant the MSSP access to Windows Defender Security Center**
+This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant. + - **Configure alert notifications sent to MSSPs**
This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer. @@ -61,31 +69,36 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. ## Grant the MSSP access to the portal ->[!NOTE] + +>[!NOTE] > These set of steps are directed towards the MSSP customer.
> Access to the portal can only be done by the MSSP customer. -As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center. +As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center. + Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality. You'll need to take the following 2 steps: - Add MSSP user to your tenant as a guest user -- Grant MSSP user access to Microsoft Defender Security Center + +- Grant MSSP user access to Windows Defender Security Center + ### Add MSSP user to your tenant as a guest user Add a user who is a member of the MSSP tenant to your tenant as a guest user. To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator). - -### Grant MSSP user access to Microsoft Defender Security Center -Grant the guest user access and permissions to your Microsoft Defender Security Center tenant. + +### Grant MSSP user access to Windows Defender Security Center +Grant the guest user access and permissions to your Windows Defender Security Center tenant. Granting access to guest user is done the same way as granting access to a user who is a member of your tenant. -If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md). +If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md). -If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md). +If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md). + >[!NOTE] >There is no difference between the Member user and Guest user roles from RBAC perspective. @@ -94,12 +107,14 @@ It is recommended that groups are created for MSSPs to make authorization access As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups. -## Access the Microsoft Defender Security Center MSSP customer portal + +## Access the Windows Defender Security Center MSSP customer portal ->[!NOTE] +>[!NOTE] >These set of steps are directed towards the MSSP. -By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. +By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. + MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal. @@ -123,7 +138,9 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met. -For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications). + +For more information, see [Create rules for alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md#create-rules-for-alert-notifications). + These check boxes must be checked: - **Include organization name** - The customer name will be added to email notifications @@ -141,46 +158,49 @@ To fetch alerts into your SIEM system you'll need to take the following steps: Step 1: Create a third-party application Step 2: Get access and refresh tokens from your customer's tenant - -Step 3: Whitelist your application on Microsoft Defender Security Center + +Step 3: Whitelist your application on Windows Defender Security Center + ### Step 1: Create an application in Azure Active Directory (Azure AD) -You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant. + +You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant. + 1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/). 2. Select **Azure Active Directory** > **App registrations**. -3. Click **New application registration**. + +3. Click **New registration**. + 4. Specify the following values: - Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name) - - Application type: Web app / API - - Sign-on URL: `https://SiemMsspConnector` + + - Supported account types: Account in this organizational directory only + - Redirect URI: Select Web and type `https:///SiemMsspConnector`(replace with the tenant name) -5. Click **Create**. The application is displayed in the list of applications you own. +5. Click **Register**. The application is displayed in the list of applications you own. -6. Select the application, then click **Settings** > **Properties**. +6. Select the application, then click **Overview**. -7. Copy the value from the **Application ID** field. +7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step. -8. Change the value in the **App ID URI** to: `https:///SiemMsspConnector` (replace \ with the tenant name. +8. Select **Certificate & secrets** in the new application panel. -9. Ensure that the **Multi-tenanted** field is set to **Yes**. +9. Click **New client secret**. -10. In the **Settings** panel, select **Reply URLs** and add the following URL: `https://localhost:44300/wdatpconnector`. - -11. Click **Save**. - -12. Select **Keys** and specify the following values: - Description: Enter a description for the key. - Expires: Select **In 1 year** -13. Click **Save**. Save the value is a safe place, you'll need this + +10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step. + ### Step 2: Get access and refresh tokens from your customer's tenant This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow. @@ -248,17 +268,20 @@ After providing your credentials, you'll need to grant consent to the applicatio `Set-ExecutionPolicy -ExecutionPolicy Bypass` 6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId ` - - - Replace \ with the Application ID you got from the previous step. - - Replace \ with the application key you created from the previous step. - - Replace \ with your customer's tenant ID. + + - Replace \ with the **Application (client) ID** you got from the previous step. + - Replace \ with the **Client Secret** you created from the previous step. + - Replace \ with your customer's **Tenant ID**. + 7. You'll be asked to provide your credentials and consent. Ignore the page redirect. 8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. -### Step 3: Whitelist your application on Microsoft Defender Security Center -You'll need to whitelist the application you created in Microsoft Defender Security Center. + +### Step 3: Whitelist your application on Windows Defender Security Center +You'll need to whitelist the application you created in Windows Defender Security Center. + You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you. @@ -272,17 +295,21 @@ You'll need to have **Manage portal system settings** permission to whitelist th 5. Click **Authorize application**. -You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md). + +You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md). + - In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value. - Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means). ## Fetch alerts from MSSP customer's tenant using APIs -For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md). + +For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md). ## Related topics -- [Use basic permissions to access the portal](basic-permissions.md) -- [Manage portal access using RBAC](rbac.md) -- [Pull alerts to your SIEM tools](configure-siem.md) -- [Pull alerts using REST API](pull-alerts-using-rest-api.md) +- [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) +- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) +- [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) +- [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 84bd3f8d8a..dba3eaf576 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -31,7 +31,10 @@ The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to r The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service. -The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: +>[!TIP] +>For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md). + +The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: - Auto-discovery methods: - Transparent proxy @@ -45,6 +48,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe - Registry based configuration - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) + + ## Configure the proxy server manually using a registry-based static proxy Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet. @@ -175,56 +180,6 @@ However, if the connectivity check results indicate a failure, an HTTP error is > The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. > When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy. -## Conduct investigations with Microsoft Defender ATP behind a proxy -Microsoft Defender ATP supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet. -The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. Microsoft Defender ATP supports advanced HTTP level sensor. -By enabling this sensor, Microsoft Defender ATP will expose a new type of events that surfaces the real target domain names.

