Merge branch 'main' into pm-20230210-tier-tagging

Stephanie Savell 2023-02-10 13:03:27 -06:00 committed by GitHub
commit 0415f85a2e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 167 additions and 113 deletions


@ -1,7 +1,7 @@
---
title: Configure federation between Google Workspace and Azure AD
description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
ms.date: 01/17/2023
ms.date: 02/10/2023
ms.topic: how-to
---
@ -42,7 +42,7 @@ To test federation, the following prerequisites must be met:
1. On the *Service provider details* page
- Select the option **Signed response**
- Verify that the Name ID format is set to **PERSISTENT**
- Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping. For more information, see (article to write).\
- Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\
If using Google auto-provisioning, select **Basic Information > Primary email**
- Select **Continue**
1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes
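Review bot: dropping the "(article to write)" placeholder is right, but the sentence now tells the reader the **Name ID** mapping may need adjusting without saying how or where; either point at the *Attribute mapping* step that follows or track the missing article outside the published text so the guidance is not lost.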


@ -55,7 +55,7 @@
items:
- name: Frequently Asked Questions
href: mcc-isp-faq.yml
- name: Enhancing VM performance
- name: Enhancing cache performance
href: mcc-isp-vm-performance.md
- name: Support and troubleshooting
href: mcc-isp-support.md
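Review bot: the TOC entry is renamed to "Enhancing cache performance" but `href` still points at `mcc-isp-vm-performance.md`, so the file name no longer matches the title it carries; rename the file (with a redirect) or note the mismatch so it gets picked up later.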



@ -12,7 +12,7 @@ ms.technology: itpro-updates
# Appendix
## Steps to obtain an Azure Subscription ID
## Steps to obtain an Azure subscription ID
<!--Using include file, get-azure-subscription.md, do/mcc-isp.md for shared content-->
[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]
@ -23,12 +23,20 @@ If you're not able to sign up for a Microsoft Azure subscription with the **Acco
- [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription).
- [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up).
## Installing on VMWare
## Hardware specifications
We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMWare. To do so, there are a couple of additional configurations to be made:
Most customers choose to install their cache node on a Windows Server with a nested Hyper-V VM. If this isn't supported in your network, some customers have also opted to install their cache node using VMware. At this time, a Linux-only solution isn't available and Azure VMs don't support the standalone Microsoft Connected Cache.
### Installing on VMware
We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMware. To do so, there are a couple of additional configurations to be made:
1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**.
1. Using the HyperV Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**.
1. Using the Hyper-V Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**.
### Installing on Hyper-V
To learn more about how to configure Intel and AMD processors to support nested virtualization, see [Run Hyper-V in a Virtual Machine with Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization).
## Diagnostics Script
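Review bot: the VMware step still gives no context for **"Allow promiscuous mode"**, **"Allow forged transmits"** and **"Allow MAC changes"**; these let the guest receive frames addressed to other VMs and send frames with a source MAC other than its own, which the nested Hyper-V external switch needs but which also weakens isolation for every VM on that switch. Suggest saying they can be enabled on a dedicated port group for the cache node rather than on the whole vSwitch. The new `### Installing on Hyper-V` heading is followed only by the nested-virtualization link; a one-line lead-in would make the subsection self-contained.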
@ -65,17 +73,17 @@ communication operations. The runtime performs several functions:
For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge).
## Routing local Windows Clients to an MCC
## Routing local Windows clients to an MCC
### Get the IP address of your MCC using ifconfig
There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC.
#### Registry Key
#### Registry key
You can either set your MCC IP address or FQDN using:
1. Registry Key (version 1709 and later):
1. Registry key (version 1709 and later):
`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization`
</br>
"DOCacheHost"=" "
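Review bot: two context lines worth fixing while this section is being touched: `</br>` after the registry path is a closing tag with no opener and some renderers drop it, so use `<br />` or a blank line; and the `### Get the IP address of your MCC using ifconfig` heading names `ifconfig`, which is deprecated on current Linux distributions and may not be installed, so `ip addr` is the safer command to name.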
@ -86,7 +94,7 @@ You can either set your MCC IP address or FQDN using:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f
```
1. MDM Path (version 1809 and later):
1. MDM path (version 1809 and later):
`.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost`
@ -95,7 +103,7 @@ You can either set your MCC IP address or FQDN using:
:::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png":::
**Verify Content using the DO Client**
## Verify content using the DO client
To verify that the Delivery Optimization client can download content using MCC, you can use the following steps:


@ -31,18 +31,18 @@ To deploy MCC to your server:
For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
### Provide Microsoft with the Azure Subscription ID
### Provide Microsoft with the Azure subscription ID
As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft.
> [!IMPORTANT]
> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step.
For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id).
For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id).
### Create the MCC resource in Azure
The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes.
The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes.
Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below.
@ -221,7 +221,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
1. You'll be shown a list of existing IoT Hubs in your Azure Subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"**
1. You'll be shown a list of existing IoT Hubs in your Azure subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"**
:::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png":::
:::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png":::
@ -235,7 +235,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
## Verify proper functioning MCC server
#### Verify Client Side
#### Verify client side
Connect to the EFLOW VM and check if MCC is properly running:
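Review bot: the heading level jumps from `## Verify proper functioning MCC server` to `#### Verify client side`, skipping a level; use `###`. The parent heading also reads awkwardly; "Verify the MCC server is functioning properly" would fit the casing convention this change applies elsewhere.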
@ -305,21 +305,16 @@ sudo iotedge list
:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png":::
If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager using the command:
If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command:
```bash
sudo journalctl -u iotedge -f
```
For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start.
This command will provide the current status of the starting, stopping of a container, or the container pull and start.
:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png":::
Use this command to check the IoT Edge Journal
```bash
sudo journalctl -u iotedge -f
```
> [!NOTE]
> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation.
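Review bot: after this change `sudo journalctl -u iotedge -f` appears twice in a row with near-identical introductions ("This command will provide the current status..." and then "Use this command to check the IoT Edge Journal"); keep one block. Note also that the ISP-side verification article in this same commit uses `sudo iotedge system logs -- -f` for the same purpose: the `iotedge` unit name belongs to IoT Edge 1.1, while on 1.2 and later the daemon is `aziot-edged` and `iotedge system logs` is the supported way to view it, so `journalctl -u iotedge` returns no entries there.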


@ -24,13 +24,12 @@ ms.technology: itpro-updates
Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions.
2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
1. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
> [!NOTE]
> Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations.
**EFLOW Requires Hyper-V support**
**EFLOW requires Hyper-V support**
- On Windows client, enable the Hyper-V feature
- On Windows Server, install the Hyper-V role and create a default network switch
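Review bot: the NOTE context line still spells "VMWare" while the appendix hunk in this commit corrects it to "VMware"; fix it here as well.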
@ -44,6 +43,7 @@ ms.technology: itpro-updates
VM networking:
- An external virtual switch to support outbound and inbound network communication (created during the installation process)
1. **Content endpoints**: If you're using a proxy or firewall, certain endpoints must be allowed through in order for your MCC to cache and serve content. See [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md) for the list of required endpoints.
## Sizing recommendations


@ -10,7 +10,7 @@ ms.date: 12/31/2017
ms.technology: itpro-updates
---
# Create, Configure, provision, and deploy the cache node in Azure portal
# Create, configure, provision, and deploy the cache node in Azure portal
**Applies to**
@ -58,8 +58,8 @@ BGP (Border Gateway Protocol) routing is another method offered for client routi
1. Enter the max allowable egress that your hardware can support.
1. Under **Cache storage**, specify the location of the cache drives to store content along with the size of the cache drives in Gigabytes.
**Note:** Up to nine cache drives are supported.
1. Under **Cache storage**, specify the location of the cache drive folder to store content along with the size of the cache drives in Gigabytes.
**Note:** This is a **required** field. Up to nine cache drive folders are supported.
1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing).
@ -110,10 +110,10 @@ There are five IDs that the device provisioning script takes as input in order t
1. Copy and paste the script command line shown in the Azure portal.
1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md).
1. Run the script in your server terminal for your cache node. The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md).
> [!NOTE]
> The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script.
> The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to re-provision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script.
### General configuration fields
@ -127,12 +127,12 @@ There are five IDs that the device provisioning script takes as input in order t
### Storage fields
> [!IMPORTANT]
> All cache drives must have read/write permissions set or the cache node will not function.
> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive`
> All cache drives must have full read/write permissions set or the cache node will not function.
> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrivefolder`
| Field Name | Expected Value| Description |
|---|---|---|
| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. |
| **Cache drive folder** | File path string | Up to 9 drive folders accessible by the cache node can be configured for each cache node to configure cache storage. Enter the location of the folder in Ubuntu where the external physical drive is mounted. For example: `/dev/sda3/` Each cache drive should have read/write permissions configured. Ensure your disks are mounted and visit [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk) for more information.|
| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. |
### Client routing fields
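Review bot: the permissions guidance in the IMPORTANT block is the main thing to fix here: `sudo chmod 777 /path/to/cachedrivefolder` makes the cache folder world-writable, so any local account or compromised process on the host can alter content the node then serves to clients. The module only needs read/write for the account it runs as; recommend `chown` to that account and `chmod 770` (or `750` with group write), and say what "full read/write permissions" means in terms of owner and group. Second, the example `/dev/sda3/` in the **Cache drive folder** row is a block-device node, not a mount point; the field asks for the folder where the disk is mounted, so an example like `/mnt/cache1/` has the right shape, and "Ensure your disks are mounted" belongs before the example.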


@ -69,8 +69,6 @@ sections:
answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers.
- question: How does Microsoft Connected Cache populate its content?
answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD.
- question: What do I do if I need more support and have more questions even after reading this FAQ page?
answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md).
- question: What CDNs will Microsoft Connected Cache pull content from?
answer: |
Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time:
@ -82,3 +80,11 @@ sections:
$ whois 13.107.4.50|grep "Organization:"
Organization: Microsoft Corporation (MSFT)
- question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how will it affect my traffic?
answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic.
- question: I signed up for Microsoft Connected Cache, but I'm not receiving the verification email. What should I do?
answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender "microsoft-noreply@microsoft.com".
- question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned?
answer: Even when the quota of 8k messages is hit, the MCC functionality won't be affected. Your client devices will continue to download content as normal. You'll also not be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the private preview and isn't an issue during public preview.
- question: What do I do if I need more support and have more questions even after reading this FAQ page?
answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md).
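Review bot: the IoT Hub message-limit answer ends with "This is only a limitation of the private preview and isn't an issue during public preview", yet the question is framed as a current concern on a public-preview FAQ; state plainly whether the 8k/day quota still applies, and if it does, that a pending configuration or module update waits until the next day rather than being dropped. Minor: this answer writes the subject as "Here's your Microsoft Connected Cache verification code" while the sign-up article in this same commit has "Heres"; align them.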


@ -24,21 +24,37 @@ This article details the process of signing up for Microsoft Connected Cache for
## Prerequisites
Before you begin sign up, ensure you have the following components:
- **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You will need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, [visit this page](https://azure.microsoft.com/offers/ms-azr-0003p/).
- **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal.
- **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email.
- **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed Ubuntu 20.04 LTS.
1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You'll need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, go to the [Pay-As-You-Go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/).
1. **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal.
1. **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email.
1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 20.04 LTS.
1. **Configure cache drive**: Make sure that you have a data drive configured with full permissions on your server. You'll need to specify the location for this cache drive during the cache node configuration process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
## Resource creation and sign up process
1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**.
:::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace.":::
:::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace." lightbox="./images/mcc-isp-search.png":::
1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, enter a name for your cache resource.
1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, choose the subscription, resource group, and location of your cache node. Also, enter a name for your cache node.
:::image type="content" source="./images/mcc-isp-create-resource-fields.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource creation step." lightbox="./images/mcc-isp-create-resource-fields.png":::
> [!IMPORTANT]
> After your resource has been created, we need some information to verify your network operator status and approve you to host Microsoft Connected Cache nodes. Please ensure that your [Peering DB](https://www.peeringdb.com/) organization information is up to date as this information will be used for verification. The NOC contact email will be used to send verification information.
After a few moments, you'll see a "Validation successful" message, indicating you can move onto the next step and select **Create**.
:::image type="content" source="./images/mcc-isp-create-resource-validated.png" alt-text="Screenshot of the Azure portal that shows a green validation successful message for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-create-resource-validated.png":::
1. The creation of the cache node may take a few minutes. After a successful creation, you'll see a **Deployment complete** page as below. Select **Go to resource**.
:::image type="content" source="./images/mcc-isp-deployment-complete.png" alt-text="Screenshot of the Azure portal that shows a successful deployment for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-deployment-complete.png":::
1. Navigate to **Settings** > **Sign up**. Enter your organization ASN. Indicate whether you're a transit provider. If so, additionally, include any ASN(s) for downstream network operators that you may transit traffic for.
:::image type="content" source="./images/mcc-isp-sign-up.png" alt-text="Screenshot of the sign up page in the Microsoft Connected Cache resource page in Azure portal." lightbox="./images/mcc-isp-sign-up.png":::
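Review bot: item 4 still reads "the server is installed on Ubuntu 20.04 LTS", which inverts the relationship; "that Ubuntu 20.04 LTS is installed on the server" is what is meant. In the new item 5, "a data drive configured with full permissions" is vague in the same way as the `chmod 777` advice elsewhere in this commit; say which account needs read/write on the mount point.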
@ -50,6 +66,9 @@ Before you begin sign up, ensure you have the following components:
:::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png":::
> [!NOTE]
> **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Heres your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**.
1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node.
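Review bot: the NOTE context line has "Heres your Microsoft Connected Cache verification code" without the apostrophe; the FAQ added in this commit spells it "Here's", and since readers will search their spam folder by this subject line the two should match the real subject exactly.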
<!--## Traffic estimation
@ -57,37 +76,3 @@ Before you begin sign up, ensure you have the following components:
During the sign-up process, Microsoft will provide you with a traffic estimation based on your ASN(s). We make estimations based on our predictions on historical data about Microsoft content download volume. We'll use these estimations to recommend hardware or VM configurations. You can review these recommendations within the Azure portal.
We make these estimations based on the Microsoft content types that Microsoft Connected Cache serves. To learn more about the types of content that are supported, see [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md). -->
### Cache performance
To make sure you're maximizing the performance of your cache node, review the following information:
#### OS requirements
The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice.
#### NIC requirements
- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
#### Drive performance
The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance.
RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping.
### Hardware configuration example
There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps:
**Dell PowerEdge R330**
- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
- 4 - Transcend SSD230s 1 TB SATA Drives
- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
### Virtual machines
Microsoft Connected Cache supports both physical and virtual machines as cache servers. If you're using a virtual machine as your server, refer to [VM performance](mcc-isp-vm-performance.md) for tips on how to improve your VM performance.


@ -16,6 +16,28 @@ ms.technology: itpro-updates
This article details how to verify that your cache node(s) are functioning properly and serving traffic. This article also details how to monitor your cache nodes.
## Verify cache node installation is complete
Sign in to the Connected Cache server or use SSH. Run the following command from a terminal to see the running modules (containers):
```bash
sudo iotedge list
```
:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png":::
If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command:
```bash
sudo iotedge system logs -- -f
```
For example, this command provides the current status of the starting and stopping of a container, or the container pull and start:
:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png":::
You may need to wait up to 30 minutes for the cache node software to complete downloading and begin caching.
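Review bot: the image alt text "Terminal output of journalctl command for iotedge" and the file name `mcc-isp-edge-journalctl.png` describe a different command than the one shown (`sudo iotedge system logs -- -f`); update the alt text (and ideally the screenshot) to match. Also "For example, this command provides..." introduces a screenshot rather than an example; "The output shows..." reads better.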
## Verify functionality on Azure portal
Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the **Overview** page. Select the **Monitoring** tab to verify the functionality of your server(s) by validating the number of healthy nodes shown. If you see any **Unhealthy nodes**, select the **Diagnose and Solve** link to troubleshoot and resolve the issue.
@ -48,6 +70,14 @@ http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsup
If the test fails, for more information, see the [FAQ](mcc-isp-faq.yml) article.
## Verify BGP routing configuration
To verify your BGP routes are correctly configured for a cache node, navigate to **Settings > Cache nodes**. Select the cache node you wish to verify BGP routes for.
Verify that under **Routing Information**, the state of **BGP routes received** is True. Verify the IP space is correct. Lastly, select **Download JSON** next to **Download BGP Routes** to view the BGP routes that your cache node is currently advertising.
If **BGP routes received** is False, your **IP Space** is 0, or you're experiencing any BGP routing errors, ensure your **ASN** and **IP address** is entered correctly.
## Monitor cache node health and performance
Within Azure portal, there are many charts and graphs that are available to monitor cache node health and performance.
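Review bot: in the last BGP paragraph "ensure your **ASN** and **IP address** is entered correctly" needs "are"; and "Routing Information" here versus "Routing information" in the create/provision article should use one casing, since this commit is normalizing heading case.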


@ -1,5 +1,5 @@
---
title: Enhancing VM performance
title: Enhancing cache performance
manager: aaroncz
description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
ms.prod: windows-client
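Review bot: the title is now "Enhancing cache performance" but `description` still says "How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs"; update it, since the article now covers physical hardware as well.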
@ -10,11 +10,41 @@ ms.technology: itpro-updates
ms.date: 12/31/2017
---
# Enhancing virtual machine performance
# Enhancing cache performance
To make sure you're maximizing the performance of your cache node, review the following information:
#### OS requirements
The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice.
#### NIC requirements
- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
#### Drive performance
The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance.
RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping.
### Hardware configuration example
There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps:
**Dell PowerEdge R330**
- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
- 4 - Transcend SSD230s 1 TB SATA Drives
- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
## Enhancing virtual machine performance
In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change two settings.
## Virtual machine settings
### Virtual machine settings
Change the following settings to maximize the egress in virtual environments:
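Review bot: the heading hierarchy in the added content skips levels and is inconsistent: "#### OS requirements", "#### NIC requirements" and "#### Drive performance" sit directly under the H1, followed by "### Hardware configuration example" and then "## Enhancing virtual machine performance". Consider promoting the three H4s to H3 under a new H2 such as "## Hardware requirements" so each section has a parent, keeping "### Virtual machine settings" under "## Enhancing virtual machine performance" as the hunk already does. Two smaller points: "RAID disk configurations are discouraged ... If using RAID disk configurations, ensure striping" leaves the reader without a recommended layout (say whether the cache expects individual disks, and which RAID level "striping" means); and "2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core" overstates the count, since the E5-2630 v3 is an 8-core, 16-thread part, so two of them give 16 physical cores and 32 logical processors; "total 32 logical processors" would be accurate. `ms.date: 12/31/2017` in the context line above should also be refreshed given how much of the article changes here.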
@ -27,7 +57,3 @@ Change the following settings to maximize the egress in virtual environments:
Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment.
2. Enable high performance in the BIOS instead of energy savings. Microsoft has found this setting to also nearly double egress in a Microsoft Hyper-V deployment.
## Next steps
[Support and troubleshooting](mcc-isp-support.md)

View File

@ -1,13 +1,12 @@
---
title: Microsoft Connected Cache overview
manager: dougeby
manager: aaroncz
description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution.
ms.prod: windows-client
author: carmenf
ms.localizationpriority: medium
ms.author: carmenf
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.technology: itpro-updates
ms.date: 12/31/2017
---
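Review bot: `ms.date: 12/31/2017` is left untouched while the `manager` field is updated and the article body is rewritten in this commit; refresh the date in the same change. Removing `ms.custom: seo-marvel-apr2020` looks fine.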
@ -20,13 +19,21 @@ ms.date: 12/31/2017
- Windows 11
> [!IMPORTANT]
> Microsoft Connected Cache is currently a preview feature. To view our early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
> Microsoft Connected Cache is currently a preview feature. To view our Microsoft Connected Cache for ISPs early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. Microsoft Connected Cache has two main offerings: 1) Microsoft Connected Cache for Internet Service Providers and 2) Microsoft Connected Cache for Enterprise and Education (early preview). Both products are created and managed in the cloud portal.
## Microsoft Connected Cache for ISPs (preview)
Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
## Microsoft Connected Cache for Enterprise and Education (early preview)
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. Its built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS.
Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
## IoT Edge
Both of Microsoft Connected Cache product offerings use Azure IoT Edge. Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
1. Installs and updates MCC on your edge device.
1. Maintains Azure IoT Edge security standards on your edge device.
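Review bot: the deleted EFLOW paragraph ("MCC is a hybrid ... SaaS solution built as an Azure IoT Edge module ... EFLOW is a Linux virtual machine ... MCC will be a Linux IoT Edge module running on the Windows Host OS") was the only text explaining how a Linux container runs on the Windows servers that the new Enterprise and Education section says are supported; consider keeping it under "## Microsoft Connected Cache for Enterprise and Education (early preview)" rather than dropping it. Two style points in the added lines: "Both of Microsoft Connected Cache product offerings use Azure IoT Edge" should read "Both Microsoft Connected Cache product offerings use Azure IoT Edge", and the inline "1) ... and 2) ..." enumeration of the two offerings would be clearer as a bulleted list matching the two H2 headings that follow.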
@ -51,8 +58,6 @@ The following diagram displays and overview of how MCC functions:
:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png":::
## Next steps
- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md)
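Review bot: "## Next steps" now links only to the Enterprise and Education prerequisites, yet the overview above introduces two offerings; add a link to the ISP documentation (mcc-isp.md, already linked in the IMPORTANT note) so ISP readers also have a next step.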

View File

@ -27,13 +27,12 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which
## Azure AD Kerberos and cloud Kerberos trust authentication
*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.\
*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
*Cloud Kerberos trust* uses *Azure AD Kerberos*, which doesn't require a PKI to request TGTs.
Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\
With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers.
With *Azure AD Kerberos*, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers.
When *Azure AD Kerberos* is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object:
When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object:
- Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
- Is only used by Azure AD to generate TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object
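Review bot: capitalization is inconsistent across this hunk: "kerberos ticket-granting-tickets (TGTs)" should be "Kerberos ticket-granting tickets (TGTs)", and the object is called "Azure AD Kerberos server object" in one line and "Azure AD Kerberos Server object" two lines later; pick one form. Since the italics are being stripped from these lines anyway, this is the moment to normalize both.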
@ -44,7 +43,7 @@ For more information about how Azure AD Kerberos enables access to on-premises r
For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust).
> [!IMPORTANT]
> When implementing the *hybrid cloud Kerberos trust* deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
## Prerequisites
@ -72,9 +71,9 @@ The following scenarios aren't supported using Windows Hello for Business cloud
## Deployment steps
Deploying *Windows Hello for Business cloud Kerberos trust* consists of two steps:
Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
1. Set up *Azure AD Kerberos*
1. Set up Azure AD Kerberos
1. Configure a Windows Hello for Business policy and deploy it to the devices
### Deploy Azure AD Kerberos
@ -85,7 +84,7 @@ If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enabl
### Configure Windows Hello for Business policy
After setting up the *Azure AD Kerberos object*, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
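Review bot: "Windows Hello for business cloud Kerberos trust" carries the lowercase "business" over from the original line; the product name is "Windows Hello for Business" everywhere else in the article, so fix the capitalization while the line is being touched.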
@ -115,7 +114,7 @@ Windows Hello for Business settings are also available in the settings catalog.
### Configure cloud Kerberos trust policy
To configure the *cloud Kerberos trust* policy, follow the steps below:
To configure the cloud Kerberos trust policy, follow the steps below:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
@ -155,7 +154,7 @@ You can also create a Group Policy Central Store and copy them their respective
#### Create the Windows Hello for Business group policy object
You can configure Windows devices to enable *Windows Hello for Business cloud Kerberos trust* using a Group Policy Object (GPO).
You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO).
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory
1. Edit the Group Policy object from Step 1
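Review bot: the context line in the hunk header, "You can also create a Group Policy Central Store and copy them their respective", is missing "to" ("copy them to their respective ..."); it is a pre-existing typo immediately above this hunk and worth fixing in the same change.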
@ -167,7 +166,7 @@ You can configure Windows devices to enable *Windows Hello for Business cloud Ke
---
> [!IMPORTANT]
> If the *Use certificate for on-premises authentication* policy is enabled, *certificate trust* will take precedence over *cloud Kerberos trust*. Ensure that the machines that you want to enable *cloud Kerberos trust* have this policy *not configured* or *disabled*.
> If the *Use certificate for on-premises authentication* policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*.
## Provision Windows Hello for Business
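Review bot: "Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*" is missing a preposition; "the machines on which you want to enable cloud Kerberos trust" reads cleanly and keeps the precedence statement about *Use certificate for on-premises authentication* unchanged.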
@ -195,11 +194,11 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell
### Sign-in
Once a user has set up a PIN with *cloud Kerberos trust*, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
## Migrate from key trust deployment model to cloud Kerberos trust
If you deployed Windows Hello for Business using the *key trust model*, and want to migrate to the *cloud Kerberos trust model*, follow these steps:
If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos)
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
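Review bot: "On a Hybrid Azure AD joined device" capitalizes "Hybrid" while the NOTE further down in the same file writes "hybrid Azure AD joined devices"; use the lowercase form consistently.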
@ -208,14 +207,14 @@ If you deployed Windows Hello for Business using the *key trust model*, and want
> [!NOTE]
> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
>
> Without line of sight to a DC, even when the client is configured to use *cloud Kerberos trust*, the system will fall back to *key trust* if *cloud Kerberos trust* login fails.
> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails.
## Migrate from certificate trust deployment model to cloud Kerberos trust
> [!IMPORTANT]
> There is no *direct* migration path from *certificate trust* deployment to *cloud Kerberos trust* deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust.
> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust.
If you deployed Windows Hello for Business using the *certificate trust model*, and want to use the *cloud Kerberos trust model*, you must redeploy Windows Hello for Business by following these steps:
If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
1. Disable the certificate trust policy
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)

View File

@ -36,7 +36,7 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
> [!NOTE]
> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users:
> To manage Bitlocker via CSP (Configuration Service Provider), except to enable and disable it, regardless of your management platform, one of the following licenses must be assigned to your users:
> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5).
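Review bot: the rewritten licensing note is hard to parse and spells the product "Bitlocker" while the paragraph above uses "BitLocker". Suggest: "> To manage BitLocker through the BitLocker CSP (Configuration Service Provider), beyond enabling and disabling it, one of the following licenses must be assigned to your users, regardless of the management platform:".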

View File

@ -35,13 +35,13 @@ Some TPM PCRs are used as checksums of log events. The log events are extended i
To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the same system configuration. Otherwise, the PCR values will not match.
It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values will not match.
## What happens when PCR banks are switched?
When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldnt match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldnt match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
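Review bot: the reworded sentence is still logically garbled: "a key can be bound to a specific value of the SHA-1 PCR\[12\], if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values will not match." The intended meaning, which the next section confirms, is that a key sealed to the SHA-1 value of PCR[12] will not unseal while the SHA-256 bank is in use, even on an unchanged system. Suggest: "For instance, a key sealed to the SHA-1 value of PCR\[12\] won't unseal if the TPM is using the SHA-256 PCR bank, even with the same system configuration, because the PCR values won't match." Two smaller points in the same hunk: "Each hash algorithm will return a different cryptographic signature for the same inputs" should say "digest" (a hash is not a signature), and "wouldnt" is missing its apostrophe in both the old and the new line.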
## What can I do to switch PCRs when BitLocker is already active?
@ -49,7 +49,7 @@ Before switching PCR banks you should suspend or disable BitLocker or have y
## How can I identify which PCR bank is being used?
A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.
A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.
- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices<br>
- DWORD: TPMActivePCRBanks<br>
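Review bot: the two registry lines end with trailing `<br>` tags inside a Markdown list; list items already break, and the tags render as raw HTML in some pipelines, so drop them. The "chose" to "choose" fix is correct.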