Applies to:

Windows 10 RTM (a.k.a. Windows 10 1507)

Since the following KB articles and Technet articles haven’t been updated:

949104 How to update the Windows Update Agent to the latest version

https://support.microsoft.com/?id=949104

946928 Information for network administrators about how to obtain the latest Windows Update Agent

https://support.microsoft.com/?id=946928

How to Check the Windows Update Agent Version on Clients

https://technet.microsoft.com/en-us/library/bb680319.aspx

Note:  You should check http://support.microsoft.com for the latest version of the different files.

Note 2:  You can download them without entering your e-mail address and captcha if you are a Microsoft Premier customer and have a http://Premier.Microsoft.com account.

Note 3:  Carefully review the list and decide which might be applicable to your unique environment.

Note 4:  Test in your test and your quality assurance environment.

No update as of Dec. of 2017.

Yong

P.S.  More Windows Update related articles:

How to download a Windows update manually

973135 https://support.microsoft.com/?id=973135

946413 You receive error code 0x80244001 when you try to update the computer by visiting the Microsoft Update Web site or the Windows Update Web site

https://support.microsoft.com/?id=946413

555974How to re-register Windows client/server in WSUS

https://support.microsoft.com/?id=555974

971058 How do I reset Windows Update components?

https://support.microsoft.com/?id=971058

883821 883821 You may receive an error message when you search for available updates on the Windows Update Web site or on the Microsoft Update Web site

https://support.microsoft.com/?id=883821

956708 Error message when you try to install updates by using the Windows Update or Microsoft Update Web site: "0x80004002"

https://support.microsoft.com/?id=956708

326253 Error message when you check for updates on the Windows Update site: "0X800A138F: There are no updates available at this time"

https://support.microsoft.com/?id=326253

555989 Windows Update Not Working.

https://support.microsoft.com/?id=555989

883821 You may receive an error message when you search for available updates on the Windows Update Web site or on the Microsoft Update Web site

https://support.microsoft.com/?id=883821

2700567 Windows Update freezes when you install updates in Windows 8, Windows 7, or Windows Vista

https://support.microsoft.com/?id=2700567

Applies to:

Windows 10 1511 (a.k.a. Windows 10 November of 2015)

Since the following KB articles and Technet articles haven’t been updated:

949104 How to update the Windows Update Agent to the latest version

https://support.microsoft.com/?id=949104

946928 Information for network administrators about how to obtain the latest Windows Update Agent

https://support.microsoft.com/?id=946928

How to Check the Windows Update Agent Version on Clients

https://technet.microsoft.com/en-us/library/bb680319.aspx

Note:  You should check http://support.microsoft.com for the latest version of the different files.

Note 2:  You can download them without entering your e-mail address and captcha if you are a Microsoft Premier customer and have a http://Premier.Microsoft.com account.

Note 3:  Carefully review the list and decide which might be applicable to your unique environment.

Note 4:  Test in your test and your quality assurance environment.

None as of Dec. of 2017

Yong

P.S.  More Windows Update related articles:

How to download a Windows update manually

973135 https://support.microsoft.com/?id=973135

946413 You receive error code 0x80244001 when you try to update the computer by visiting the Microsoft Update Web site or the Windows Update Web site

https://support.microsoft.com/?id=946413

555974How to re-register Windows client/server in WSUS

https://support.microsoft.com/?id=555974

971058 How do I reset Windows Update components?

https://support.microsoft.com/?id=971058

883821 883821 You may receive an error message when you search for available updates on the Windows Update Web site or on the Microsoft Update Web site

https://support.microsoft.com/?id=883821

956708 Error message when you try to install updates by using the Windows Update or Microsoft Update Web site: "0x80004002"

https://support.microsoft.com/?id=956708

326253 Error message when you check for updates on the Windows Update site: "0X800A138F: There are no updates available at this time"

https://support.microsoft.com/?id=326253

555989 Windows Update Not Working.

https://support.microsoft.com/?id=555989

883821 You may receive an error message when you search for available updates on the Windows Update Web site or on the Microsoft Update Web site

https://support.microsoft.com/?id=883821

2700567 Windows Update freezes when you install updates in Windows 8, Windows 7, or Windows Vista

https://support.microsoft.com/?id=2700567

Applies to:

Windows Server 2016

Windows 10 1607 (a.k.a. Anniversary edition)

Since the following KB articles and Technet articles haven’t been updated:

949104 How to update the Windows Update Agent to the latest version

https://support.microsoft.com/?id=949104

946928 Information for network administrators about how to obtain the latest Windows Update Agent

https://support.microsoft.com/?id=946928

How to Check the Windows Update Agent Version on Clients

https://technet.microsoft.com/en-us/library/bb680319.aspx

Note:  You should check http://support.microsoft.com for the latest version of the different files.

Note 2:  You can download them without entering your e-mail address and captcha if you are a Microsoft Premier customer and have a http://Premier.Microsoft.com account.

Note 3:  Carefully review the list and decide which might be applicable to your unique environment.

Note 4:  Test in your test and your quality assurance environment.

4033637 Updates to Windows 10, Version 1607 for update applicability: August 30, 2017

https://support.microsoft.com/?id=4033637

Supersede(s):

3019207 Dynamic update does not work in Windows 10 Technical Preview or Windows Server Technical Preview build-to-build upgrade

https://support.microsoft.com/?id=3019207

Yong

P.S.  More Windows Update related articles:

How to download a Windows update manually

973135 https://support.microsoft.com/?id=973135

946413 You receive error code 0x80244001 when you try to update the computer by visiting the Microsoft Update Web site or the Windows Update Web site

https://support.microsoft.com/?id=946413

555974How to re-register Windows client/server in WSUS

https://support.microsoft.com/?id=555974

971058 How do I reset Windows Update components?

https://support.microsoft.com/?id=971058

883821 883821 You may receive an error message when you search for available updates on the Windows Update Web site or on the Microsoft Update Web site

https://support.microsoft.com/?id=883821

956708 Error message when you try to install updates by using the Windows Update or Microsoft Update Web site: "0x80004002"

https://support.microsoft.com/?id=956708

326253 Error message when you check for updates on the Windows Update site: "0X800A138F: There are no updates available at this time"

https://support.microsoft.com/?id=326253

555989 Windows Update Not Working.

https://support.microsoft.com/?id=555989

883821 You may receive an error message when you search for available updates on the Windows Update Web site or on the Microsoft Update Web site

https://support.microsoft.com/?id=883821

2700567 Windows Update freezes when you install updates in Windows 8, Windows 7, or Windows Vista

https://support.microsoft.com/?id=2700567

Applies to:

Windows 10 1703 (a.k.a. Windows 10 Creators update)

Since the following KB articles and Technet articles haven’t been updated:

949104 How to update the Windows Update Agent to the latest version

https://support.microsoft.com/?id=949104

946928 Information for network administrators about how to obtain the latest Windows Update Agent

https://support.microsoft.com/?id=946928

How to Check the Windows Update Agent Version on Clients

https://technet.microsoft.com/en-us/library/bb680319.aspx

Note:  You should check http://support.microsoft.com for the latest version of the different files.

Note 2:  You can download them without entering your e-mail address and captcha if you are a Microsoft Premier customer and have a http://Premier.Microsoft.com account.

Note 3:  Carefully review the list and decide which might be applicable to your unique environment.

Note 4:  Test in your test and your quality assurance environment.

None as of Dec. of 2017.

Yong

P.S.  More Windows Update related articles:

How to download a Windows update manually

973135 https://support.microsoft.com/?id=973135

946413 You receive error code 0x80244001 when you try to update the computer by visiting the Microsoft Update Web site or the Windows Update Web site

https://support.microsoft.com/?id=946413

555974How to re-register Windows client/server in WSUS

https://support.microsoft.com/?id=555974

971058 How do I reset Windows Update components?

https://support.microsoft.com/?id=971058

883821 883821 You may receive an error message when you search for available updates on the Windows Update Web site or on the Microsoft Update Web site

https://support.microsoft.com/?id=883821

956708 Error message when you try to install updates by using the Windows Update or Microsoft Update Web site: "0x80004002"

https://support.microsoft.com/?id=956708

326253 Error message when you check for updates on the Windows Update site: "0X800A138F: There are no updates available at this time"

https://support.microsoft.com/?id=326253

555989 Windows Update Not Working.

https://support.microsoft.com/?id=555989

883821 You may receive an error message when you search for available updates on the Windows Update Web site or on the Microsoft Update Web site

https://support.microsoft.com/?id=883821

2700567 Windows Update freezes when you install updates in Windows 8, Windows 7, or Windows Vista

https://support.microsoft.com/?id=2700567

Applies to:

Windows 10 1709 (a.k.a. Windows 10 Fall's Creators update)

For the Windows Update based security hotfixes and hotfixes to install properly, you need to make sure that you have the latest “Servicing Stack Update” for your corresponding O.S.  Here are a list for the O.S. on the applies to section.

4054022 Servicing stack update for Windows 10 Version 1709: November 30, 2017

https://support.microsoft.com/?id=4054022

Thanks,

Yong

P.S.  You might see the following error messages when trying to install the December 2018 security updates:

Looking at:

"c:\temp\WinUp_4054517_error_0x80071a90\WindowsUpdateLog\wuetl.CSV.tmp.00002"

/*
      Handler,          0,        10123,          0,         11,          4,          0,          0, 0x0000000000001000, 0x00000F50, 0x00001334,                    0,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   131595246777272135,        375,       1185, "Adding Windows10.0-KB4054517-x64.cab (entire file) to request list."

<SNIP>
      Handler,          0,        10123,          0,         11,          4,          0,          0, 0x0000000000001000, 0x0000124C, 0x00001524,                    0,             ,                     ,   {00000000-0000-0000-0000-000000000000},                                         ,   131595419369307385,        150,          0, "Post-reboot status for session 30639406_830041973: 0x80071a90."

*/

Looking at "c:\temp\WinUp_4054517_error_0x80071a90\CbsPersist_20171101223740\CbsPersist_20180104122304.log":

/*

2018-01-03 23:32:39, Info                  CBS    Opened cabinet package, package directory: \\?\C:\Windows\SoftwareDistribution\Download\2d0cc9878b9c82012a172ce21927b52d\, sandbox location: \\?\C:\Windows\SoftwareDistribution\Download\2d0cc9878b9c82012a172ce21927b52d\inst\, cabinet location: \\?\C:\Windows\SoftwareDistribution\Download\2d0cc9878b9c82012a172ce21927b52d\Windows10.0-KB4054517-x64.cab, manifest location: \\?\C:\Windows\SoftwareDistribution\Download\2d0cc9878b9c82012a172ce21927b52d\inst\update.mum

<SNIP>

2018-01-04 04:17:06, Info                  CBS    Failure in poqexec.exe while processing updates. [HRESULT = 0x80071a90 - ERROR_TRANSACTIONAL_CONFLICT]

<SNIP>

2018-01-04 04:17:06, Info                  CBS    Shtd: Transaction failed, possibly due to another process.  Attempting retry: #1 of 1 [HRESULT = 0x80071a90 - ERROR_TRANSACTIONAL_CONFLICT]

*/

Hi guys,

Kory Thacher who is a fellow PFE based out of Seattle, WA., has a new blog post that goes through Powershell fundamentals.

Bookmark this Aka.MS/Kory URL if you are looking at ramping up on Powershell.

Have a good weekend.

Yong

CVE-2017-5753: bounds check bypass
CVE-2017-5715: branch target injection
CVE-2017-5754: rogue data cache load

“Speculative execution side-channel vulnerabilities” that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass

        Note:  Also known as “Kernel Page Table Isolation” (KPTI)) vulnerability.

        Note 2:  Also known as “Meltdown attack”

        Note 3:  Also known as “Spectre attack”

Register’s Intel story from Jan. 3rd, 2018.

What’s impacted?  They affect the different hardware of multiple vendors across the industry

• Intel
• AMD
• ARM

                 Meltdown https://meltdownattack.com/

                 Meltdown impacts only Intel*

                             Note:  * As of now.

