deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 12:53:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'release-win11-2309' of https://github.com/MicrosoftDocs/windows-docs-pr into cz-7595273-deployhub

Browse Source
This commit is contained in:
Aaron Czechowski
2023-09-26 08:54:53 -07:00
parent 1bd09ea873 254c57c340
commit 0b15eda46a
1585 changed files with 35013 additions and 35238 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
windows/deployment/TOC.yml
View File

@ -19,8 +19,6 @@
href: update/waas-servicing-strategy-windows-10-updates.md
- name: Deployment proof of concept
items:
- name: Demonstrate Autopilot deployment on a VM
href: windows-autopilot/demonstrate-deployment-on-vm.md
- name: Deploy Windows 10 with MDT and Configuration Manager
items:
- name: 'Step by step guide: Configure a test lab to deploy Windows 10'
@ -103,7 +101,9 @@
- name: Deploy Windows client
items:
- name: Deploy Windows client with Autopilot
href: windows-autopilot/index.yml
href: /autopilot/
- name: Windows deployment scenarios and tools
href: windows-deployment-scenarios-and-tools.md
- name: Deploy Windows client with Configuration Manager
items:
- name: Deploy to a new device
@ -138,10 +138,6 @@
items:
- name: Assign devices to servicing channels
href: update/waas-servicing-channels-windows-10-updates.md
- name: Deploy updates with Configuration Manager
href: update/deploy-updates-configmgr.md
- name: Deploy updates with Intune
href: update/deploy-updates-intune.md
- name: Deploy updates with WSUS
href: update/waas-manage-updates-wsus.md
- name: Deploy updates with Group Policy
@ -172,8 +168,6 @@
href: update/waas-integrate-wufb.md
- name: 'Walkthrough: use Group Policy to configure Windows Update for Business'
href: update/waas-wufb-group-policy.md
- name: 'Walkupdatesthrough: use Intune to configure Windows Update for Business'
href: update/deploy-updates-intune.md
- name: Windows Update for Business deployment service
items:
- name: Windows Update for Business deployment service overview
@ -597,3 +591,5 @@
- name: Install fonts in Windows client
href: windows-10-missing-fonts.md
- name: Customize Windows PE boot images
href: customize-boot-image.md

89
windows/deployment/add-store-apps-to-image.md
View File

@ -1,89 +0,0 @@
---
title: Add Microsoft Store for Business applications to a Windows 10 image
description: This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image.
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: article
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Add Microsoft Store for Business applications to a Windows 10 image
*Applies to:*
- Windows 10
This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. Adding Microsoft Store for Business applications to a Windows 10 image will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps.
> [!IMPORTANT]
> In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
## Prerequisites
- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
- Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app).
- A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md).
> [!NOTE]
> If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)**.
## Adding a Store application to your image
On a machine where your image file is accessible:
1. Open Windows PowerShell with administrator privileges.
2. Mount the image. At the Windows PowerShell prompt, enter:
`Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test`
3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, enter:
`Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml`
> [!NOTE]
> Paths and file names are examples. Use your paths and file names where appropriate.
>
> Do not dismount the image, as you will return to it later.
## Editing the Start Layout
In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
On a test machine:
1. **Install the Microsoft Store for Business application you previously added** to your image.
2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**.
3. Open Windows PowerShell with administrator privileges.
4. Use `Export-StartLayout -path <path><file name>.xml` where *\<path>\<file name>* is the path and name of the xml file your will later import into your Windows Image.
5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image.
Now, on the machine where your image file is accessible:
1. Import the Start layout. At the Windows PowerShell prompt, enter:
`Import-StartLayout -LayoutPath "<path><file name>.xml" -MountPath "C:\test\"`
2. Save changes and dismount the image. At the Windows PowerShell prompt, enter:
`Dismount-WindowsImage -Path c:\test -Save`
> [!NOTE]
> Paths and file names are examples. Use your paths and file names where appropriate.
>
> For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization)
## Related articles
- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
- [Export-StartLayout](/powershell/module/startlayout/export-startlayout)
- [Import-StartLayout](/powershell/module/startlayout/import-startlayout)
- [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)
- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md)

1285
windows/deployment/customize-boot-image.md Normal file
View File

File diff suppressed because it is too large Load Diff

34
windows/deployment/deploy.md
View File

@ -1,34 +0,0 @@
---
title: Deploy Windows 10 (Windows 10)
description: Learn about Windows 10 upgrade options for planning, testing, and managing your production deployment.
manager: aaroncz
author: frankroj
ms.author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: article
ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Deploy Windows 10
Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and articles are available.
|Article |Description |
|------|------------|
|[Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) |This article provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This article provides information about support for upgrading directly to Windows 10 from a previous operating system. |
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This article provides information about support for upgrading from one edition of Windows 10 to another. |
|[Windows 10 volume license media](windows-10-media.md) |This article provides information about updates to volume licensing media in the current version of Windows 10. |
|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After you complete this guide, more guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to help Windows 10 deployment planning. |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Configuration Manager in your environment, you'll most likely want to use it to deploy Windows 10. This article will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). |
|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install more fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
## Related articles
[Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home)

2
windows/deployment/do/TOC.yml
View File

@ -13,6 +13,8 @@
items:
- name: Set up Delivery Optimization for Windows
href: waas-delivery-optimization-setup.md
- name: Monitor Delivery Optimization for Windows
href: waas-delivery-optimization-monitor.md
- name: Configure Delivery Optimization settings using Microsoft Intune
href: /mem/intune/configuration/delivery-optimization-windows
- name: Resources for Delivery Optimization

