Thursday, October 1, 2020

Microsoft Security Report 2020 is out!

Recently MS news released the new Microsoft Security Report for 2020. The original press release text was in German only, but the report is in English.

The report shows the current threat landscape. This year, threats related to Corona were very broadly used, as were nation-state attacks and human-driven threats. Supply chain and IoT were also at risk.

Get the full report here:

Thursday, September 24, 2020

Microsoft Defender XDR

Oops, they did it again. Another name change. But it fully makes sense! Microsoft Defender Advanced Threat Protection is becoming Microsoft Defender Endpoint Protection and much more! The whole thing is now Microsoft Defender XDR (eXtended Detection & Response).

Check out this Microsoft Garage video!

The Microsoft 365 Defender line will include:

  • Microsoft 365 Defender (previously Microsoft Threat Protection)
  • Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection)
  • Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection)
  • Microsoft Defender for Identity (previously Azure Advanced Threat Protection)

Similarly, the Azure Defender line will include:

  • Azure Defender for Servers (previously Azure Security Center Standard Edition)
  • Azure Defender for IoT (previously Azure Security Center for IoT)
  • Azure Defender for SQL (previously Advanced Threat Protection for SQL)

Differences on Windows Versions Pro/Business/E3/E5

Recently a customer asked me about the specific differences between Windows Defender and Microsoft Defender Advanced Threat Protection (aka MD ATP or its new name "Microsoft Defender for Endpoints").

There is a great "Windows 10 commercial edition comparison" chart available which I want to share with you. Each feature is clickable and tells you more about what MS means by it!

Actually, the biggest differentiator is the security area. Standard security is pretty good so far, even with Windows Defender (standalone). But the extra cost for E5 brings you cloud-powered mega security that uses the Microsoft Security Graph. So the extra bucks pay for running and operating the cloud facilities for you (hardware, power, cooling, people (3500 security researchers working for you day and night)).

To see the full 8-page version, check out here:

Thanks to Simon for pointing me to this valuable resource!

Thursday, August 6, 2020

How to change the number of days to revert to previous Windows Installation

Recently I got the question of how to change the number of days for reverting Windows 10 to the previous Windows 10 version, just in case e.g. your hardware or software runs into trouble. The default value is 10 days, but this might be too short for strange issues coming up later.

On the web there are several ways to do it (like renaming the .old folder etc.).

But the officially supported way is this one (probably set during a task sequence).

It is actually a DISM command.

Run this command against an online image to set the number of days after an upgrade that an uninstall can be initiated.
DISM /Online /Set-OSUninstallWindow /Value:<days>

The default is 10 days. It can be set between 2 and 60 days.

Tuesday, July 14, 2020

How to become a crack in Microsoft Defender ATP

Heike Ritter (Sr. PM of MD ATP) just shared a very interesting guide to becoming a professional threat hunter with Microsoft Defender ATP. And I think every professional in security operations should know this.

It's really worth taking a deeper look!

You are shown step by step how to become an advanced threat hunter.

Monday, July 13, 2020

Autopilot Diagnostics

Just today the "Father" of Windows Autopilot (Michael Niehaus) wrote a great article about Windows Autopilot diagnostics. I refer to this article here for you and me for later use.

He talks about "GET-AutopilotESPStatus" and its evolution into the PowerShell cmdlet "Get-AutopilotDiagnostics", which it is now. He also covers the different steps and much more to dig deeper into Autopilot diagnostics.

Feel free to have a deeper look into the Windows Autopilot diagnostics here:

And you get the original script here:

Monday, June 22, 2020

Win10 - Patchday 06/2020 Printing Issues

Normally I do not comment on temporary issues, especially as MS mostly fixes them within the next update period. Unfortunately, for this issue it does not seem that MS is deploying the fix via Windows Update even in the near future. Therefore, here is a short notice.

When your system gets patched with the 06/2020 cumulative update you may see issues with your printers. It does not matter whether it is a USB printer or a printer connected otherwise. The root cause is in the printer spooler itself.

For more official information please refer to this KB article.

MS is providing manual hotfixes for this issue. They are currently not deployed via Windows Update. If you encounter such a problem, please check out these updates, depending on your Win10 version:

Thursday, June 18, 2020

Windows Virtual Desktop - FSLogix container size limitations

Recently a customer asked me about the Windows Virtual Desktop (WVD) FSLogix file storage limitations. After some research and talks with the Product Group, it turns out that there are not really limitations in FSLogix itself. The limitations are defined by the underlying technologies.

First of all, FSLogix mainly uses the standard container formats .VHD/.VHDX, and these disks are stored on underlying file storage technologies. In the WVD world this is in general Azure Files.

In terms of different disk types in general you can use all of them:

These are the size limitations of the container formats:

 Type                                               Size Limit Factor                          Maximum Size Limit
 VHD, Fixed Size                                    Underlying filesystem, in general NTFS     16 TB (4 KB default cluster size); 256 TB (64 KB cluster size)
 VHD, Dynamic Size                                  VHD specification (Word document)          2040 GB (theoretically); 127 GB (practically, e.g. ATA hard drive disk protocol limit)
 VHDX, Fixed Size                                   Underlying filesystem (Azure Files)        64 TB (by VHDX definition); 1 TB practically due to the underlying file system (e.g. Azure Files, which is used in WVD)
 VHDX, Dynamic Size (used by default from WVD)      Underlying filesystem (Azure Files)        64 TB (by VHDX definition); 1 TB practically due to the underlying file system (e.g. Azure Files, which is used in WVD)

Underlying storage technology for FSLogix in Windows Virtual Desktop:

The FSLogix default for container disks is VHDX with Dynamic Size, used on Azure Files. The maximum file size is up to 1 TB (as the file is set to dynamic, it will start much smaller, with the default profile size of your user profile, and grow up to the specified limit. In this case the recommendation is to create dynamic VHDX files not greater than 1 TB).

When it comes to Azure Files there are more limits depending on the storage type you are using. A comprehensive list can be found here:

Performance requirements per user:

This adds another implication that you have to consider from the user side.
These are the performance and throughput requirements per user in FSLogix (thanks for the input from the PG).

The limitations (quotas) are usually not in FSLogix but in the underlying storage fabric that is used to store the FSLogix containers. Here are tables that show what FSLogix needs per user. If we want to handle 100 users we need 1000 IOPS for steady use, 5000 IOPS for a logon storm, etc.

 Steady IOPS used per user                            10
 Boot / Login IOPS used per user                      50

 Steady throughput per user (MB per second)           1.5
 Boot / Login throughput per user (MB per second)     7.5


Technically you can set up quotas for the user profiles in Windows directly. Because of the filter driver that is used, the user profile directory behaves like a native folder where a quota can be applied. So if the admin sets a quota for the user profile, you get notified as usual. There is no dedicated quota management in FSLogix necessary or available. (Thanks to Stefan for the clarification!)

Thursday, May 28, 2020

Windows 10 - 2004 what's new

Windows 10 - Version 2004
Build 10.0.19041.264

Comprehensive but not full list of all updates known and available:

  • Cortana has been redesigned with a conversation-based UI and support for light mode
  • The Cortana window can now be moved across the desktop
  • Windows no longer indexes developer folders like .git, .svn, .Nuget, .hg and more
  • Search can now better identify high usage and only index when enough resources are available.
Taskbar + Action center
  • Searching in Timeline when you didn't opt-in no longer requires you to tab past the opt-in text before you get to the search results
  • Action center will now show a direct link to Notification settings
  • You can now rename virtual desktops
File Explorer
  • Search is now powered by Microsoft Search
  • The Search bar in the File Explorer is now slightly longer by default
  • The context menu for .HEIC-files will now include options to Print or Set as Desktop Background
  • The App Volume and Device Preferences page has been redesigned
  • Storage Sense's group policies have been updated with better explanations for their functionality
  • You can now disable sounds for all notifications at once
  • You can now sort notifications senders
  • Under Notifications & actions, a setting has been added to disable the post-upgrade setup page
  • You can now manage the mouse cursor speed
  • When pairing with Swift Pair, the entire flow now happens within the notification with no need to open Settings
  • One less notification has to be shown for the full pairing experience over Bluetooth
  • You can now dismiss Swift Pair from the notification with the Dismiss-button
  • The device name and category are now shown in a Swift Pair notification
Network & Internet
  • The network Status page has been redesigned, showing the network usage for all active connections and integrating Data Usage
  • You can now select multiple features to be installed on your device
  • Features can now be searched through as well as sorted by Name, Size or Install date
  • Features will now show when they were installed and any other dependencies they have
  • Latest actions has been added to Optional features and shows which installs, uninstalls and cancels you've performed
  • "Make your device passwordless" has been added as a new option under Sign-in options
  • Your account picture will now sync faster through any Microsoft services
  • Ease of Access settings can no longer be set to sync between devices
  • The option "Automatically save my restartable apps when I sign out and restart them after I sign in." has been added on the Sign-in options page
Time & language
  • Language will now show an overview of various aspects of the system and to which language they are set, including Windows display, Apps & websites, Regional format, Keyboard and Speech, providing quick access to the various settings
  • The link to add a local experience pack has been removed
  • Opening a language's options will now show an updated language features overview
    • Required features are now listed below other features without a disabled checkmark
    • Features and settings that depend on other features and settings are now shown as a subitem of their parents
    • The various language feature will now show an icon on the right that will give the user a tooltip
Ease of Access
  • There is now a tooltip when hovering over the various color options for your cursor
Update & Security
  • You can now limit the bandwidth usage by Delivery Optimization for both foreground and background
  • "Cloud download" has been added as a new recovery option
  • Windows Update will now list optional updates under "View optional updates"
  • All driver updates are now listed under "View optional updates", removing the need to check for drivers in the Device Manager
  • Improvements to the launch time when the Settings header is visible
Ink Workspace
  • The Ink Workspace flyout has been replaced with a small flyout menu
  • Sticky Notes are no longer accessible from the Ink Workspace
  • Sketchboard has been replaced with the Microsoft Whiteboard app

  • Magnifier with larger pointers will now pan smoothly as the pointer changes shape
  • "Change how capitalized text is read" has been removed from Narrator
  • Narrator now announces the toggle state of checkboxes in a Listview
  • Scan mode will now turn off to allow typing in the edit field of a spinner control
  • Narrator now has improved support for "invalid" and "required" properties on more controls
  • Narrator Braille can now reliably activate links by routing key
  • Narrator reliability has been improved from Chrome
  • Narrator now reads tables more efficiently by only reading the deltas when navigating.
  • Narrator + S now gives a webpage summary.
  • You can now keep the text cursor in the center of the screen when typing with Magnifier
  • Narrator can now say the title and url of a link
  • Narrator will now read the header first, followed by the cell data, followed by the row/column - position of a cell
  • When headers in data tables change, Narrator will now read them
  • Eye Control now supports drag-and-drop
  • Pausing Eye Control will now completely hide the launchpad
  • Buttons can now be clicked with switches on joysticks or device that emulate joysticks
  • Eye Control has been updated to provide more settings
  • Narrator now automatically starts reading web pages and emails
  • The Magnifier UI has been revamped with an updated icon and moves the magnification in between the zoom buttons; it is no longer possible to change the view from the Magnifier window
  • Narrator will now turn on Scan Mode when reading Outlook or Windows Mail mails automatically
  • Each email will now be read with the status mentioned first in the list view
  • The text cursor can now be changed to any given color
  • Narrator will now start reading webpages from the top rather than from the main landmark on it
  • Narrator now supports the aria-haspopup property
  • You can now turn off Narrator input learning by hitting Narrator + 1
  • Improved Magnifier performance when moving the mouse around the screen
  • Magnifier reading now supports reading in more locations
  • Narrator's volume for link and scroll sounds has been bumped up
  • In Outlook, the "importance"-header is now always spoken by Narrator before the importance level
  • Magnifier can no longer be set to an UI that is visible in the viewport as a magnifying glass
Language and input
  • The on-screen keyboard now uses SwiftKey's Typing Intelligence on 39 new languages: Afrikaans (South Africa), Albanian (Albania), Arabic (Saudi Arabia), Armenian (Armenia), Azerbaijani (Azerbaijan), Basque (Spain), Bulgarian (Bulgaria), Catalan (Spain), Croatian (Croatia), Czech (Czech Republic), Danish (Denmark), Dutch (Netherlands), Estonian (Estonia), Finnish (Finland), Galician (Spain), Georgian (Georgia), Greek (Greece), Hausa (Nigeria), Hebrew (Israel), Hindi (India), Hungarian (Hungary), Indonesian (Indonesia), Kazakh (Kazakhstan), Latvian (Latvia), Lithuanian (Lithuania), Macedonian (Macedonia), Malay (Malaysia), Norwegian (Bokmal, Norway), Persian (Iran), Polish (Poland), Romanian (Romania), Serbian (Serbia), Serbian (Serbia), Slovak (Slovakia), Slovenian (Slovenia), Swedish (Sweden), Turkish (Turkey), Ukrainian (Ukraine), Uzbek (Uzbek)
  • Dictation support for English (Canada), English (UK), English (Australia), English (India), French (France), French (Canada), German (Germany), Italian (Italy), Spanish (Spain), Spanish (Mexico), Portuguese (Brazil), and Chinese (Simplified, China) has been added
  • A number of kaomoji have been added to the emoji picker.
Input Method Editor
  • The development version of the Japanese IME from build 18277 has been restored
  • Improved security and reliability in the revamped Chinese Simplified and Chinese Traditional IMEs, as well as a cleaner settings interface
  • The Chinese Pinyin IME now refers to "Default mode" instead of "Input mode"
  • A tip has been added to the Bopomofo IME settings that Ctrl + Space will toggle the conversation mode
  • The Japanese IME now has a default assigned value of "None" for Ctrl + Space
  • Key assignment settings are now more discoverable in the Japanese IME
  • Improved performance for the Bopomofo, ChangJie, and Quick IMEs
  • You can now disable the Shift + Space keyboard shortcut in the Bopomofo IME as well as changing the candidate font size
  • You can now hide the IME toolbar from the toolbar menu

  • Connect is now an optional feature downloadable in Settings
  • Notepad can now restore unsaved content when Windows restarts for updates
Task Manager
  • The disk type will now be shown in Task Manager
  • Right clicking a process will now show "Provide Feedback" after "End task" and "End process tree" instead of between
  • The GPU temperature is now shown under Performance > GPU
Windows Sandbox
  • Support for capturing hotkeys in full screen has been added
  • A configuration file can now be set for Windows Sandboxes
  • Error dialogs will now show an error code and a link to Feedback Hub
  • You can now use a microphone in Windows Sandbox
  • The audio input device can now be set in the Sandbox config file
  • Shift + Alt + PrtScn now opens the ease of access dialog for high contrast mode
  • Ctrl + Alt + Break now toggles fullscreen mode
  • Windows Sandbox no longer requires the use of Admin privileges
Windows Subsystem for Linux
  • The file system of a Linux distro can now be accessed from File Explorer
  • Windows Subsystem for Linux version 2 has been added to Windows, including a full Linux kernel
  • Connections can now be made using localhost
  • Improved performance for directory listings in \\wsl$
Other features
  • Tamper Protection will be set on by default again
  • You can now sign in with your Windows Hello PIN when in Safe Mode
And further
  • The "Windows Light" theme is now called "Windows (light)"
  • All Emoji 12.0 emojis now have keywords in the emoji picker
  • The OOBE will now show a lock icon with networks that are private
  • Windows Defender ATP is being renamed to Microsoft Defender
  • Windows will now periodically remind you to make backups if you do not have a backup solution installed
  • Your preferred defragmentation settings are now preserved after upgrading Windows
  • Support for Microsoft Bluetooth Mouse and Keyboard has been added to Swift Pair
  • Update the Windows version name to version 2004
Thanks to the Team of ChangeWindows!

Configuration and Deployment
As this is the stuff IT pros focus on, here are more explanations:

Delivery Optimization enhancements

  • Get-DeliveryOptimizationStatus -PeerInfo. Offers a real-time view behind-the-scenes of peer-to-peer activity (e.g. the peer IP Address, bytes received/sent).
  • Get-DeliveryOptimizationLogAnalysis. Get a summary of the activity in your Delivery Optimization log (e.g. the total number of downloads, downloads from peers, and overall peer efficiency). Use the -ListConnections flag for an in-depth look at peer-to-peer connections.
  • Enable-DeliveryOptimizationVerboseLogs. Offers a greater level of detail to assist in troubleshooting.
  • Enterprise network throttling. We've made enhancements to foreground vs. background throttling.
  • Automatic cloud-based congestion detection. Leverage the power of the Delivery Optimization cloud service to help identify download storms on your network. In short, the existing policy to delay background downloads from HTTP will indicate that the cloud service is allowed to dynamically back off downloading updates from the cloud for some devices while continuing to leverage local peer sources. Similarly, the same feature can help improve overall peer utilization by dynamically choosing which devices can download updates first. This feature is particularly useful to those of you who are deploying via rings and would like to avoid selecting individual devices in ring 0 (which can be cumbersome if you have thousands of sites). (Note: This client feature requires a cloud service support, which will be available in the near future, for full functionality.)

Servicing and deployment enhancements

  • Reduced offline time during feature updates. Beginning with Windows 10, version 1703, we've steadily reduced end user downtime during a feature update. With Windows 10, version 2004, offline time continues to decrease, from a median time of over 80 minutes in version 1703, to 16 minutes in version 2004, including only a single reboot for many users.
  • Improved controls for reserved storage. With the release of Windows 10, version 1903, we introduced reserved storage for newly manufactured PCs and clean Windows 10 installs. With Windows 10, version 2004, we've added a new set of Deployment Image Servicing and Management (DISM) commands and APIs so you can enable and disable reserved storage on demand, including reserved storage for Windows 10 devices that were not shipped with Windows 10, version 1903 and higher. For the full set of reserved storage command line options, see DISM Reserved Storage Command-line Options.
  • Improved controls and diagnostics for Windows Setup. For those using Windows Setup, Windows 10, version 2004 offers more control when upgrading to the latest update. For example:
  • Recover Windows 10 from the cloud. With this release we've added the option to recover Windows 10 by downloading the necessary files from the cloud, resulting in increased reliability and, depending on your internet speed, a faster recovery. For more details about the cloud-reset process, see Reset this PC option: Cloud download.
  • Windows Autopilot. Procure devices and have them delivered directly to the end user and provisioned from the cloud. Windows Autopilot has been available since Windows 10, version 1703 (with the 7D update) and with each new version of Windows 10 we add new, requested features. Today we're adding the ability to:
    • Configure user-driven Hybrid Azure AD Join with VPN support. This support has been backported to Windows 10, versions 1909 and 1903.
    • Configure language settings in the Windows Autopilot profile so that the out-of-box experience (OOBE) will skip the language, locale, and keyboard pages when the device is connected to ethernet.

Windows Update for Business

  • Microsoft Intune console updates. The target version is now available in Intune, allowing you to specify to which Windows 10 OS version you want devices to move. This capability also enables you to keep devices on their current version until they reach end of service. Available now in the Intune console, you can also configure this as a Group Policy or Configuration Service Provider (CSP) policy.
  • Validation improvements. To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. But we know this can interfere with validations. To better enable IT administrators to validate on the latest release, we have created a new policy to enable admins to opt devices out of the built-in safeguard holds.
  • Deferral policies. See FAQ below for a description of how deferral policies work in Windows Update for Business.
  • Documentation updates. We have improved our Windows Update for Business documentation to better communicate how to utilize Windows Update for Business to manage Windows Updates to keep devices secure and end users productive.

Windows Virtual Desktop

Windows Virtual Desktop continues to evolve and you can keep up with the latest enhancements by bookmarking the Windows Virtual Desktop community and staying tuned to the Windows IT Pro Blog. Most recently, we've published new PowerShell modules to PSGallery, including Remove-RdsRoleAssignment with the -AadTenantId parameter to remove role assignments of principals not associated to the Azure AD tenant, and Update-AzWvdHostPool -PersonalDesktopAssignmentType to automatically assign users to virtual machines. For more details, see the Windows Virtual Desktop PowerShell release notes.

Cortana enhancements

  • Productivity[1]. A chat-based UI gives you the ability to interact with Cortana using typed or spoken natural language queries to easily get information across Microsoft 365 and stay on track. In the coming months, with regular app updates through the Microsoft Store, we'll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities (such as surfacing relevant emails and documents to help you prepare for meetings), and expand supported capabilities for international users.
  • Security. You now must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tighter access, some skills including music, connected home, and third-party skills will no longer be available. Additionally, users get cloud-based assistance services that meet Office 365's enterprise-level privacy, security, and compliance promises as set out in the Online Services Terms.
  • Move the Cortana window. With Windows 10, version 2004, you can drag the Cortana window to a more convenient location on your desktop.

Thursday, April 23, 2020

M365 wrong licensing impacts performance

Tenant level security & compliance features may have performance issues when licensed wrong!

A good example is the use of Office 365 ATP, e.g. the detonation chamber for attachments. Behind this feature, VMs are spun up for processing the attachments. In the background, the number of licensed users controls the amount of VMs used for this. Some customers believe it's a good idea to have 1 x E5 license, and then they are able to use the features as they are activated tenant-wide.
But they fail by:
1. committing a license violation
2. not having enough resources allocated to do the work. The practical result is a strongly delayed delivery of mails with attachments or, with the dynamic delivery option enabled, a strong delay in delivering the final attachment. This is caused by a tremendous queue of attachments waiting to be checked, as there are not enough resources allocated in the background.
For this and more impacts, please refer also to this article. It also covers how to limit the services correctly to the targeted users.

Friday, March 27, 2020

SCCM ConfigMgr Client Health

When you operate your clients in an enterprise environment, you may from time to time find clients in an unhealthy condition. E.g. SCCM reporting does not work anymore, or there are other issues around WMI originating from a corrupt WMI repository, and much more.

The tech fellow Anders Rodland created a fantastic PowerShell-based framework to diagnose and heal your (SCCM) clients automatically.

ConfigMgr Client Health detects and fixes the following errors:

  • ConfigMgr client is not installed.
  • ConfigMgr client is assigned the correct site code.
  • ConfigMgr client is upgraded to current version if not at specified minimum version.
  • ConfigMgr client not able to forward state messages to management point.
  • ConfigMgr client stuck in provisioning mode.
  • ConfigMgr client maximum log file size.
  • ConfigMgr client cache size. Fixed size (MB) or percentage of disk space.
  • ConfigMgr client certificate error.
  • ConfigMgr client hardware inventory not running.
  • ConfigMgr client CcmSQLCE.log exists and client is not in debug mode.
  • Corrupt WMI.
  • DNS server record matches local IP’s
  • Drivers – Reports faulty or missing drivers on client.
  • Logging to SQL database and / or file share
  • Pending reboot check
  • User-friendly reboot of computer with 3rd party reboot app when in pending reboot or computer uptime is more than specified in config.
  • Services for ConfigMgr client are not running or disabled.
  • Other services can be specified to start and run in a specific state.
  • Windows Update Agent not working correctly, causing client not to receive patches.
  • Windows Update Agent missing patches that fixes known bugs.
  • PLUS additional ones in the latest version (check it out!)

More information can be found here:

And the latest "ConfigMgrClient Health" can be found on Github:

Monday, March 23, 2020

Autopilot with non-signature devices (CSP admins only)

Recently I had a customer who regularly acquired Dell devices without the Signature Edition, so they would not receive the Autopilot hashes automatically in their tenant.

There is still a way to make it work. But this can't be done by a regular tenant admin. It needs to be done by the CSP admin, so you need to contact your Cloud Solution Provider (CSP), as they have a special chain of trust with Microsoft. You need to trust this CSP and allow them to be your CSP administrator in your tenant. This prevents any abuse of this process.

For this you also need to provide a CSV list to your CSP.

The format must be:

So you need the Device Serial Number, the Manufacturer Name and the Device model. 

(Device serial number,Windows product ID,Hardware hash,Manufacturer name,Device model) for copy&paste in your Excel table.

Manufacturer and Device model are very critical. You cannot simply write what you think fits. It needs to be the output of this PowerShell command:

Get-CimInstance -ClassName Win32_ComputerSystem -property Manufacturer, Model | Select-Object Manufacturer, Model

Manufacturer          Model
------------          -----
Microsoft Corporation Surface Pro 6

You compile the table above with the serial number and this make and model information (being very exact is crucial!). The Windows product ID and the Hardware hash need to be empty!

Then you need to export this as a CSV file and hand it over to your CSP for uploading. This also allows you to on-board machines that you have not bought as Autopilot machines (with Autopilot hardware vendor SKU and/or Signature Edition).
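
The CSV row described above can be produced directly on each device, as in the following added example (not part of the original post and not Microsoft tooling). The column header is the one given in the post; the output path, the duplicate check and the list of placeholder serial numbers are assumptions.

```powershell
# Added example, not from the original post. Run on the device to be registered.
# Assumption: $OutFile is a hypothetical path; point it at a share to collect many devices.
param(
    [string]$OutFile = (Join-Path $env:TEMP 'autopilot-csp.csv')
)

# Header exactly as given in the post.
$Header = 'Device serial number,Windows product ID,Hardware hash,Manufacturer name,Device model'

# Serial number comes from Win32_BIOS; make and model come from the same
# Win32_ComputerSystem query the post uses, so the strings are the exact reported values.
$bios = Get-CimInstance -ClassName Win32_BIOS -Property SerialNumber
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem -Property Manufacturer, Model

$row = [ordered]@{
    'Device serial number' = [string]$bios.SerialNumber
    'Windows product ID'   = ''   # must stay empty for this process
    'Hardware hash'        = ''   # must stay empty for this process
    'Manufacturer name'    = [string]$cs.Manufacturer
    'Device model'         = [string]$cs.Model
}

# Values are written unquoted and unmodified, so reject anything that would
# shift columns or produce a row that does not identify the device.
foreach ($name in 'Device serial number', 'Manufacturer name', 'Device model') {
    $value = $row[$name]
    if ([string]::IsNullOrWhiteSpace($value)) {
        throw "'$name' is empty on this device."
    }
    if ($value -match '[,"\r\n]') {
        throw "'$name' contains a comma, quote or line break: $value"
    }
}

# Firmware that was never personalised reports a generic serial number.
# The list below is constructed for this example (an assumption), extend it as needed.
$placeholders = 'To be filled by O.E.M.', 'System Serial Number', 'Default string'
if ($placeholders -contains $row['Device serial number']) {
    throw "Serial number looks like a firmware placeholder: $($row['Device serial number'])"
}

$line = @($row.Values) -join ','

# Create the file with the header on first use, then append one row per device.
if (-not (Test-Path -LiteralPath $OutFile)) {
    Set-Content -LiteralPath $OutFile -Value $Header
}
if ((Get-Content -LiteralPath $OutFile) -contains $line) {
    Write-Output "Already listed: $line"
} else {
    Add-Content -LiteralPath $OutFile -Value $line
    Write-Output "Added to ${OutFile}: $line"
}
```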

Additional drawback when not using the Signature Edition:
You may still have plenty of bloatware installations in your image. You may want to remove them manually, which might be tricky in some cases.

More information about Autopilot can be found here:

More information about the Signature Edition can be found here:

(Don't be shocked. This is only available in Granada English! :-))

Monday, January 27, 2020

What do these 0xC00000... error codes mean

Sometimes you get some strange error codes in Windows without any meaning attached.

Like 0xC0000005 or many other ones.

There is a simple Microsoft command line tool available to reveal the meaning of them. This tool was recently updated to the latest version. You find it here:

Compared to the older version there are now approx. 8000 new return codes added from more sources. So it's worth downloading the latest version.

When you have downloaded it, simply run the executable followed by the error code, e.g. err 0xC0000005

The error code may be used in more than one place in the OS. So you need to figure out the source (or OS area) where the issue happened.

winerror.h, ntstatus.h and bugcodes.h are typically handled by the OS kernel and relate to core OS functions like file access etc.

USAGE: err [opt] {value} [value] [value] ...
 where <value> must be of one of the following forms:
   1. decorated hex (0x54f)
   2. implicit hex  (54f)
   3. ambiguous     (1359)
   4. exact string  (=ERROR_INTERNAL_ERROR)
   5. substring     (:INTERNAL_ERROR)
...and <opt> may be one of:
   /:xml         - causes the output to be in XML-parseable form.
                   To understand the output, try it.  It's pretty obvious.
   /:listTables  - lists all the tables below in XML format.
                   Again, the format is pretty straightforward.
   /:outputtoCSV - lists all the tables below in CSV format.
   /:outputtoJS  - lists all the tables below for use in JS.
   /:outputtoCPP - lists all the tables below for a C++ header.
   /:hresultfromwin32 - prints HRESULT_FROM_WIN32 errors for a C++ header.

All values on the command line will be looked up in our internal
tables and presented to you.  If available, informational data
associated with the value(s) will also be shown (see below).
All tables are searched by default, but you can restrict the
output to those tables you deem appropriate by adding
"/<tablename>" to the beginning of the commandline.


> err /winerror.h /ntstatus.h 0
# winerror.h selected.
# ntstatus.h selected.
# for hex 0x0 / decimal 0 :
  STATUS_WAIT_0                                             ntstatus.h
  ERROR_SUCCESS                                             winerror.h
# The operation completed successfully.
  NO_ERROR                                                  winerror.h
  SEC_E_OK                                                  winerror.h
  S_OK                                                      winerror.h
# 5 matches found for "0"

This app has support derived from the following headers and privates:

  activprof.h             activscp.h             adoint.h               adserr.h
  asferr.h                audioclient.h          audioenginebaseapo.h   bitsmsg.h
  bthdef.h                bugcodes.h             cderr.h                cdosyserr.h
  cfgmgr32.h              cierror.h              corerror.h             corsym.h
  ctffunc.h               d3d.h                  d3d9.h                 d3d9helper.h
  d3dx10.h                d3dx10core.h           d3dx9.h                d3dx9xof.h
  daogetrw.h              dbdaoerr.h             dciddi.h               ddeml.h
  ddraw.h                 dhcpssdk.h             difxapi.h              dinput.h
  dinputd.h               dlnaerror.h            dmerror.h              drt.h
  dsound.h                dxfile.h               eaphosterror.h         ehstormsg.h
  esent.h                 fherrors.h             filterr.h              fltdefs.h
  hidpi.h                 iiscnfg.h              imapi2error.h          imapi2fserror.h
  imapierror.h            ime.h                  intshcut.h             ipexport.h
  iscsierr.h              iscsilog.h             jscript9diag.h         legacyErrorCodes.h
  lmerr.h                 lmerrlog.h             lmsvc.h                lpmapi.h
  lzexpand.h              mciavi.h               mdmregistration.h      mdmsg.h
  mediaerr.h              mferror.h              mmstream.h             mobsync.h
  mpeg2error.h            mprerror.h             mq.h                   mqoai.h
  msctf.h                 msdrmerror.h           msime.h                msiquery.h
  msopc.h                 mswmdm.h               msxml2.h               nb30.h
  ndattrib.h              netcfgx.h              netevent.h             netmon.h
  netsh.h                 nserror.h              ntdddisk.h             ntdsapi.h
  ntdsbmsg.h              ntiologc.h             ntstatus.h             odbcinst.h
  ole.h                   olectl.h               oledberr.h             oledlg.h
  p2p.h                   patchapi.h             patchwiz.h             pbdaerrors.h
  pdhmsg.h                photoacquire.h         portabledevice.h       qossp.h
  raserror.h              rdcentraldb.h          reconcil.h             routprot.h
  rtcerr.h                sberrors.h             scesvc.h               schannel.h
  setupapi.h              shellapi.h             sherrors.h             shimgdata.h
  shobjidl_core.h         slerror.h              snmp.h                 spatialaudioclient.h
  spatialaudiometadata.h  sperror.h              stierr.h               synchronizationerrors.h
  tapi.h                  tapi3err.h             tcerror.h              textserv.h
  textstor.h              thumbcache.h           tpcerror.h             txdtc.h
  upnp.h                  upnphost.h             urlmon.h               usb.h
  usp10.h                 vdserr.h               vfw.h                  vfwmsgs.h
  vsserror.h              wbemcli.h              wcmerrors.h            wcntypes.h
  wdfstatus.h             wdscpmsg.h             wdsmcerr.h             wdstptmgmtmsg.h
  werapi.h                wiadef.h               winbio_err.h           wincrypt.h
  windowsplayready.h      windowssearcherrors.h  winerror.h             winfax.h
  winhttp.h               wininet.h              winioctl.h             winldap.h
  winsnmp.h               winsock2.h             winspool.h             wpc.h
  wsbapperror.h           wsmerror.h             wuerror.h              xapo.h
  xaudio2.h               xmllite.h              xpsdigitalsignature.h  xpsobjectmodel.h
There are currently 25259 return codes registered from 173 sources.
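
Because one number can show up in several tables, it helps to read the bit layout of the value before picking a table. The following is an added example, not part of the err tool or of the original post: it splits a value into its NTSTATUS and HRESULT fields (per Microsoft's published layouts) and suggests where to look. The function names are hypothetical, and reading the "ambiguous" form as both decimal and hex is an assumption based on the usage text above.

```python
# Added example: classify a 32-bit Windows status value by its bit layout.
# Function names are illustrative; sample values in the test are constructed.
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
FACILITY_WIN32 = 7          # facility HRESULT_FROM_WIN32 stamps into bits 16-26
N_BIT = 0x10000000          # set when an HRESULT wraps an NTSTATUS


def candidates(text):
    """Integers a typed value may denote (forms 1-3 of the usage text)."""
    t = text.strip().lower()
    if t.startswith("-"):                 # signed decimal, as some logs print it
        vals = {int(t, 10)}
    elif t.startswith("0x"):              # 1. decorated hex
        vals = {int(t, 16)}
    elif t.isdigit():                     # 3. ambiguous: decimal and hex reading
        vals = {int(t, 10), int(t, 16)}
    else:                                 # 2. implicit hex
        vals = {int(t, 16)}
    return sorted(v & 0xFFFFFFFF for v in vals)


def fields(v):
    """Split v into the bit fields where NTSTATUS and HRESULT agree or differ."""
    return {
        "nt_severity": SEVERITY[v >> 30],         # NTSTATUS: top two bits
        "nt_facility": (v >> 16) & 0xFFF,         # NTSTATUS: 12-bit facility
        "hr_failure": bool(v & 0x80000000),       # HRESULT: S bit
        "hr_facility": (v >> 16) & 0x7FF,         # HRESULT: 11-bit facility
        "code": v & 0xFFFF,                       # low 16 bits in both layouts
    }


def triage(text):
    """Return [(value, hint)] naming the table each reading most likely belongs to."""
    out = []
    for v in candidates(text):
        f = fields(v)
        if v <= 0xFFFF:
            hint = "plain 16-bit code: may exist in several tables, search all"
        elif f["hr_failure"] and f["hr_facility"] == FACILITY_WIN32 and not v & 0x78000000:
            hint = f"HRESULT_FROM_WIN32({f['code']}): look up {f['code']} in winerror.h"
        elif v & N_BIT:
            hint = f"HRESULT wrapping NTSTATUS 0x{v & ~N_BIT:08X}: look that up in ntstatus.h"
        elif v >> 30 == 3:
            hint = f"NTSTATUS {f['nt_severity']}, facility {f['nt_facility']}: ntstatus.h"
        else:
            hint = "layout alone does not decide: search all tables"
        out.append((v, hint))
    return out
```

The hint only narrows the search; the lookup itself is still done with err, restricted to the suggested table via "/<tablename>".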