                Spectre https://spectreattack.com/

                Spectre impacts Intel, AMD, and ARM.

Thus the software running on top (Windows, Linux, Android, Chrome, IOS, Mac OS).

Intel Corp. has released the following announcement:

Intel Responds to Security Research Findings

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

· Intel Security Advisory INTEL-SA-00086

· Support Article

· Detection Tool

US Cert has released the following announcement:

· US Cert. Notification

AMD Corp. has released the following announcement:

An Update on AMD Processor Security

http://www.amd.com/en/corporate/speculative-execution

[PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors

https://lkml.org/lkml/2017/12/27/2

Microsoft Security Advisory:

ADV180002 | Vulnerability in CPU Microcode Could Allow Information Disclosure

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

Microsoft Azure’s announcement:

Securing Azure customers from CPU vulnerability

https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

4073235 Microsoft Cloud Protections Against Speculative Execution

https://support.microsoft.com/en-us/help/4073235/cloud-protections-speculative-execution-side-channel-vulnerabilities

Microsoft Windows and Windows Server related information:

4072699 Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software

https://support.microsoft.com/?id=4072699

4073229 Protecting your device against chip-related security vulnerabilities

https://support.microsoft.com/?id=4073229

4073119 Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

https://support.microsoft.com/?id=4073119

4072698 Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities

https://support.microsoft.com/?id=4072698

4073225 SQL Server Guidance to protect against speculative execution side-channel vulnerabilities

https://support.microsoft.com/?id=4073225 

Summary:  5 steps:

1. Apply CPU microcode (firmware) update from the OEM hardware manufacturer.
2. Check with your AV vendor for antivirus compatibility before installing "Windows Update".

                 Note:  Windows Defender Antivirus and SCEP are compatible.

             3. Install "Windows Updates" from January 3rd, 2018.

             4.  Windows Server OS need to enable software mitigations.

• reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
• reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

             5.  On Hyper-V hosts, you will need shutdown (live migrate off) the Guest VM’s and add the following registry key on the Hyper-V Host:

• reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

FAQ:

Q:  Does the Host need to be patched first?  Or is it ok to patch the VM first?

A:  For the Windows patches, the order doesn't matter.

Q:  What does the following registry MinVmVersionForCpuBasedMitigations do?

A:  MinVmVersionForCpuBasedMitigations is "minimum VM version that needs access to the updated firmware capabilities"

     Source:
      Protecting guest virtual machines from CVE-2017-5715 (branch target injection)
      https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms

Surface hardware related information:

4073065 Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability

https://support.microsoft.com/?id=4073065

The Windows and Windows Server related hotfixes are available here:

http://www.catalog.update.microsoft.com/Search.aspx?q=2018-01

Windows 10 1709 and Windows Server 1709 (a.k.a. Fall’s Creators update, codename RS3):

4056892 January 3, 2018—KB4056892 (OS Build 16299.192)

2018-01 Update for Windows 10 Version 1709 (KB4058702)

https://support.microsoft.com/?id=4056892

Windows 10 1703 and Windows Server 1703 (a.k.a. Creators update, codename RS2):

4056891 January 3, 2018—KB4056891 (OS Build 15063.850)

https://support.microsoft.com/?id=4056891

Windows 10 version 1607 and Windows Server 2016 (a.k.a. Anniversary edition, codename RS1):

4056890 January 3, 2018—KB4056890 (OS Build 14393.2007)

https://support.microsoft.com/?id=4056890

Windows 10 version 1511 (a.k.a. November update, codename TH2):

4056888 January 3, 2018—KB4056888 (OS Build 10586.1356)

2018-01 Cumulative Update for Windows 10 Version 1511 (KB4056888)

https://support.microsoft.com/?id=4056888

Windows 10 version 1507 (a.k.a. RTM, codename TH1):

4056893 January 3, 2018—KB4056893 (OS Build 10240.17738)

2018-01 Cumulative Update for Windows 10 Version 1507 (KB4056893)

https://support.microsoft.com/?id=4056893

Windows 8.1 and Windows Server 2012 R2:

January 3, 2018—KB4056898 (Security-only update)

2018-01 Security Only Quality Update for Windows Server 2012 R2  (KB4056898)

https://support.microsoft.com/?id=4056898

Windows 7 SP1 and Windows Server 2008 R2:

4056897 January 3, 2018—KB4056897 (Security-only update)

2018-01 Security Only Quality Update for Windows Server 2008 R2 (KB4056897)

https://support.microsoft.com/?id=4056897

My PFE peers:

• Ralph Kyttle wrote the following PoSh (Powershell) DSM:

Verifying Spectre / Meltdown protections remotely

https://blogs.technet.microsoft.com/ralphkyttle/2018/01/05/verifying-spectre-meltdown-protections-remotely/

• Ken Wygant wrote and shared the following SCCM DCM baseline and it’s available for download here:

https://twitter.com/pfeken/status/950378010837995520

h.t.h.,

Yong

P.S.  The other ISV’s impacted by the issue:

Google’s announcement:

Today's CPU vulnerability: what you need to know

AWS’s announcement:

Processor Speculative Execution Research Disclosure

Redhat’s announcement:

Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

     Speculative Execution Exploit Performance Impacts - Describing the performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and CVE-2017-5715

Ubuntu’s announcement:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Suse’s announcement:

https://www.suse.com/support/kb/doc/?id=7022512

CoreOS:

https://twitter.com/CoreOSsecurity/status/948790591898361857

VMWare’s announcement:

https://blogs.vmware.com/security

Applies to:

Windows Server 2012 R2

Ephemeral port also known as (a.k.a.) Dynamic ports related hotfixes for “Windows Server 2012 R2”:

Install 3149157 Reliability and scalability improvements in TCP/IP for Windows 8.1 and Windows Server 2012 R2

https://support.microsoft.com/?id=3149157

tcpip.sys 6.3.9600.18264

3123245 Update improves port exhaustion identification in Windows Server 2012 R2

https://support.microsoft.com/kb/3123245

Netstat -anoq

// The q is the new switch backported from Windows Server 2016.