2
windows/deployment/do/delivery-optimization-endpoints.md
View File

@ -28,7 +28,7 @@ Use the table below to reference any particular content types or services endpoi
|Domain Name |Protocol/Port(s) | Content Type | Additional Information | Microsoft Connected Cache Version |
|---------|---------|---------------|-------------------|-----------------|
| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com | HTTP / 80 | Windows Update </br> Windows Defender </br> Windows Drivers | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Both |
| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com | HTTP / 80 | Windows Update </br> Windows Defender </br> Windows Drivers </br> Windows Store | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Both |
| *.delivery.mp.microsoft.com | HTTP / 80 | Edge Browser | [Complete list](/deployedge/microsoft-edge-security-endpoints) of endpoints for Edge Browser. | Both |
| *.officecdn.microsoft.com.edgesuite.net, *.officecdn.microsoft.com, *.cdn.office.net | HTTP / 80 | Office CDN updates | [Complete list](/office365/enterprise/office-365-endpoints) of endpoints for Office CDN updates. | Both |
| *.manage.microsoft.com, *.swda01.manage.microsoft.com, *.swda02.manage.microsoft.com, *.swdb01.manage.microsoft.com, *.swdb02.manage.microsoft.com, *.swdc01.manage.microsoft.com, *.swdc02.manage.microsoft.com, *.swdd01.manage.microsoft.com, *.swdd02.manage.microsoft.com, *.swda01-mscdn.manage.microsoft.com, *.swda02-mscdn.manage.microsoft.com, *.swdb01-mscdn.manage.microsoft.com, *.swdb02-mscdn.manage.microsoft.com, *.swdc01-mscdn.manage.microsoft.com, *.swdc02-mscdn.manage.microsoft.com, *.swdd01-mscdn.manage.microsoft.com, *.swdd02-mscdn.manage.microsoft.com | HTTP / 80 </br> HTTPs / 443 | Intune Win32 Apps | [Complete list](/mem/intune/fundamentals/intune-endpoints) of endpoints for Intune Win32 Apps updates. | Both |

1
windows/deployment/do/delivery-optimization-proxy.md
View File

@ -10,6 +10,7 @@ ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.collection: tier3
ms.reviewer: mstewart
---
# Using a proxy with Delivery Optimization

3
windows/deployment/do/delivery-optimization-workflow.md
View File

@ -10,6 +10,7 @@ ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.collection: tier3
ms.reviewer: mstewart
---
# Delivery Optimization client-service communication explained
@ -35,7 +36,7 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r
|Endpoint hostname | Port|Name|Description|Data sent from the computer to the endpoint
|--------------------------------------------|--------|---------------|-----------------------|------------------------|
| geover-prod.do.dsp.mp.microsoft.com <br> geo-prod.do.dsp.mp.microsoft.com <br> geo.prod.do.dsp.mp.microsoft.com <br> geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox) <br> **doClientVersion**: The version of the DoSvc client <br> **groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) |
| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services and device configs. | **countryCode**: The country the client is connected from <br> **doClientVersion**: The version of the DoSvc client <br> **Profile**: The device type (for example, PC or Xbox) <br> **eId**: Client grouping ID <br> **CacheHost**: Cache host ID |
| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services and device configs. | **countryCode**: The country or region the client is connected from <br> **doClientVersion**: The version of the DoSvc client <br> **Profile**: The device type (for example, PC or Xbox) <br> **eId**: Client grouping ID <br> **CacheHost**: Cache host ID |
| cp\*.prod.do.dsp.mp.microsoft.com <br> | 443 | Content Policy | Provides content specific policies and as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **countryCode**: The country the client is connected from <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **eID**: Client grouping ID <br> **CacheHost**: Cache host ID |
| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupID and external IP. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentID**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **partitionID**: Client partitioning hint <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **eID**: Client grouping ID |
| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentID**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **PeerID**: Identity of the device running DO client <br> **ReportedIp**: The internal / private IP Address <br> **IsBackground**: Is the download interactive or background <br> **Uploaded**: Total bytes uploaded to peers <br> **Downloaded**: Total bytes downloaded from peers <br> **DownloadedCdn**: Total bytes downloaded from CDN <br> **Left**: Bytes left to download <br> **Peers Wanted**: Total number of peers wanted <br> **Group ID**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies) <br> **Scope**: The Download mode <br> **UploadedBPS**: The upload speed in bytes per second <br> **DownloadBPS**: The download speed in Bytes per second <br> **eID**: Client grouping ID |

BIN
windows/deployment/do/images/ent-mcc-deployment-complete.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

BIN
windows/deployment/do/images/ent-mcc-portal-create.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 144 KiB

BIN
windows/deployment/do/images/ent-mcc-portal-resource.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 96 KiB

BIN
windows/deployment/do/images/ent-mcc-provisioning.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 99 KiB

5
windows/deployment/do/includes/get-azure-subscription.md
View File

@ -1,6 +1,7 @@
---
author: amymzhou
ms.author: amyzhou
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
manager: aaroncz
ms.date: 10/18/2022
ms.prod: windows-client

5
windows/deployment/do/includes/mcc-prerequisites.md
View File

@ -1,6 +1,7 @@
---
author: amyzhou
ms.author: amyzhou
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
manager: aaroncz
ms.prod: windows-client
ms.technology: itpro-deploy

8
windows/deployment/do/index.yml
View File

@ -14,7 +14,7 @@ metadata:
- tier3
author: aczechowski
ms.author: aaroncz
manager: dougeby
manager: aaroncz
ms.date: 03/07/2022 #Required; mm/dd/yyyy format.
localization_priority: medium
@ -41,10 +41,10 @@ landingContent:
linkLists:
- linkListType: how-to-guide
links:
- text: Delivery Optimization settings
- text: Delivery Optimization recommended settings
url: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings
- text: Windows PowerShell for Delivery Optimization
url: waas-delivery-optimization-setup.md#windows-powershell-cmdlets
- text: Monitor Delivery Optimization for Windows
url: waas-delivery-optimization-monitor.md
- text: Troubleshoot Delivery Optimization
url: waas-delivery-optimization-setup.md#troubleshooting
- text: Delivery Optimization Frequently Asked Questions

9
windows/deployment/do/mcc-ent-edu-overview.md
View File

@ -3,12 +3,13 @@ title: MCC for Enterprise and Education Overview
manager: aaroncz
description: Overview of Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: windows-client
author: amymzhou
ms.author: amyzhou
ms.author: carmenf
author: cmknox
ms.topic: article
ms.date: 05/09/2023
ms.technology: itpro-updates
ms.collection: tier3
ms.reviewer: mstewart
---
# Microsoft Connected Cache for Enterprise and Education Overview
@ -37,9 +38,9 @@ Connected Cache (early preview) supports the following scenarios:
When clients download cloud-managed content, they use Delivery Optimization from the cache server installed on a Windows server or VM. Cloud-managed content includes the following types:
- Windows Update for Business: Windows feature and quality updates
- Windows updates: Windows feature and quality updates
- Office Click-to-Run apps: Microsoft 365 Apps and updates
- Client apps: Microsoft Store apps and updates
- Client apps: Intune, store apps, and updates
- Endpoint protection: Windows Defender definition updates
For the full list of content endpoints that Microsoft Connected Cache for Enterprise and Education supports, see [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md).