- -**Investigation Impact**
-In machine's timeline the IP address will keep representing the proxy, while the real target address shows up. -![Image of network events on machine's timeline](images/atp-proxy-investigation.png)
- -Additional events triggered by the Network Protection layer are now available to surface the real domain names even behind a proxy.
-Event's information: -![Image of single network event](images/atp-proxy-investigation-event.png)
- -**Advanced Hunting**
-All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ‘ConnecionSuccess’ action type.
-Using this simple query will show you all the relevant events: - -``` -NetworkCommunicationEvents -| where ActionType == "ConnectionSuccess" -| take 10 -``` -![Image of advanced hunting query](images/atp-proxy-investigation-ah.png) - -You can also filter out the events that are related to connection to the proxy itself. Use the following query to filter out the connections to the proxy: -``` -NetworkCommunicationEvents -| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP" -| take 10 -``` - -**How to enable the advanced network connection sensor**
-Monitoring network connection behind forward proxy is possible due to additional Network Events that originate from Network Protection. To see them in machine’s timeline you need to turn Network Protection on at least in audit mode.
- -Network protection is a feature in Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Its behavior can be controlled by the following options: Block and Audit.
-If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
- -If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.
- -If you turn this policy off, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.
- -If you do not configure this policy, network blocking will be disabled by default.