2897602 FIX: TCP connections that use ephemeral loopback addresses are dropped suddenly in Windows

https://support.microsoft.com/kb/2897602

//  For apps that uses loopback addresses (127.0.0.x)

I h.t.h.,

Yong

Reference(s):

Detecting ephemeral port exhaustion

https://blogs.technet.microsoft.com/clinth/2013/08/09/detecting-ephemeral-port-exhaustion/

Server "Hangs" and Ephemeral Port Exhaustion issues

https://blogs.technet.microsoft.com/kimberj/2012/07/06/server-hangs-and-ephemeral-port-exhaustion-issues/

Port Exhaustion and You (or, why the Netstat tool is your friend)

https://blogs.technet.microsoft.com/askds/2008/10/29/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend/

Dynamic Ports in Windows Server 2008 and Windows Vista (or: How I learned to stop worrying and love the IANA)

https://blogs.technet.microsoft.com/askds/2007/08/24/dynamic-ports-in-windows-server-2008-and-windows-vista-or-how-i-learned-to-stop-worrying-and-love-the-iana/

For the Enterprises that are already not working on their Windows 10 upgrade, something to note.

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/10/a-worthy-upgrade-next-gen-security-on-windows-10-proves-resilient-against-ransomware-outbreaks-in-2017/

Yong

Milad Aslaner (PM for Devices and Mobility) posted:

How to disrupt attacks caused by social engineering

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/10/how-to-disrupt-attacks-caused-by-social-engineering/

For those of you that are parents, family members, and/or neighbors and want to get kids involved on a STEM program such as coding, we (Microsoft) have a website where they could get started:

https://makecode.com/

For more information:

Microsoft Coding for Kids!!!

https://blogs.msdn.microsoft.com/smallbasic/2016/12/09/microsoft-coding-for-kids/

Announcing Microsoft MakeCode for Circuit Playground Express

https://educationblog.microsoft.com/2017/05/announcing-microsoft-makecode-for-circuit-playground-express/#GHF52xLhoSORwyCs.99

Deploy & Code In Minecraft

https://blogs.technet.microsoft.com/nzedu/2017/11/02/deploy-code-in-minecraft/

Microsoft MakeCode.com Perfect for inspiration and starting a development journey

https://blogs.msdn.microsoft.com/uk_faculty_connection/2017/05/19/microsoft-makecode-com-perfect-for-inspiration-and-starting-a-development-journey/

https://blogs.msdn.microsoft.com/uk_faculty_connection/tag/stem/

Yong

Imad Balute and his team of “Modern Desktop” “Technology Professionals” have a new blog called “Show Me Windows”.

Here is the link to their first post.  Don’t forget to bookmark it or add it to your RSS feed.

How to enable Bitlocker and escrow the keys to Azure AD when using AutoPilot for standard users

https://blogs.technet.microsoft.com/showmewindows/2018/01/18/how-to-enable-bitlocker-and-escrow-the-keys-to-azure-ad-when-using-autopilot-for-standard-users/

Enjoy,

Yong

Hello everyone,

Imad Balute (Technology Professional). started his own personal Technet blog post.

Check it out at:

Add your logo to MBAM Helpdesk and SelfService

https://blogs.technet.microsoft.com/ibalute/2018/01/27/add-your-logo-to-mbam-helpdesk-and-selfservice/

Applies to:

Windows Server 2016 with Bitlocker

Windows 10 with Bitlocker

Windows 2012 R2 with Bitlocker

Windows 8.1 with Bitlocker

Windows 2012 with Bitlocker

Windows 8 with Bitlocker

Windows 2008 R2 with Bitlocker

Windows 7 SP1 with Bitlocker

Yong

P.S.  Imad’s team Technet blog:

[Cross-Post] The “Modern Desktop” “Technology Professionals” have a new blog.

https://blogs.technet.microsoft.com/yongrhee/2018/01/18/cross-post-the-technology-professionals-have-a-new-modern-desktop-blog/

My peer Lee Stevens has the following new blog post that you all might be interested in:

PS without BS: Removing WMI Queries from GPMC

https://blogs.technet.microsoft.com/leesteve/2018/02/05/ps-without-bs-removing-wmi-queries-from-gpmc/

From St. Louis, MO.,

Yong

Applies to:

Windows Server 1709

Windows 10 1709

Windows 10 1703

Does not work on built-in WPR.exe:

Windows Server 2016

Note:  Doesn’t not have the -onoffscenario option

Windows 10 1607

Note:  Doesn’t not have the -onoffscenario option

I had gone through how to capture a boot and logon trace using the GUI (WPRUI) in the following blog post:

How to collect a good boot trace on Windows 10 or Windows Server 2016 using WPRUI.

https://blogs.technet.microsoft.com/yongrhee/2017/10/10/how-to-collect-a-good-boot-trace-on-windows-10-or-windows-server-2016-using-wprui/

In this post, we are going to go through the built-in WPR.exe process that I had mentioned:

Windows Performance Recorder (WPR.exe) now inbox in Windows 10.

https://blogs.technet.microsoft.com/yongrhee/2015/08/04/windows-performance-recorder-wpr-exe-now-inbox-in-windows-10/

Combining WPR.exe and the boot and logon:

Start, CMD (Run As Admin)

wpr.exe -start CPU -start DiskIO -start FileIO -start Registry -start Network -start Minifilter -onoffscenario boot -onoffresultspath c:\temp -onoffproblemdescription SlowBootSlowLogon -numiterations 1

<Reboots the machine>

Login as soon as possible

wpr.exe -stop c:\temp\%computername%_slow_boot_slow_logon.etl

View the output .etl trace in WPA.exe (Windows Performance Analyzer).

Yong

Applies to:

Windows 10/ 2016

Windows 8.1/ 2012 R2

Windows 8 / 2012

Windows 7 SP1/ 2008 R2

Problem description:

==============

Windows Server 2016 Hyper-V Failover Cluster (but this would apply to any modern Windows and Windows Server)

Randomly, name resolution fail.  The issue just started recently.