11
windows/deployment/do/mcc-enterprise-appendix.md
View File

@ -3,12 +3,15 @@ title: Appendix
manager: aaroncz
description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: windows-client
author: amymzhou
ms.author: amyzhou
ms.topic: article
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
ms.topic: how-to
ms.date: 12/31/2017
ms.technology: itpro-updates
ms.collection: tier3
ms.collection:
- tier3
- must-keep
---
# Appendix

7
windows/deployment/do/mcc-enterprise-deploy.md
View File

@ -1,10 +1,11 @@
---
title: Deploying your cache node
manager: aaroncz
description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node
description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node
ms.prod: windows-client
author: amymzhou
ms.author: amyzhou
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates

5
windows/deployment/do/mcc-enterprise-prerequisites.md
View File

@ -3,8 +3,9 @@ title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Educa
manager: aaroncz
description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: windows-client
author: amymzhou
ms.author: amyzhou
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates

12
windows/deployment/do/mcc-enterprise-update-uninstall.md
View File

@ -3,13 +3,17 @@ title: Update or uninstall Microsoft Connected Cache for Enterprise and Educatio
manager: aaroncz
description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: windows-client
author: amymzhou
ms.author: amyzhou
ms.topic: article
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
ms.topic: how-to
ms.date: 12/31/2017
ms.technology: itpro-updates
ms.collection: tier3
ms.collection:
- tier3
- must-keep
---
# Update or uninstall Microsoft Connected Cache for Enterprise and Education
Throughout the preview phase, we'll send you security and feature updates for MCC. Follow these steps to perform the update.

15
windows/deployment/do/mcc-isp-cache-node-configuration.md
View File

@ -1,19 +1,22 @@
---
title: Cache node configuration
manager: aaroncz
description: Configuring a cache node on Azure portal
description: Configuring a cache node on Azure portal.
ms.prod: windows-client
author: amyzhou
ms.author: amyzhou
ms.topic: article
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
ms.topic: reference
ms.date: 12/31/2017
ms.technology: itpro-updates
ms.collection: tier3
ms.collection:
- tier3
- must-keep
---
# Cache node configuration
All cache node configuration will take place within Azure portal. This article outlines all of the settings that you'll be able to configure.
All cache node configuration takes place within Azure portal. This article outlines all of the settings that you're able to configure.
## Settings

3
windows/deployment/do/mcc-isp-create-provision-deploy.md
View File

@ -9,6 +9,7 @@ ms.topic: article
ms.date: 05/09/2023
ms.technology: itpro-updates
ms.collection: tier3
ms.reviewer: mstewart
---
# Create, configure, provision, and deploy the cache node in Azure portal
@ -82,7 +83,7 @@ To set up and enable BGP routing for your cache node, follow the steps below:
1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing).
- If you choose **Manual routing**, enter your address range/CIDR blocks.
- If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship.
- If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship. Use your ASN, the one used to sign up for MCC. MCC will be automatically assigned as the same ASN as the neighbor.
> [!NOTE]
> **Prefix count** and **IP Space** will stop displaying `0` when BGP is successfully established.

11
windows/deployment/do/mcc-isp-faq.yml
View File

@ -2,8 +2,9 @@
metadata:
title: Microsoft Connected Cache Frequently Asked Questions
description: The following article is a list of frequently asked questions for Microsoft Connected Cache.
author: amymzhou
ms.author: amymzhou
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
manager: aaroncz
ms.collection:
- highpri
@ -54,8 +55,8 @@ sections:
answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Cache(s), you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes.
- question: Should I add any load balancing mechanism?
answer: You don't need to add any load balancing. Our service will take care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node.
- question: How many Microsoft Connected Cache instances will I need? How do we set up if we support multiple countries?
answer: As stated in the table above, the recommended configuration will achieve near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that will help you estimate the number of cache nodes needed. If your ISP spans multiple countries, you can set up separate cache nodes per country.
- question: How many Microsoft Connected Cache instances will I need? How do we set up if we support multiple countries or regions?
answer: As stated in the table above, the recommended configuration will achieve near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that will help you estimate the number of cache nodes needed. If your ISP spans multiple countries or regions, you can set up separate cache nodes per country or region.
- question: Where should we install Microsoft Connected Cache?
answer: You are in control of your hardware and you can pick the location based on your traffic and end customers. You can choose the location where you have your routers or where you have dense traffic or any other parameters.
- question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache?
@ -67,7 +68,7 @@ sections:
- question: Is IPv6 supported?
answer: No, we don't currently support IPV6. We plan to support it in the future.
- question: Is Microsoft Connected Cache stable and reliable?
answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers.
answer: We have already successfully onboarded ISPs in many countries and regions around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers.
- question: How does Microsoft Connected Cache populate its content?
answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD.
- question: What CDNs will Microsoft Connected Cache pull content from?