- -> [!NOTE] -> In order to enable Monitoring network connection behind forward proxy and see the domains you will need to enable network protection at least in audit mode. - -Additional documentation: -- [Applying network protection with GP – policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) -- [Windows Defender Exploit Guard Documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) - ## Related topics - [Onboard Windows 10 machines](configure-endpoints.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 2547032022..b9c6aceba6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -139,13 +139,18 @@ Agent Resource | Ports ## Windows Server, version 1803 and Windows Server 2019 To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below. +>[!NOTE] +>The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.comsccm/apps/deploy-use/packages-and-programs). + Supported tools include: - Local script - Group Policy - System Center Configuration Manager 2012 / 2012 R2 1511 / 1602 - VDI onboarding scripts for non-persistent machines - For more information, see [Onboard Windows 10 machines](configure-endpoints.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. +For more information, see [Onboard Windows 10 machines](configure-endpoints.md). + +Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md). @@ -162,7 +167,7 @@ Supported tools include: c. Confirm that a recent event containing the passive mode event is found: - ![Image of passive mode verification result](images/atp-verify-passive-mode.png) + ![Image of passive mode verification result](images/atp-verify-passive-mode.png) 3. Run the following command to check if Windows Defender AV is installed: diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index c100b9ddf2..f4a2b266d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -61,7 +61,7 @@ machineId | String | Id of the machine on which the event was identified. **Requ severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**. title | String | Title for the alert. **Required**. description | String | Description of the alert. **Required**. -recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. +recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**. eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**. reportId | String | The reportId, as obtained from the advanced query. **Required**. category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'. diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index a5e5371afb..2ad4f2c528 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md @@ -49,7 +49,7 @@ The Microsoft Defender ATP service utilizes state of the art data protection tec There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). -In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum. +In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum. ## Do I have the flexibility to select where to store my data? @@ -80,7 +80,7 @@ No. Customer data is isolated from other customers and is not shared. However, i You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs. **At contract termination or expiration**
-Your data will be kept and will be available to you while the licence is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. +Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. ## Can Microsoft help us maintain regulatory compliance? diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index cbeed1d1ea..9b2eecd333 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md @@ -20,6 +20,8 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!include[Prerelease information](prerelease.md)] + Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can @@ -63,6 +65,9 @@ The machine will automatically be onboarded to your tenant with the recommended Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md). +>[!NOTE] +>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. + 1. In the navigation pane, select **Evaluation and tutorials > Evaluation lab**. @@ -72,7 +77,7 @@ Automated investigation settings will be dependent on tenant settings. It will b 3. Select **Add machine**. - >[!NOTE] + >[!WARNING] > The evaluation environment can only be provisioned up to three test machines. Each machine will only be available for three days from the day of activation. ![Image of add machine](images/evaluation-add-machine.png) @@ -89,6 +94,7 @@ Automated investigation settings will be dependent on tenant settings. It will b The environment will reflect your test machine status through the evaluation - including risk score, exposure score, and alerts created through the simulation. + ![Image of test machines](images/eval-lab-dashboard.png) ## Simulate attack scenarios @@ -98,6 +104,9 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself" You can also use [Advanced hunting](advanced-hunting.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats. +>[!NOTE] +>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. + 1. Connect to your machine and run an attack simulation by selecting **Connect**. ![Image of the connect button for test machines](images/test-machine-table.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-ah.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-ah.png index 890817a70b..62c89ddbc4 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-ah.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-ah.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-event.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-event.png index f30feb9983..94195f3a46 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-event.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-event.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png index be66344ea0..a540d9947a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png index f8147866f5..78c605fd6d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png index a6b401f564..4b1576ec23 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png index 8f88c5899e..0e1f7069f5 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png index 2955624a72..93111cb58b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png deleted file mode 100644 index c97ef90085..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_intune_permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_intune_permissions.png new file mode 100644 index 0000000000..c40ac907c4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_intune_permissions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png index 097725199f..1f46df00ee 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png index 7a14844ecd..257048acb1 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png index 1a2f78c4ea..858e304bb5 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md index 507fe16a4d..12be9cd0ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md @@ -23,6 +23,8 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!include[Prerelease information](prerelease.md)] + Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin. >[!TIP] diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md new file mode 100644 index 0000000000..18d267c4cd --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md @@ -0,0 +1,89 @@ +--- +title: Investigate connection events that occur behind forward proxies +description: Investigate connection events that occur behind forward proxies +keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Investigate connection events that occur behind forward proxies + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) + +Microsoft Defender ATP supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet. + +The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. + +Microsoft Defender ATP supports advanced HTTP level monitoring through network protection. When turned on, a new type of event is surfaced which exposes the real target domain names. + +## Use network protection to monitor network connection behind a firewall +Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a machine timeline, turn network protection on (at the minimum in audit mode). + +Network protection can be controlled using the following modes: + +- **Block**
Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. +- **Audit**
Users or apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center. + + +If you turn network protection off, users or apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center. + +If you do not configure it, network blocking will be turned off by default. + +For more information, see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection). + +## Investigation impact +When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up. + +![Image of network events on machine's timeline](images/atp-proxy-investigation.png) + +Additional events triggered by the network protection layer are now available to surface the real domain names even behind a proxy. + +Event's information: + +![Image of single network event](images/atp-proxy-investigation-event.png) + + + +## Hunt for connection events using advanced hunting +All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the `ConnecionSuccess` action type. + +Using this simple query will show you all the relevant events: + +``` +NetworkCommunicationEvents +| where ActionType == "ConnectionSuccess" +| take 10 +``` + +![Image of advanced hunting query](images/atp-proxy-investigation-ah.png) + +You can also filter out events that are related to connection to the proxy itself. + +Use the following query to filter out the connections to the proxy: + +``` +NetworkCommunicationEvents +| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP" +| take 10 +``` + + + +## Related topics +- [Applying network protection with GP - policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) +- [Protect your network](https://docs.microsoft.comwindows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index f28db7412f..05c4e3ae79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md @@ -33,8 +33,8 @@ Topic | Description [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. [Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization. [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts. -Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Microsoft Defender ATP. -Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. +[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP. +[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. [Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md index 67f7f8a2ee..321211dc7a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md @@ -46,7 +46,7 @@ The Microsoft secure score tile is reflective of the sum of all the Microsoft De Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). -The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess). +The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess). In the example image, the total points for the Windows security controls and Office 365 add up to 602 points. diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 354e205f5a..a18bcddf2c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -44,6 +44,7 @@ The following features are included in the preview release: - [Evaluation lab](evaluation-lab.md)
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. + - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
You can now onboard Windows Server 2008 R2 SP1. - [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac)
Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices. diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 40d68b1cc3..727eb7097a 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -20,7 +20,7 @@ ms.date: 07/13/2017 # Increase scheduling priority **Applies to** -- Windows 10 +- Windows 10 Describes the best practices, location, values, policy management, and security considerations for the **Increase scheduling priority** security policy setting. @@ -45,7 +45,7 @@ Constant: SeIncreaseBasePriorityPrivilege ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. @@ -81,7 +81,12 @@ Verify that only Administrators and Window Manager/Window Manager Group have the None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager/Window Manager Group is the default configuration. +> [!Warning] +> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. +> +> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. + ## Related topics - [User Rights Assignment](user-rights-assignment.md) -- [Increase scheduling priority for Windows Server 2012 and earlier](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11)) +- [Increase scheduling priority for Windows Server 2012 and earlier](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11)) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 6d9853ffb9..805f9c697f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Apply Windows Defender Antivirus updates after certain events -description: Manage how Windows Defender Antivirus applies protection updates after startup or receiving cloud-delivered detection reports. +description: Manage how Windows Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports. keywords: updates, protection, force updates, events, startup, check for latest, notifications search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -32,7 +32,7 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) -2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**. +2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**. 3. Click **OK**. @@ -99,9 +99,9 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**. -5. Double-click **Initiate definition update on startup** and set the option to **Enabled**. +5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**. 6. Click **OK**. @@ -143,7 +143,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi 3. Click **Policies** then **Administrative templates**. 4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following: - 1. Double-click **Allow real-time definition updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. + 1. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. 2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. > [!NOTE] diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index 4ef46be432..ca75fa1e6f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md @@ -36,10 +36,10 @@ If Windows Defender Antivirus did not download protection updates for a specifie 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) -2. Go to the **Definition updates** section and configure the following settings: +2. Go to the **Security intelligence updates** section and configure the following settings: - 1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**. - 2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order). + 1. Set **Force a security intelligence update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**. + 2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order). 3. Click **OK**. @@ -55,7 +55,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie 4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. -5. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update. +5. Double-click the **Define the number of days after which a catch-up security intelligence update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update. 6. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index 48167c31af..146b92de6f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md @@ -37,13 +37,13 @@ You can also randomize the times when each endpoint checks and downloads protect 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) -2. Go to the **Definition updates** section. +2. Go to the **Security intelligence updates** section. 3. To check and download updates at a certain time: - 1. Set **Check for Endpoint Protection definitions at a specific interval...** to **0**. - 2. Set **Check for Endpoint Protection definitions daily at...** to the time when updates should be checked. + 1. Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to **0**. + 2. Set **Check for Endpoint Protection security intelligence updates daily at...** to the time when updates should be checked. 3 -4. To check and download updates on a continual interval, Set **Check for Endpoint Protection definitions at a specific interval...** to the number of hours that should occur between updates. +4. To check and download updates on a continual interval, Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to the number of hours that should occur between updates. 5. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). @@ -60,9 +60,9 @@ You can also randomize the times when each endpoint checks and downloads protect 5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: - 1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. - 2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. - 3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. + 1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. + 2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index a76cb6ae4a..ee825e3d08 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -93,7 +93,7 @@ The procedures in this article first describe how to set the order, and then how 4. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings: - 1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**. + 1. Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**. 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot. @@ -101,7 +101,7 @@ The procedures in this article first describe how to set the order, and then how 3. Click **OK**. This will set the order of protection update sources. - 4. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**. + 4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**. 5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md index 342cc01fe5..179c55aac4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md @@ -56,7 +56,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following 5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. -6. Double-click the **Allow definition updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**. +6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**. **Use a VBScript to opt-in to Microsoft Update** @@ -75,7 +75,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source. -**Use Group Policy to prevent definition updates on battery power:** +**Use Group Policy to prevent security intelligence updates on battery power:** 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -85,7 +85,7 @@ You can configure Windows Defender Antivirus to only download protection updates 5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following setting: - 1. Double-click the **Allow definition updates when running on battery power** setting and set the option to **Disabled**. + 1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**. 2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 8d774b3037..a39cf22ad8 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -94,7 +94,7 @@ Important tasks, such as controlling product settings and triggering on-demand s |Protection |Do a quick scan |`mdatp --scan --quick` | |Protection |Do a full scan |`mdatp --scan --full` | |Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` | -|Protection |Request a definition update |`mdatp --definition-update` | +|Protection |Request a security intelligence update |`mdatp --definition-update` | ## Microsoft Defender ATP portal information diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index 52e8586de1..a371aaca96 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -1487,7 +1487,7 @@ Symbolic name: Message: @@ -1498,12 +1498,12 @@ Description:
MessageDate
Status update: Windows 10, version 1903 “D” release
The optional monthly “D” release for Windows 10, version 1903 will be available in the near term. Follow @WindowsUpdate for the latest on the availability of this release.
July 24, 2019
12:00 AM PT
Advisory: Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125)
On July 9, 2019, Microsoft released a security update for a Windows kernel information disclosure vulnerability (CVE-2019-1125). Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically; no further configuration is necessary. For more information, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide. (Note: we are documenting this mitigation publicly today, instead of back in July, as part of a coordinated industry disclosure effort.)
August 06, 2019
10:00 AM PT
Resolved August 1, 2019 16:00 PT: Microsoft Store users may encounter blank screens when clicking on certain buttons
Some customers running the version of the Microsoft Store app released on July 29, 2019 encountered a blank screen when selecting “Switch out of S mode,” “Get Genuine,” or some “Upgrade to [version]” OS upgrade options. This issue has now been resolved and a new version of the Microsoft Store app has been released. Users who encountered this issue will need to update the Microsoft Store app on their device. If you are still encountering an issue, please see Fix problems with apps from Microsoft Store.
August 01, 2019
02:00 PM PT
Status update: Windows 10, version 1903 “D” release now available
The optional monthly “D” release for Windows 10, version 1903 is now available. Follow @WindowsUpdate for the latest on the availability of this release.
July 26, 2019
02:00 PM PT
Plan for change: Microsoft Silverlight will reach end of support on October 12, 2021
After this date, Silverlight will not receive any future quality or security updates. Microsoft will continue to ship updates to the Silverlight 5 Developer Runtime for supported browsers and versions (Internet Explorer 10 and Internet Explorer 11); however, please note that support for Internet Explorer 10 will end on 31 January 2020. See the Silverlight end of support FAQ for more details.
July 19, 2019
12:00 AM PT
Evolving Windows 10 servicing and quality
Find out how we plan to further optimize the delivery of the next Windows 10 feature update for devices running Windows 10, version 1903. If you're a commercial customer, please see the Windows IT Pro Blog for more details on how to plan for this new update option in your environment.
July 01, 2019
02:00 PM PT
Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier
We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements.
June 18, 2019
02:00 PM PT
Windows 10, version 1903 available by selecting “Check for updates”
Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.
June 06, 2019
06:00 PM PT
Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier
We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements.
June 18, 2019
02:00 PM PT
Windows 10, version 1903 available by selecting “Check for updates”
Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.
June 06, 2019
06:00 PM PT
Windows 10, version 1903 rollout begins
The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback.		May 21, 2019
10:00 AM PT
What’s new in Windows Update for Business