The Windows based systems are getting an IPv6 address even though the network is an IPv4 based.

The DNS server is only resolving IPv4 based IP addresses which is by design in this customer environment (and 99% of the environments out there).

Cause:

====

A network trace (Message Analyzer/Wireshark) showed that the device with the MAC address, [00-1A-1E-01-43-65], was sending Router Advertisement in the network segment.

This MAC address belonged to a Wireless Access Point (WAP) that one of the networking administrators was testing to see the capabilities.

It just happened that it was not configured (default setting) and started broadcasting IPv6 addresses.

Background:

==========

To ‘prevent’ this type of issue, normally the common thing for IT administrators to do is to disable ipv6 in the network adapter.

Control Panel\Network and Internet\Network Connections

Right-click on a network adapter

Click on “Properties”

Uncheck the box for "Internet Protocol Version 6 (TCP/IPv6)"

Warning:  This is unsupported by us (Microsoft)

The supported work-around that many IT administrators end-up using is described in:

929852 How to disable IPv6 or its components in Windows

https://support.microsoft.com/?id=929852

Since the different component owners in the Product Group don’t test with IPv6 disabled, I was wondering, is/are there a better way of keeping IT administrators from shooting themselves on the foot while also providing the availability?

Investigation:

===========

Windows Vista and Windows Server 2008 and newer OS’es implements RFC 3484  and uses a prefix table to determine which address to use when multiple addresses are available for a name.

By default, it favors IPv6 global unicast addresses over IPv4 addresses.

969029 The functionality for source IP address selection in Windows Server 2008 and in Windows Vista differs from the corresponding functionality in earlier versions of Windows

https://support.microsoft.com/?id=969029

              For information about RFC 3484:

              Default Address Selection for Internet Protocol version 6 (IPv6)

              http://tools.ietf.org/html/rfc3484

RFC 4291 will let you set ipv4 precedence over ipv6

              Using SIO_ADDRESS_LIST_SORT

              https://msdn.microsoft.com/en-us/library/windows/desktop/ms740614(v=vs.85).aspx

                           For information about RFC 4291:

                           IP Version 6 Addressing Architecture

                           http://tools.ietf.org/html/rfc4291

Start, CMD (Run As Admin)

netsh interface ipv6 show prefixpolicies

Note that higher precedence in prefix policies is represented by a lager "precedence" value, exactly opposite to routing table "cost" value.

        40      1  ::/0

        30      2  2002::/16

        20      3  ::/96

        10      4  ::ffff:0:0/96

Note that IPv6 addresses (::/0) are preferred over IPv4 addresses (::/96, ::ffff:0:0/96).

We can create a policy that will make Contoso IPv6 tunnel less favorable than any IPv4 address:

netsh interface ipv6 add prefixpolicy 2001:470::/32 3 6

2001:470::/32 is Contoso's prefix, 3 is a Precedence (very low) and 6 is a Label.

Recommendation:

================

The moral of the story is, don’t disable IPv6.  Use the “Prefer IPv4 over IPv6” if you must.

Option 1:

Use the “Prefer Ipv4 over IPv6” using the custom .admx here:

How to Disable IPv6 through Group Policy

https://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx

Option 2:

OR use GPP to set the Disabled Components for “Prefer IPv4 over IPv6”

929852 How to disable IPv6 or its components in Windows

https://support.microsoft.com/?id=929852

Option 3:

OR if in individual machines:

Instead of manually configuring these settings, there is a fix it:

2533454 Resolving Internet connectivity issues after World IPv6 Launch (June 6, 2012)

https://support.microsoft.com/?id=2533454

Yong “Hailing from Long Beach, CA. today”.

Other “Stop hurting yourself by” posts:

WMI: Stop hurting yourself by using “for /f %%s in (‘dir /s /b *.mof *.mfl’) do mofcomp %%s”

https://blogs.technet.microsoft.com/yongrhee/2016/06/23/wmi-stop-hurting-yourself-by-using-for-f-s-in-dir-s-b-mof-mfl-do-mofcomp-s/

Applies to:

Windows 10 1803 ((tbd))

Windows 10 1709 (Fall Creators update)

Windows 10 1703 (Creators update)

Windows 10 1607 (Anniversary update) / Windows Server 2016

Windows 10 1511 (November update)

Windows 10 1507 (RTM)

[Problem description]

• Start Menu does not work at all.
• Start Menu (and cortana) will become unresponsive, leaving users without a working Start Menu

Q:  Moving forward we can no longer expect CopyProfile to set the Start Layout, pined Items and customized backgrounds? Is that correct?

A:  That is correct.  "The Start Menu Product Group does not support customizing the Start layout with copyprofile."

“Using CopyProfile for Start menu customization isn't supported. Here are the ways to manage custom Start layouts in Windows 10:

• OEMs can use layoutmodification.xml. See Customize the Start layout for more information.
• IT pros can use the following resources learn about managing the Windows 10 Start Menu:
  • Customize Windows 10 Start and taskbar with Group Policy
  • Windows 10 Start Layout Customization”

Source:

Customize the Default User Profile by Using CopyProfile
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile

Q:  Are other portions of CopyProfile still supported in Windows 10?

A:  Yes, everything in CopyProfile except the “Start Menu” and “Taskbar” layout are supported in Windows 10.

[Solution]

Q:  What’s the alternative to customize the “Start Menu” during a deployment or imaging?

A:  Use the Group Policy:

User or Computer / Administrative Templates/Start Menu and Taskbar/Start Layout

Source:

Configure Windows 10 taskbar

Manage Windows 10 Start and taskbar layout

Pimp my Windows 10 – Business Customization Reference

https://blogs.technet.microsoft.com/ash/2016/03/07/pimp-my-windows-10-business-customization-reference/

Q:  How does it work?

A:  Import-Startlayout modifies the default user profile. All new users that login after import-startlayout has been run will get the new StartLayout.

Q:  I want to be able to 'force' some items to be pinned but I also want my end-users to be able to customize their own apps in the Start Menu.