46
windows/deployment/do/mcc-isp-overview.md
View File

@ -3,10 +3,11 @@ title: MCC for ISPs Overview
manager: aaroncz
description: Overview for Microsoft Connected Cache for ISPs
ms.prod: windows-client
author: amymzhou
ms.author: amyzhou
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
ms.topic: article
ms.date: 05/09/2023
ms.date: 07/27/2023
ms.technology: itpro-updates
ms.collection: tier3
---
@ -18,7 +19,7 @@ ms.collection: tier3
- Windows 10
- Windows 11
Microsoft Connected Cache (MCC) for Internet Service Providers (preview) is a software-only caching solution that delivers Microsoft content. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
Microsoft Connected Cache (MCC) for Internet Service Providers (preview) is a free software-only caching solution that delivers Microsoft content. MCC can be deployed free of charge to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
## Supported scenarios
@ -31,10 +32,43 @@ Microsoft Connected Cache (preview) supports the following scenarios:
Microsoft Connected Cache uses Delivery Optimization as the backbone for Microsoft content delivery. Microsoft Connected Cache caches the following types:
- Windows Update for Business: Windows feature and quality updates
- Windows updates: Windows feature and quality updates
- Office Click-to-Run apps: Microsoft 365 Apps and updates
- Client apps: Microsoft Store apps and updates
- Client apps: Intune, store apps, and updates
- Endpoint protection: Windows Defender definition updates
- Xbox: Xbox Game Pass (PC only)
Do you peer with [Microsoft (ASN 8075)](/azure/internet-peering/)? Microsoft Connected Cache complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, and Edgecast. Microsoft Peering mainly caches dynamic content - by onboarding to Microsoft Connected Cache, you'll cache static content that otherwise would be served from the CDN.
For the full list of content endpoints that Microsoft Connected Cache for ISPs supports, see [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md).
## How MCC works
:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png":::
The following steps describe how MCC is provisioned and used:
1. The Azure portal is used to create and manage MCC nodes.
1. A shell script is used to provision the server and deploy the MCC application.
1. A combination of the Azure portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server.
- The publicly accessible IPv4 address of the server is configured on the portal.
- **Manual Routing:** Providing the CIDR blocks that represent the client IP address space, which should be routed to the MCC node.
- **BGP Routing:** A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the MCC node.
> [!NOTE]
> Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error.
1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node.
1. Microsoft clients make the range requests for content from the MCC node.
1. An MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
1. Subsequent requests from end-user devices for content will be served from cache.
1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.

4
windows/deployment/do/mcc-isp-signup.md
View File

@ -9,6 +9,7 @@ ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates
ms.collection: tier3
ms.reviewer: mstewart
---
# Operator sign up and service onboarding for Microsoft Connected Cache
@ -29,6 +30,9 @@ Before you begin sign up, ensure you have the following components:
1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You'll need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, go to the [Pay-As-You-Go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/).
> [!NOTE]
> Microsoft Connected Cache is a completely free service for operators. None of the resources created in Azure will incur any charges. However, be aware that any additional services that might be selected as part of the Azure sign-up process might incur charges.
1. **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal.
1. **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email.

1
windows/deployment/do/mcc-isp-support.md
View File

@ -9,6 +9,7 @@ ms.topic: reference
ms.date: 12/31/2017
ms.technology: itpro-updates
ms.collection: tier3
ms.reviewer: mstewart
---
# Support and troubleshooting

11
windows/deployment/do/mcc-isp-update.md
View File

@ -3,12 +3,15 @@ title: Update or uninstall your cache node
manager: aaroncz
description: How to update or uninstall your cache node
ms.prod: windows-client
author: amyzhou
ms.author: amyzhou
ms.topic: article
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
ms.topic: how-to
ms.date: 12/31/2017
ms.technology: itpro-updates
ms.collection: tier3
ms.collection:
- tier3
- must-keep
---
# Update or uninstall your cache node

5
windows/deployment/do/mcc-isp-verify-cache-node.md
View File

@ -3,8 +3,9 @@ title: Verify cache node functionality and monitor health and performance
manager: aaroncz
description: How to verify the functionality of a cache node
ms.prod: windows-client
author: amyzhou
ms.author: amyzhou
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
ms.topic: article
ms.date: 12/31/2017
ms.technology: itpro-updates

5
windows/deployment/do/mcc-isp-vm-performance.md
View File

@ -3,8 +3,9 @@ title: Enhancing cache performance
manager: aaroncz
description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
ms.prod: windows-client
author: amyzhou
ms.author: amyzhou
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
ms.topic: reference
ms.technology: itpro-updates
ms.date: 12/31/2017

6
windows/deployment/do/mcc-isp.md
View File

@ -4,9 +4,9 @@ description: Details on Microsoft Connected Cache (MCC) for Internet Service Pro
ms.prod: windows-client
ms.technology: itpro-updates
ms.localizationpriority: medium
author: amymzhou
ms.author: amyzhou
ms.reviewer: carmenf
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
manager: aaroncz
ms.topic: how-to
ms.date: 05/20/2022

10
windows/deployment/do/waas-delivery-optimization-faq.yml
View File

@ -12,7 +12,7 @@ metadata:
- highpri
- tier3
ms.topic: faq
ms.date: 07/11/2023
ms.date: 07/31/2023
title: Delivery Optimization Frequently Asked Questions
summary: |
**Applies to**
@ -59,9 +59,13 @@ sections:
- question: My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization?
answer: |
Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and Microsoft's Connected Cache (MCC) servers, which are hosted within Internet Service Provider (ISP) networks.
Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) (MCC) servers, which are hosted within Internet Service Provider (ISP) networks.
The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible.
- question: Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected?
answer: |
When Delivery Optimization downloads from a [Microsoft Connected Cache](waas-microsoft-connected-cache.md) server that is hosted by your Internet Service Provider, the download will be pulled directly from the IP Address of that server. If the Microsoft Connected cache isn't available, the download will fall back seamlessly to the CDN instead. Delivery Optimization Peers are used in parallel if available.
- question: Does Delivery Optimization use multicast?
answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
@ -131,7 +135,7 @@ sections:
- question: Delivery Optimization is using device resources and I can't tell why?
answer: |
Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Oftentimes customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download.
Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download.
- question: What Delivery Optimization settings are available?
answer: |

71
windows/deployment/do/includes/waas-delivery-optimization-monitor.md → windows/deployment/do/waas-delivery-optimization-monitor.md
View File