We are enhancing and expanding the capabilities of Windows Update for Business to make the move to the cloud even easier. From simplified branch readiness options to better control over deadlines and reboots, read about the enhancements to Windows Update for Business as a part of Windows 10, version 1903. 		May 21, 2019
10:00 AM PT
What’s new for businesses and IT pros in Windows 10
Explore the newest capabilities for businesses and IT in the latest feature update in the areas of intelligent security, simplified updates, flexible management, and enhanced productivity. 		May 21, 2019
10:00 AM PT
-The antimalware definition update failed. +The security intelligence update failed.
Windows Defender Antivirus has encountered an error trying to update signatures.
-
New Signature Version: <New version number>
-
Previous Signature Version: <Previous signature version>
+
New security intelligence version: <New version number>
+
Previous security intelligence version: <Previous version>
Update Source: <Update source>, for example:
    -
  • Signature update folder
    • -
  • Internal definition update server
    • +
  • Security intelligence update folder
    • +
  • Internal security intelligence update server
  • Microsoft Update Server
  • File share
  • Microsoft Malware Protection Center (MMPC)
    • diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index 10f61826d3..b7114cd1fd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md @@ -124,20 +124,20 @@ Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) -Security intelligence updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -Security intelligence updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) +Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) +Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) Security intelligence updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -Security intelligence updates | Allow real-time definition updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) +Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -Security intelligence updates | Define file shares for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) -Security intelligence updates | Define the number of days after which a catch up definition update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) +Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md) +Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) Security intelligence updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) Security intelligence updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) -Security intelligence updates | Define the order of sources for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) -Security intelligence updates | Initiate definition update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -Security intelligence updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) -Security intelligence updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) -Security intelligence updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) +Security intelligence updates | Define the order of sources for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md) +Security intelligence updates | Initiate security intelligence update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) +Security intelligence updates | Specify the day of the week to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) +Security intelligence updates | Specify the interval to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) +Security intelligence updates | Specify the time to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) Security intelligence updates | Turn on scan after Security intelligence update | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index 35d9a97b4f..6333dad0ae 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -85,7 +85,7 @@ This section describes how to perform some of the most common tasks when reviewi 4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan. -**Review the definition update version and download the latest updates in the Windows Security app** +**Review the security intelligence update version and download the latest updates in the Windows Security app** 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). diff --git a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md b/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md index 105f6a46bb..babbce2e0b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md @@ -52,10 +52,10 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD - Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe) - One or the other, not both at the same time - Does not support wildcard in the middle (ex. C:\\*\foo.exe) - - Examples: - - %WINDIR%\\... - - %SYSTEM32%\\... - - %OSDRIVE%\\... +- Supported Macros: + - %WINDIR%\\... + - %SYSTEM32%\\... + - %OSDRIVE%\\... - Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 1ecc5091b9..6f92fd0056 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium author: dansimp +audience: ITPro ms.date: 04/09/2019 ms.reviewer: manager: dansimp @@ -149,6 +150,11 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + + + + + @@ -885,6 +891,10 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + + + + @@ -1499,6 +1509,5 @@ Pick the correct version of each .dll for the Windows release you plan to suppor 0 - - ``` +```
    diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index fb335353dc..c129bb0353 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -29,11 +29,13 @@ These settings, located at **Computer Configuration\Administrative Templates\Net >You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. -| Policy name | Supported versions | Description | -|-------------------------------------------------|--------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. | -| Enterprise resource domains hosted in the cloud | At least Windows Server 2012, Windows 8, or Windows RT | A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. | -| Domains categorized as both work and personal | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. | + +|Policy name|Supported versions|Description| +|-----------|------------------|-----------| +|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| +|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specify a complete domain, include a full domain name (for example "**contoso.com**") in the configuration. 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (when there is more than one subdomain). Configuring "**.constoso.com**" will automatically trust "**subdomain1.contoso.com**", "**subdomain2.contoso.com**", etc. 3) To trust a subdomain, precede your domain with two dots, for example "**..contoso.com**". | +|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.| + ## Application-specific settings These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard. diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 3f889598d3..dc6820bd94 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -19,29 +19,12 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## Review system requirements - + +See [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) to review the hardware and software installation requirements for Windows Defender Application Guard. >[!NOTE] >Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. -### Hardware requirements -Your environment needs the following hardware to run Windows Defender Application Guard. -|Hardware|Description| -|--------|-----------| -|64-bit CPU|A 64-bit computer with minimum 4 cores is required for the hypervisor. For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/tlfs).| -|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