A:  To be able to get the end-users to pin their own Start-menu items, there is a ‘Partial Lockdown’ where you need to specify “OnlySpecifiedGroups”

Locate the <DefaultLayoutOverride> section and add a parameter as detailed below.

<DefaultLayoutOverride LayoutCustomizationRestrictionType=”OnlySpecifiedGroups”>

Source:

Customize and export Start layout
https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout

Windows 10 Start Layout Customization

https://blogs.technet.microsoft.com/deploymentguys/2016/03/07/windows-10-start-layout-customization/

Yong (Hailing from Baton Rouge, Louisiana).

Applies to:

Windows 10 1803 ((tbd))

Windows 10 1709 (Fall Creators update)

Windows 10 1703 (Creators update)

Windows 10 1607 (Anniversary update) / Windows Server 2016

Does not apply to:

Windows 10 1511 (November update)

Windows 10 1507 (RTM)

While I was in Oxnard, California. the following topic came up.

Before you read this, you want to make sure that you go through:

Demystifying “Dual Scan”

https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/

Improving Dual Scan on 1607

https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

Using ConfigMgr With Windows 10 WUfB Deferral Policies

https://blogs.technet.microsoft.com/configurationmgr/2017/10/10/using-configmgr-with-windows-10-wufb-deferral-policies/

Once you have read the 3 blog post above, continue for this particular issue.

[Problem description]

If you have “Windows 10 1607” deployed in Semi-Annual Channel (used to be known as (u.t.b.k.a) Current Branch for Business (CBB)).

And have:

• WSUS set to not deploy “Windows 10 1703” or “Windows 10 1709”.
• According to Improving Dual Scan on 1607, KB4034658 (August 2017 Cumulative update) introduces a new GPO ("Do not allow update deferral policies to cause scans against Windows Update").

https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

And if you have the October 2017 Cumulative update KB4041691 installed.

And these other hotfixes:

KB3186568

KB4013418

KB4023834

KB4033637

KB4035631

KB4038806

KB4051613

• And we have set the "Do not allow update deferral policies to cause scans against Windows Update" in the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]

"DisableDualScan"=dword:00000001

Expectation:

              When going to “Windows Update”

              When clicking on “Check online for updates from Microsoft Update”

              Result:

To not see “Feature Update to Windows 10, 1703” being offered.

Result:

              “Feature Update to Windows 10, 1703” is being offered.

[Cause]

Why? 

Windows 10 1607 allows deferment of the feature update for 180 days.

You can only defer up to 180 days prior to version 1703.

You are falling under this below with the manual/adhoc scans against MU:

“Windows updates from WSUS, supplemental updates from WU - the "on-premises" scenario. Here you expect your users to perform ad hoc scans every so often to get updates that are necessary, but have not been deployed by the enterprise admins. You want quality updates, but do not want feature updates offered during these scans. The policy to disable Dual Scan was created for this scenario: you can enable the new policy, along with your deferral policies, and those deferral policies will only take effect when scanning against Windows [or Microsoft] Update.”

How can you check if DualScan is set?

              Powershell (Run As Admin)

$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”

$MUSM.Services 

IsDefaultAUService

True for "Windows Server Update Service"

False for "Windows Update"

then the following could be causing it:

HKLM\Software\Microsoft\WindowsUpdate\UX\Settings\DeferUpgrade=1

// Was not set.

And/or

HKLM\Software\Microsoft\WindowsUpdate\UX\Settings\BranchReadinessLevel=32

// Was not set.

Source:

Configure Windows Update for Business

https://docs.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb

Why this could be a problem?

· If you are using a 3^rd party encryption, thus, when this is deployed w/o the ‘/reflecteddrivers’ switch and the ‘compatible’ 3^rd party encryption upper filter drivers, it can bricked your system.

· They have in-house apps that are not yet “Windows 10 1703” ‘compatible’, thus need additional time before you upgrade.

[Solution]

Blocking access to “Windows update” via:

• Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off access to all Windows Update features

or

• User Configuration\Administrative Templates\Start Menu and Taskbar\Remove links and access to Windows Update

Note:

• Windows UI

  • HKLM\Software\Microsoft\WindowsUpdate\UX\Settings\
• Group Policy
  • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
• MDM (CSP by SCCM 1706 WUfB policy, Intune, or other MDM Providers)
  • HKLM\Software\Microsoft\PolicyManager\current\device\Update

What do you lose if you disable “Windows Updates”?

· Update drivers (e.g. Print drivers, etc…)

· Universal apps (Windows Store apps)

Thanks.

Yong

Applies to:

Windows 8.1/Windows 2012 R2

Windows 8/Windows 2012

Windows 7 SP1/Windows 2008 R2 SP1

Windows Vista/Windows 2008

Does not apply to:

Windows 10 1803 ((tbd))

Windows 10 1709 (Fall Creators update)

Windows 10 1703 (Creators update)

Windows 10 1607 (Anniversary update) / Windows Server 2016

Windows 10 1511 (November update)

Windows 10 1507 (RTM)

I was on-site this year (2018) and I had heard the following:

"We don’t always install hotfixes; We install hotfixes if that specific problem is experienced in the environment. Security and Critical patches take precedence and, in the case of servers, are usually the only update classification we install. KBxxxxxx is entirely optional and doesn’t show up in the WSUS catalog, another reason why we never caught wind of it."

Regarding item #1: "We install hotfixes if that specific problem is experienced in the environment".

Answer #1:  The truth is, you probably have the issue, and just haven’t gotten to it.  It requires a lot of time investment by using advanced tools such as Sysinternals/ETL tracing (WPRUI/WPR/Xperf), WinDbg (or DebugDiag)/Message Analyzer (or Wireshark or Netmon) and other logs.  Or you are understaffed and are not able to take the time to fix the issue.

A lot of companies just end-up rebooting the system or rebuilding the system(s).

Regarding item #2: "Security and Critical patches take precedence and, in the case of servers, are usually the only update classification we install."

Answer #2:  Probably the reason that your servers are not 'stable'.