@ -1,22 +1,36 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
title: Monitor Delivery Optimization
description: How to monitor Delivery Optimization
ms.collection:
- tier3
ms.prod: windows-client
ms.technology: itpro-deploy
ms.topic: include
ms.date: 04/06/2022
ms.technology: itpro-updates
ms.topic: reference
ms.date: 08/13/2023
ms.localizationpriority: medium
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
---
<!--This file is shared by do/waas-delivery-optimization-setup.md and the update/update-compliance-get-started.md articles -->
## Monitor Delivery Optimization
# Monitor Delivery Optimization
### Windows PowerShell cmdlets
To monitor Delivery Optimization, you can use either the Windows Update for Business Delivery Optimization Report or Windows PowerShell cmdlets.
## Monitor with Windows Update for Business Delivery Optimization Report
Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days.
:::image type="content" source="../update/media/wufb-do-overview.png" alt-text="This screenshot shows the Windows Update for Business report, Delivery Optimization status in Update Compliance." lightbox= "../update/media/wufb-do-overview.png":::
For details, see [Windows Update for Business Delivery Optimization Report](/windows/deployment/update/wufb-reports-overview).
## Windows PowerShell cmdlets
**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization.
#### Analyze usage
### Analyze usage
`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs.
@ -27,13 +41,13 @@ ms.localizationpriority: medium
| FileSizeInCache | Size of the file in the cache |
| TotalBytesDownloaded | The number of bytes from any source downloaded so far |
| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP |
| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
| BytesfromHTTP | Total number of bytes received over HTTP. This metric represents all HTTP sources, which includes BytesFromCacheServer |
| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but isn't uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
| Priority | Priority of the download; values are **foreground** or **background** |
| BytesFromCacheServer | Total number of bytes received from cache server (MCC) |
| BytesFromLanPeers | Total number of bytes received from peers found on the LAN |
| BytesFromGroupPeers | Total number of bytes received from peers found in the group. (Note: Group mode is LAN + Group. If peers are found on the LAN, those bytes will be registered in 'BytesFromLANPeers'.) |
| BytesFromGroupPeers | Total number of bytes received from peers found in the group. (Note: Group mode is LAN + Group. If peers are found on the LAN, those bytes are registered in 'BytesFromLANPeers'.) |
| BytesFromInternetPeers | Total number of bytes received from internet peers |
| BytesToLanPeers | Total number of bytes delivered from peers found on the LAN |
| BytesToGroupPeers | Total number of bytes delivered from peers found in the group |
@ -112,7 +126,7 @@ Using the `-Verbose` option returns additional information:
Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to data from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
#### Manage the Delivery Optimization cache
### Manage the Delivery Optimization cache
**Starting in Windows 10, version 1903:**
@ -132,7 +146,7 @@ You can now "pin" files to keep them persistent in the cache, only with files th
- `-IncludePinnedFiles` deletes all files that are pinned.
- `-Force` deletes the cache with no prompts.
#### Work with Delivery Optimization logs
### Work with Delivery Optimization logs
**Starting in Windows 10, version 2004:**
@ -168,3 +182,34 @@ Using the `-ListConnections` option returns these details about peers:
If `Path` isn't specified, this cmdlet reads all logs from the DoSvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops DoSvc before reading logs.
Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content <output file>` or something similar.
**Starting in Windows 10, version 1803:**
`Get-DOConfig -Verbose`
This cmdlet lists local configuration and policies that are applied to Delivery Optimization. This includes policies that are set via Group Policies or MDM Policies. Each policy is listed with the current set value and the provider of that policy. For example:
DownloadMode:Simple
DownloadModeProvider:Mdm Provider
The provider is listed as "Default Provider" if it's using the Delivery Optimization platform configured default.
The cmdlet returns the following data:
- BatteryPctToSeed: Corresponds to the [DOMinBatteryPercentageAllowedToUpload](waas-delivery-optimization-reference.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) policy.
- WorkingDirectory: The local folder containing the Delivery Optimization cache.
- MinTotalDiskSize: Corresponds to the [DOMinDiskSizeAllowedToPeer](waas-delivery-optimization-reference.md#minimum-disk-size-allowed-to-use-peer-caching) policy.
- MinTotalRAM: Corresponds to the [DOMinRAMAllowedToPeer](waas-delivery-optimization-reference.md#minimum-ram-inclusive-allowed-to-use-peer-caching) policy.
- VpnPeerCachingAllowed: Corresponds to the [DOAllowVPNPeerCaching](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
- VpnKeywords: List of keywords used to identify a VPN adapter.
- SetHoursToLimitDownloadBackground: Corresponds to the [DOSetHoursToLimitBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#set-business-hours-to-limit-background-download-bandwidth) policy.
- SetHoursToLimitDownloadForeground: Corresponds to the [DOSetHoursToLimitForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#set-business-hours-to-limit-foreground-download-bandwidth) policy.
- DownloadMode: Corresponds to the [DODownloadMode](waas-delivery-optimization-reference.md#download-mode) policy.
- DownBackLimitBps: Corresponds to the [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) policy.
- DownloadForegroundLimitBps: Corresponds to the [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) policy.
- DownBackLimitPct: Corresponds to the [DOPercentageMaxBackgroundBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth) policy.
- DownloadForegroundLimitPct: Corresponds to the [DOPercentageMaxForegroundBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth) policy.
- MaxUploadRatePct: Corresponds to the [DOMaxUploadBandwidth](waas-delivery-optimization-reference.md#max-upload-bandwidth) policy (deprecated in Windows 10, version 2004).
- UploadLimitMonthlyGB: Corresponds to the [DOMonthlyUploadDataCap](waas-delivery-optimization-reference.md#monthly-upload-data-cap) policy.