    **-AND-**

    One of the following virtualization extensions for VBS:

    VT-x (Intel)

    **-OR-**

    AMD-V| -|Hardware memory|Microsoft requires a minimum of 8GB RAM| -|Hard disk|5 GB free space, solid state disk (SSD) recommended| -|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended| - -### Software requirements -Your environment needs the following software to run Windows Defender Application Guard. - -|Software|Description| -|--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
    Windows 10 Professional edition, version 1803| -|Browser|Microsoft Edge and Internet Explorer| -|Management system
    (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

    **-OR-**

    [System Center Configuration Manager](https://docs.microsoft.com/sccm/)

    **-OR-**

    [Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

    **-OR-**

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| ## Prepare for Windows Defender Application Guard diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 3029df4d23..7aa48ea40e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -11,8 +11,9 @@ ms.pagetype: security ms.localizationpriority: medium author: levinec ms.author: ellevin -ms.date: 11/29/2018 -ms.reviewer: +audience: ITPro +ms.date: 08/05/2019 +ms.reviewer: v-maave manager: dansimp --- @@ -22,14 +23,17 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. +Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of trusted software. If an app isn't on the list, Controlled folder access will block it from making changes to files inside protected folders. -This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. +Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list. -A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +Apps can also be manually added to the trusted list via SCCM and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console. + +Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. + +With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. @@ -43,13 +47,13 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time ## Review controlled folder access events in the Microsoft Defender ATP Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. -Here is an example query +Here is an example query -``` +```PowerShell MiscEvents | where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked') ``` @@ -60,15 +64,15 @@ You can review the Windows event log to see events that are created when control 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. -2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. +1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. -3. On the left panel, under **Actions**, click **Import custom view...**. - -4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). +1. On the left panel, under **Actions**, click **Import custom view...**. -4. Click **OK**. +1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). -5. This will create a custom view that filters to only show the following events related to controlled folder access: +1. Click **OK**. + +1. This will create a custom view that filters to only show the following events related to controlled folder access: Event ID | Description -|- @@ -76,10 +80,9 @@ Event ID | Description 1124 | Audited controlled folder access event 1123 | Blocked controlled folder access event +## In this section - ## In this section - -Topic | Description +Topic | Description ---|--- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 29ed15335f..7ed8ec4621 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -53,6 +53,8 @@ For more information about disabling local list merging, see [Prevent or allow u >If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. >If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. +>If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive. + ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 59240aa5f7..dc62facca9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,8 +11,8 @@ ms.pagetype: security ms.localizationpriority: medium author: levinec ms.author: ellevin -ms.date: 05/13/2019 ms.reviewer: +audience: ITPro manager: dansimp --- @@ -36,13 +36,15 @@ You can enable network protection by using any of these methods: ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -1. Click **Device configuration** > **Profiles** > **Create profile**. -1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. +2. Click **Device configuration** > **Profiles** > **Create profile**. +3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) -1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. +4. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. + ![Enable network protection in Intune](images/enable-np-intune.png) -1. Click **OK** to save each open blade and click **Create**. -1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. + +5. Click **OK** to save each open blade and click **Create**. +6. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 0f4d7ee1dc..07172573b3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -183,7 +183,7 @@ Windows 10 and Windows Server 2016 have a WMI class for related properties and f > The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10. > [!NOTE] -> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1709. +> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803. The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 61220879a8..4d7e28279c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -88,7 +88,7 @@ Where: For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: ```PowerShell -Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode +Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode ``` You can disable audit mode by replacing `-Enable` with `-Disable`.