Recommended hotfixes and updates for Windows Server 2012 R2-based failover clusters

https://support.microsoft.com/en-us/help/2920151/recommended-hotfixes-and-updates-for-windows-server-2012-r2-based-fail

Recommended hotfixes and updates for Windows Server 2012-based failover clusters

https://support.microsoft.com/en-us/help/2784261/recommended-hotfixes-and-updates-for-windows-server-2012-based-failove

Recommended hotfixes and updates for Windows Server 2008 R2 SP1 Failover Clusters

https://support.microsoft.com/en-us/help/2545685/recommended-hotfixes-and-updates-for-windows-server-2008-r2-sp1-failov

Recommended hotfixes for Windows Server 2008-based server clusters

https://support.microsoft.com/en-us/help/957311/recommended-hotfixes-for-windows-server-2008-based-server-clusters

List of currently available hotfixes for the File Services technologies in Windows Server 2012 and in Windows Server 2012 R2

https://support.microsoft.com/en-us/help/2899011/list-of-currently-available-hotfixes-for-the-file-services-technologie

List of Domain Controller Related Hotfixes Post RTM for Windows 8.1 and Windows Server 2012 R2 (Part 2)

https://social.technet.microsoft.com/wiki/contents/articles/26177.list-of-domain-controller-related-hotfixes-post-rtm-for-windows-8-1-and-windows-server-2012-r2-part-2.aspx

etc...

Regarding item #3: KBxxxxxx is entirely optional and doesn’t show up in the WSUS catalog

Answer #3:  Yes, and hopefully you were getting the RSS feeds regarding the newly released (non-security and security) hotfixes:

Most recent hotfixes RSS feed.

https://blogs.technet.microsoft.com/yongrhee/2013/06/27/most-recent-hotfixes-rss-feed/

For example, if there was a "Service Pack 3" for Windows 7 SP1 and Windows Server 2008 R2 SP1, would you have not installed it?

“Enterprise” Convenience Rollup Update II (2) for Windows 7 SP1 and Windows Server 2008 R2 SP1

https://blogs.technet.microsoft.com/yongrhee/2016/05/20/enterprise-convenience-rollup-update-ii-2-for-windows-7-sp1-and-windows-server-2008-r2-sp1/

All of that lead to:

Further simplifying servicing models for Windows 7 and Windows 8.1

https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

More on Windows 7 and Windows 8.1 servicing changes

https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/

Regarding item #4: But the KB article has the following statement:

"A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem."

Answer #4: It's a 'boiler' template.  A lot of times, the same binary has been updated multiple times.

Let me give you a real world example.  A Premier opened a case due to their server bugchecking (a.k.a. BSOD), they got a non-security update created for them.  The company was big enough and segmented enough, that their peers opened 11 more cases with the same bugcheck and the fix was the same.  So why wouldn't you have deployed it to all the server in the environment?

Q:  How do I roll these fixes out?

A:  Like you would have done in the past when you were doing a “Service Pack”.  Target the IT folks first.  Then try a few of your power users in each department in your company.  Never have your C-Level executives test, unless you want to spend time working on executive escalations.  And then continued with the phased deployment.

[Solution]

In Windows 10 and Windows Server 2016 and newer, that is why Windows As A Service (WaaS) is there.

You get all the "Security updates" and "Non-security update" via the cumulative rollup.

Overview of Windows as a service

https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview

Quick guide to Windows as a service

https://docs.microsoft.com/en-us/windows/deployment/update/waas-quick-start

Thanks,

Yong “Working from home in the Museum district in Los Angeles, CA.”

Other “Stop hurting yourself by” posts:

Stop hurting yourself by: Disabling IPv6, why do you really do it?

https://blogs.technet.microsoft.com/yongrhee/2018/02/28/stop-hurting-yourself-by-disabling-ipv6-why-do-you-really-do-it-2/

WMI: Stop hurting yourself by using “for /f %%s in (‘dir /s /b *.mof *.mfl’) do mofcomp %%s”

https://blogs.technet.microsoft.com/yongrhee/2016/06/23/wmi-stop-hurting-yourself-by-using-for-f-s-in-dir-s-b-mof-mfl-do-mofcomp-s/

Applies to:

Windows 10 1803 (tbd, codename RS4)

Windows 10 1709 (Fall Creators update, codename RS3)

Windows 10 1703 (Creators update, codename RS2)

Windows 10 1607 (Anniversary update, codename RS1) / Windows Server 2016 (codename RS1)

Windows 10 1511 (November update, codename TH2)

Windows 10 1507 (RTM, codename TH1)

Windows 8.1/Windows 2012 R2

Windows 8/Windows 2012

Windows 7 SP1/Windows 2008 R2 SP1

Windows Vista/Windows 2008

As a Premier Field Engineer (PFE), I get to go on-site and from time to time, I get to troubleshoot Windows and Windows Servers that are having reliability and performance problems.

Q: When should you update your driver(s) and firmware?

A:

• When a new piece of hardware you've installed doesn't work automatically

or

• When a hardware is generating an error, like a Device Manager error code

or

• if you're troubleshooting a problem with the device

or

• if a driver update enables new features you'd like to utilize.
  • Windows client: (e.g. video cards and sound cards.)
  • Windows Server: (e.g. NIC, Storage/HBA)

or

• maybe before/after upgrading to a new version of Windows.

or

• a security flaw in the driver(s)/firmware

The most common scenario is the following:

"We update the driver(s) and firmware when the image of Windows and/or Windows Server are built."

Q: How often do you guys update the driver(s) and firmware?

A: We never do once the machine is imaged.

Q: How long do you guys keep your hardware in production?

A: 3-6 years or longer.

Q: What if you are having a Bug Check (a.k.a. Stop Error, Blue Screen of Death (BSOD), and for you *nix IT admin's Kernel Panic), the easiest thing to do what?

1. Option 1: Update the driver(s)/firmware and/or
2. Option 2: Update the security products and/or
3. Option 3: Get a kernel memory dump and analyze it.

A: It's Option 1. Update the driver(s)/firmware.