132
windows/deployment/do/waas-delivery-optimization-reference.md
View File

@ -6,28 +6,29 @@ ms.prod: windows-client
author: cmknox
ms.localizationpriority: medium
ms.author: carmenf
ms.topic: article
ms.topic: reference
ms.technology: itpro-updates
ms.date: 06/28/2023
ms.date: 07/31/2023
ms.collection: tier3
ms.reviewer: mstewart
---
# Delivery Optimization reference
**Applies to**
- Windows 10
- Windows 10
- Windows 11
> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678).
There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This topic summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md).
There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This article summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md).
## Delivery Optimization options
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
You'll find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
The Delivery Optimization settings in Group Policy are under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
### Summary of Delivery Optimization settings
@ -35,9 +36,9 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| Group Policy setting | MDM setting | Supported from version | Notes |
| --- | --- | --- | ------- |
| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.|
| [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. |
| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. |
| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, consumer devices default to using 'Local discovery (DNS-SD)' and commercial devices default to using 'Subnet'. |
| [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID is defined as the AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. |
| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group is defined as the AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. |
| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, a new option to use 'Local discovery (DNS-SD)' is available to set via this policy. |
| [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. |
| [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. |
| [Max cache age](#max-cache-age) | DOMaxCacheAge | 1511 | Default value is 259,200 seconds (three days). |
@ -51,16 +52,16 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery. |
| [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
| [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. |
| [Maximum foreground download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
| [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
| [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. |
| [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | Default isn't set. |
| [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. |
| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | Default is it has no value. |
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | Default is it has no value. |
| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | No value is set as default. |
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | No value is set as default. |
| [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. |
| [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. |
| [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (deprecated in Windows 10, version 2004) | Default is '0' (unlimited). |
@ -82,7 +83,7 @@ All cached files have to be above a set minimum size. This size is automatically
#### Impact to network
More options available that control the impact Delivery Optimization has on your network include the following:
More options available that control the impact Delivery Optimization has on your network include the following settings:
- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This setting adjusts the amount of data downloaded directly from HTTP sources, rather than other peers in the network.
- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth*hat Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth.
@ -94,7 +95,7 @@ More options available that control the impact Delivery Optimization has on your
#### Policies to prioritize the use of Peer-to-Peer and Cache Server sources
When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to both MCC and peers in parallel. If the desired content cant be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source which is the default behavior.
When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to both MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source, which is the default behavior.
##### Peer-to-peer delay fallback settings
@ -106,11 +107,11 @@ When Delivery Optimization client is configured to use peers and Microsoft Conne
- [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use a cache server.
- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use a cache server.
**If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server.
**If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This setting allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server.
#### System resource usage
Administrators can further customize scenarios where Delivery Optimization will be used with the following settings:
Administrators can further customize scenarios where Delivery Optimization is used with the following settings:
- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
- [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
@ -119,12 +120,14 @@ Administrators can further customize scenarios where Delivery Optimization will
### Download mode
MDM Setting: **DODownloadMode**
Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Other technical details for these policies are available in [Policy CSP - Delivery Optimization](/windows/client-management/mdm/policy-csp-deliveryoptimization).
| Download mode option | Functionality when set |
| --- | --- |
| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source or a Microsoft Connected Cache server. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
| LAN (**1 Default**) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then try to connect to other peers on the same network by using their private subnet IP.|
| LAN (**1 - Default**) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then try to connect to other peers on the same network by using their private subnet IP.|
| Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable, or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience over HTTP from the download's original source or a Microsoft Connected Cache server, with no peer-to-peer caching. |
@ -135,6 +138,8 @@ Download mode dictates which download sources clients are allowed to use when do
### Group ID
MDM Setting: **DOGroupID**
By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but don't fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
>[!NOTE]
@ -144,23 +149,29 @@ By default, peer sharing on clients using the Group download mode (option 2) is
### Select the source of Group IDs
MDM Setting: **DOGroupIDSource**
Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source, when using a GroupID policy. The options are:
- 0 = Not set
- 1 = AD Site
- 2 = Authenticated domain SID
- 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID)
- 3 = DHCP Option ID (with this option, the client queries DHCP Option ID 234 and use the returned GUID value as the Group ID)
- 4 = DNS Suffix
- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
- 5 = Starting with Windows 10, version 1903, you can use the Azure AD Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy is ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
### Minimum RAM (inclusive) allowed to use Peer Caching
MDM Setting: **DOMinRAMAllowedToPeer**
This setting specifies the minimum RAM size in GB required to use Peer Caching. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4, and **the default value is 4 GB**.
### Minimum disk size allowed to use Peer Caching
MDM Setting: **DOMinDiskSizeAllowedToPeer**
This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256, and **the default value is 32 GB**.
>[!NOTE]
@ -168,57 +179,82 @@ This setting specifies the required minimum disk size (capacity in GB) for the d
### Max Cache Age
In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers re-downloading content. When "Unlimited" value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**.
MDM Setting: **DOMaxCacheAge**
In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers redownloading content. When "Unlimited" value is set, Delivery Optimization holds the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**.
### Max Cache Size
This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
MDM Setting: **DOMaxCacheSize**
This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization uses up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**.
### Absolute Max Cache Size
This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. **The default value is 10 GB**.
MDM Setting: **DOAbsoluteMaxCacheSize**
This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it overrides the [**Max Cache Size**](#max-cache-size) setting. **The default value is 10 GB**.
### Minimum Peer Caching Content File Size
MDM Setting: **DOMinFileSizeToCache**
This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50 MB** to participate in peering.
### Maximum Download Bandwidth
MDM Setting: **DOMaxUploadBandwidth**
Deprecated in Windows 10, version 2004.
This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
> [!NOTE]
> This is the best option for low bandwidth environments.
### Maximum Foreground Download Bandwidth
MDM Setting: **DOPercentageMaxForegroundBandwidth**
Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers aren't throttled even when this policy is set.
### Maximum Background Download Bandwidth
MDM Setting: **DOPercentageMaxBackgroundBandwidth**
Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers aren't throttled even when this policy is set.
> [!NOTE]
> It is recommended to use the absolute value download options 'DOMaxBackgroundDownloadBandwidth' and 'DOMaxForegroundDownloadBandwidth', rather than percentage-based options, for low bandwidth environments.
### Percentage of Maximum Download Bandwidth
This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
MDM Setting: **DOPercentageMaxDownloadBandwidth**
> [!NOTE]
> It is recommended to use the absolute value download option 'Maximum Download Bandwidth', rather than percentage-based options, for low bandwidth environments.
Deprecated in Windows 10, version 2004.
This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
### Max Upload Bandwidth
MDM Setting: **DOMaxUploadBandwidth**
Deprecated in Windows 10, version 2004.
This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0" or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it doesn't cap the upload bandwidth rate at a set rate.
### Set Business Hours to Limit Background Download Bandwidth
MDM Setting: **DOSetHoursToLimitBackgroundDownloadBandwidth**
Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy isn't set.**
### Set Business Hours to Limit Foreground Download Bandwidth
MDM Setting: **DOSetHoursToLimitForegroundDownloadBandwidth**
Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy isn't set.**
### Select a method to restrict peer selection
Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**.
MDM Setting: **DORestrictPeerSelectionBy**
Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11, the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets.
If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
@ -226,40 +262,56 @@ The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered polic
### Delay background download from HTTP (in secs)
MDM Setting: **DODelayBackgroundDownloadFromHttp**
Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.**
### Delay foreground download from HTTP (in secs)
MDM Setting: **DODelayForegroundDownloadFromHttp**
Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.**
### Delay Foreground Download Cache Server Fallback (in secs)
Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
MDM Setting: **DelayCacheServerFallbackForeground**
By default this policy isn't set. So,
Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
### Delay Background Download Cache Server Fallback (in secs)
MDM Setting: **DelayCacheServerFallbackBackground**
Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If the 'Delay background download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.**
### Minimum Background QoS
This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources. The lower this value is, the more content will be sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.**
MDM Setting: **DOMinBackgroundQoS**
This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources. The lower this value is, the more content is sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.**
### Modify Cache Drive
MDM Setting: **DOModifyCacheDrive**
This setting allows for an alternate Delivery Optimization cache location on the clients. **By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable.** You can set the value to an environment variable (for example, %SYSTEMDRIVE%), a drive letter (for example, D:), or a folder path (for example, D:\DOCache).
### Monthly Upload Data Cap
MDM Setting: **DOMonthlyUploadDataCap**
This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of "0" means that an unlimited amount of data can be uploaded. **The default value for this setting is 20 GB.**
### Enable Peer Caching while the device connects via VPN
This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
MDM Setting: **DOAllowVPNPeerCaching**
This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed, except when the 'Local Discovery' (DNS-SD) option is chosen.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
### Allow uploads while the device is on battery while under set Battery level
MDM Setting: **DOMinBatteryPercentageAllowedToUpload**
This setting specifies battery levels at which a device will be allowed to upload data. Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set if you allow uploads on battery is 40 (for 40%).
The device can download from peers while on battery regardless of this policy.
@ -268,19 +320,23 @@ The device can download from peers while on battery regardless of this policy.
### Cache Server Hostname
Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.**
MDM Setting: **DOCacheHost**
Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, the Microsoft Connected Cache server priority order is determined based on the order as they are listed. If the first server fails, it will move the the next one. When the last server fails, it will fallback to the CDN.
>[!IMPORTANT]
> Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty.
### Cache Server Hostname Source
MDM Setting: **DOCacheHostSource**
This policy allows you to specify how your client(s) can discover Delivery Optimization in Network Cache servers dynamically. There are two options:
- 1 = DHCP Option 235.
- 2 = DHCP Option 235 Force.
With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. **By default, this policy has no value.**
With either option, the client queries DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. **By default, this policy has no value.**
Set this policy to designate Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your DHCP server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas.
@ -289,12 +345,16 @@ Set this policy to designate Delivery Optimization in Network Cache servers thro
### Maximum Foreground Download Bandwidth (in KB/s)
MDM Setting: **DOMaxForegroundDownloadBandwidth**
Specifies the maximum foreground download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
**The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.**
### Maximum Background Download Bandwidth (in KB/s)
MDM Setting: **DOMaxBackgroundDownloadBandwidth**
Specifies the maximum background download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization.
**The default value "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.**

11
windows/deployment/do/waas-delivery-optimization-setup.md
View File

@ -110,17 +110,6 @@ Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** an
[Learn more](delivery-optimization-test.md) about Delivery Optimization testing scenarios.
<!--Using include file, waas-delivery-optimization-monitor.md, for shared content on DO monitoring-->
[!INCLUDE [Monitor Delivery Optimization](includes/waas-delivery-optimization-monitor.md)]
### Monitor with Windows Update for Business Delivery Optimization Report
Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days.
:::image type="content" source="/windows/deployment/update/images/wufb-do-overview.png" alt-text="This screenshot shows the Windows Update for Business report, Delivery Optimization status in Update Compliance." lightbox="/windows/deployment/update/images/wufb-do-overview.png":::
For details, see [Windows Update for Business Delivery Optimization Report](../update/wufb-reports-overview.md).
## Troubleshooting
This section summarizes common problems and some solutions to try.

1
windows/deployment/do/waas-delivery-optimization.md
View File

@ -12,6 +12,7 @@ ms.collection:
- highpri
ms.topic: overview
ms.date: 12/31/2017
ms.reviewer: mstewart
---
# What is Delivery Optimization?

1
windows/deployment/do/waas-microsoft-connected-cache.md
View File

@ -10,6 +10,7 @@ ms.topic: article
ms.technology: itpro-updates
ms.date: 05/09/2023
ms.collection: tier3
ms.reviewer: mstewart
---
# What is Microsoft Connected Cache?

5
windows/deployment/do/waas-optimize-windows-10-updates.md
View File

@ -3,8 +3,9 @@ title: Optimize Windows update delivery
description: Two methods of peer-to-peer content distribution are available, Delivery Optimization and BranchCache.
ms.prod: windows-client
ms.localizationpriority: medium
author: mestew
ms.author: mstewart
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates

1
windows/deployment/do/whats-new-do.md
View File

@ -10,6 +10,7 @@ ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.collection: tier3
ms.reviewer: mstewart
---
# What's new in Delivery Optimization

2
windows/deployment/docfx.json
View File

@ -39,7 +39,7 @@
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"uhfHeaderId": "MSDocsHeader-Windows",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",