If you want to get root cause, setup for a kernel and/or complete memory dump (or Active memory dump on Windows Server 2016):

Coming soon: How to generate a kernel or a complete memory dump file in Windows Server 2012 and Windows Server 2012 R2

https://blogs.technet.microsoft.com/yongrhee/2015/04/05/coming-soon-how-to-generate-a-kernel-or-a-complete-memory-dump-file-in-windows-server-2012-and-windows-server-2012-r2/

Scenario 1: An I.T. administrator was troubleshooting a Print Server related issue, where the Windows clients were having problems connecting to the \\PrintServer\PrinterShare.  The issue was with a 3rd party network .dll that hooked into the SMB (CIFS) components which was fixed via an update to their Virtualization drivers (equivalent to a Hyper-V Integration tools).

Scenario 2: An I.T. administrator had a Windows Server, for troubleshooting purposes he disabled the on-board NIC's. But when he went to re-enable the on-board NIC's, it wouldn't turn on. This specific Server hardware manufacturer had an issue with their firmware. The hardware manufacturer had to replace the motherboard. There was a firmware update that had been out for 6+ months that would have prevented this issue from occurring.

Scenario 3: A Windows Server was dropping network packets. The fix was to update the NIC driver where the problem would no longer occur.

Scenario 4: A Windows Server was dropping buffers (nonpaged pool kernel memory) when we were trying to collect a "Storport ETW trace" while using the "Windows Performance Recorder UI (WPRUI))" trace of their slow disk i/o on SAN attached volumes. We updated the SCSI controller and the buffer dropping went away.

Scenario 5:  An I.T. shop had replaced their Windows clients with all SSD drives. There was a caveat, it had shipped with an issue where if it had written/read x MB of data, it would 'brick' the SSD. The fix was in a firmware update.

Scenario 6: A SSD firmware update would let you go from 250 MB/sec reads to 500 MB/sec reads. Yes, just a firmware update on the SSD. Why wouldn't you take advantage of it?

Scenario 7: A Windows client was observing random erroneous behavior, once we updated the Storage Controller driver, the symptoms went away.

Etc…

Q: How often should we look for a driver(s)/firmware update?

A: At a minimum every (1) year (12 months).

Q: So how do we update the driver(s)/firmware on our environment?

A: There are many methods, please check with your hardware manufacturer.

Here are a few examples:

Friday Support: How to update your drivers and software

https://blogs.technet.microsoft.com/smallbusiness/2013/03/08/friday-support-how-to-update-your-drivers-and-software/

Updating Firmware for Disk Drives in Windows Server 2016 (TP4)

https://blogs.technet.microsoft.com/filecab/2016/01/25/updating-firmware-for-disk-drives-in-windows-server-2016-tp4/

Keeping Surface Firmware Updated with Configuration Manager

https://blogs.technet.microsoft.com/thejoncallahan/2016/06/20/keeping-surface-firmware-updated-with-configuration-manager/

Q: How do we roll it out?

A: In the same phased approach.

• First, test it on a Test/QA environment.
• Second, test it on the IT admin's (if they have the hardware)
• Third, test it 'non-mission critical' systems.
• Fourth, do a segment of the hardware at a time.

And by the way, for the folks that want a 'root cause', if it's a "Windows Client or Windows Server", and it's really 'mission critical', why wait until the problem 'reoccurs'.

• Usually the immediate task in hand is restoring service.
• The 2nd task is, a plan to collect data to determine why it happened and what can you do to prevent the issue from reoccurring in the future.

Thanks,

Yong (In Dallas, TX. for a couple of days)

P.S. Other “Stop hurting yourself by” posts:

Stop hurting yourself by: Not applying the non-security updates for Windows and Windows Server.

https://blogs.technet.microsoft.com/yongrhee/2018/03/12/stop-hurting-yourself-by-not-applying-the-non-security-updates-for-windows-and-windows-server/

Stop hurting yourself by: Disabling IPv6, why do you really do it?

https://blogs.technet.microsoft.com/yongrhee/2018/02/28/stop-hurting-yourself-by-disabling-ipv6-why-do-you-really-do-it-2/

WMI: Stop hurting yourself by using “for /f %%s in (‘dir /s /b *.mof *.mfl’) do mofcomp %%s”

https://blogs.technet.microsoft.com/yongrhee/2016/06/23/wmi-stop-hurting-yourself-by-using-for-f-s-in-dir-s-b-mof-mfl-do-mofcomp-s/

More information:

Windows 10 – Audio Troubleshooting Tips

https://blogs.technet.microsoft.com/mediaq/2015/07/30/windows-10-audio-troubleshooting-tips/

When deploying Windows 7 the Apply Driver Package task fails when the ADK is upgraded to the ADK 10 1607 or newer

https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2016/12/28/apply-driver-package-task-fails-when-the-adk-is-upgrade-to-adk-10-1607/

Surface Pro with LTE Advanced Drivers and Firmware (Initial Release)

https://blogs.technet.microsoft.com/surface/2017/12/02/surface-pro-with-lte-advanced-drivers-and-firmware-initial-release/

August Driver updates for Windows 10 help you get more from your Surface devices

https://blogs.technet.microsoft.com/surface/2015/08/24/august-driver-updates-for-windows-10-help-you-get-more-from-your-surface-devices/

November Firmware and Driver updates for your Surface devices

https://blogs.technet.microsoft.com/surface/2015/11/04/november-firmware-and-driver-updates-for-your-surface-devices/

June Firmware and Driver updates help you get more from your Surface devices

https://blogs.technet.microsoft.com/surface/2015/06/26/june-firmware-and-driver-updates-help-you-get-more-from-your-surface-devices/

Tip of the Day: Updating Surface Pro Firmware Offline

https://blogs.technet.microsoft.com/tip_of_the_day/2015/06/18/tip-of-the-day-updating-surface-pro-firmware-offline/

Firmware and Driver updates to get more from your Surface devices

https://blogs.technet.microsoft.com/surface/2015/01/16/firmware-and-driver-updates-to-get-more-from-your-surface-devices/

15048 Update a driver for hardware that isn't working properly

https://support.microsoft.com/?id=15048

15054 Automatically get recommended drivers and updates for your hardware

https://support.microsoft.com/?id=15054