90
windows/deployment/images/icons/command-line-18.svg Normal file
View File

@ -0,0 +1,90 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="18" height="18" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M0 13H16V6H2C0.9 6 0 6.9 0 8V13Z" fill="#CCCCCC"/>
<path d="M32 6H16V13H32V6Z" fill="#999999"/>
<path d="M48 13H32V6H46C47.1 6 48 6.9 48 8V13Z" fill="#666666"/>
<path d="M46 42H2C0.9 42 0 41.1 0 40V12H48V40C48 41.1 47.1 42 46 42Z" fill="url(#paint0_linear)"/>
<g filter="url(#filter0_dd)">
<path d="M15.2 24.3L6.39999 33.1C5.89999 33.6 5.89999 34.3 6.39999 34.7L8.19999 36.5C8.69999 37 9.4 37 9.8 36.5L18.6 27.7C19.1 27.2 19.1 26.5 18.6 26.1L16.8 24.3C16.4 23.9 15.6 23.9 15.2 24.3Z" fill="url(#paint1_linear)"/>
<mask id="mask0" mask-type="alpha" maskUnits="userSpaceOnUse" x="6" y="24" width="13" height="13">
<path d="M15.2 24.3L6.39999 33.1C5.89999 33.6 5.89999 34.3 6.39999 34.7L8.19999 36.5C8.69999 37 9.4 37 9.8 36.5L18.6 27.7C19.1 27.2 19.1 26.5 18.6 26.1L16.8 24.3C16.4 23.9 15.6 23.9 15.2 24.3Z" fill="url(#paint2_linear)"/>
</mask>
<g mask="url(#mask0)">
<g filter="url(#filter1_dd)">
<path d="M9.8 17.3L18.6 26.1C19.1 26.6 19.1 27.3 18.6 27.7L16.8 29.5C16.3 30 15.6 30 15.2 29.5L6.39999 20.7C5.89999 20.2 5.89999 19.5 6.39999 19.1L8.19999 17.3C8.59999 16.9 9.4 16.9 9.8 17.3Z" fill="url(#paint3_linear)"/>
</g>
</g>
<path d="M9.8 17.3L18.6 26.1C19.1 26.6 19.1 27.3 18.6 27.7L16.8 29.5C16.3 30 15.6 30 15.2 29.5L6.39999 20.7C5.89999 20.2 5.89999 19.5 6.39999 19.1L8.19999 17.3C8.59999 16.9 9.4 16.9 9.8 17.3Z" fill="url(#paint4_linear)"/>
</g>
<g filter="url(#filter2_dd)">
<path d="M40 32H24C23.4 32 23 32.4 23 33V36C23 36.6 23.4 37 24 37H40C40.6 37 41 36.6 41 36V33C41 32.4 40.6 32 40 32Z" fill="url(#paint5_linear)"/>
</g>
<defs>
<filter id="filter0_dd" x="3.02499" y="15" width="18.95" height="25.875" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0"/>
<feOffset dy="0.5"/>
<feGaussianBlur stdDeviation="0.5"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.1 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0"/>
<feOffset dy="1"/>
<feGaussianBlur stdDeviation="1.5"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.2 0"/>
<feBlend mode="normal" in2="effect1_dropShadow" result="effect2_dropShadow"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow" result="shape"/>
</filter>
<filter id="filter1_dd" x="3.02499" y="15" width="18.95" height="18.875" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0"/>
<feOffset dy="0.5"/>
<feGaussianBlur stdDeviation="0.5"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.1 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0"/>
<feOffset dy="1"/>
<feGaussianBlur stdDeviation="1.5"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.2 0"/>
<feBlend mode="normal" in2="effect1_dropShadow" result="effect2_dropShadow"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow" result="shape"/>
</filter>
<filter id="filter2_dd" x="20" y="30" width="24" height="11" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
<feFlood flood-opacity="0" result="BackgroundImageFix"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0"/>
<feOffset dy="0.5"/>
<feGaussianBlur stdDeviation="0.5"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.1 0"/>
<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow"/>
<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0"/>
<feOffset dy="1"/>
<feGaussianBlur stdDeviation="1.5"/>
<feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.2 0"/>
<feBlend mode="normal" in2="effect1_dropShadow" result="effect2_dropShadow"/>
<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow" result="shape"/>
</filter>
<linearGradient id="paint0_linear" x1="36.4462" y1="47.8257" x2="11.8217" y2="5.1748" gradientUnits="userSpaceOnUse">
<stop stop-color="#333333"/>
<stop offset="1" stop-color="#4D4D4D"/>
</linearGradient>
<linearGradient id="paint1_linear" x1="14.5276" y1="33.9959" x2="10.4841" y2="26.9924" gradientUnits="userSpaceOnUse">
<stop stop-color="#999999"/>
<stop offset="1" stop-color="#B3B3B3"/>
</linearGradient>
<linearGradient id="paint2_linear" x1="14.5276" y1="33.9959" x2="10.4841" y2="26.9924" gradientUnits="userSpaceOnUse">
<stop stop-color="#999999"/>
<stop offset="1" stop-color="#B3B3B3"/>
</linearGradient>
<linearGradient id="paint3_linear" x1="16.2747" y1="30.0336" x2="8.73699" y2="16.9781" gradientUnits="userSpaceOnUse">
<stop stop-color="#CCCCCC"/>
<stop offset="1" stop-color="#E6E6E6"/>
</linearGradient>
<linearGradient id="paint4_linear" x1="16.2747" y1="30.0336" x2="8.73699" y2="16.9781" gradientUnits="userSpaceOnUse">
<stop stop-color="#CCCCCC"/>
<stop offset="1" stop-color="#E6E6E6"/>
</linearGradient>
<linearGradient id="paint5_linear" x1="35.1496" y1="39.9553" x2="28.8504" y2="29.0447" gradientUnits="userSpaceOnUse">
<stop stop-color="#CCCCCC"/>
<stop offset="1" stop-color="#E6E6E6"/>
</linearGradient>
</defs>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 5.6 KiB

20
windows/deployment/images/icons/powershell-18.svg Normal file
View File

@ -0,0 +1,20 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="a24f9983-911f-4df7-920f-f964c8c10f82" x1="9" y1="15.834" x2="9" y2="5.788" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#32bedd" />
<stop offset="0.175" stop-color="#32caea" />
<stop offset="0.41" stop-color="#32d2f2" />
<stop offset="0.775" stop-color="#32d4f5" />
</linearGradient>
</defs>
<title>MsPortalFx.base.images-10</title>
<g id="a7ef0482-71f2-4b7e-b916-b1c754245bf1">
<g>
<path d="M.5,5.788h17a0,0,0,0,1,0,0v9.478a.568.568,0,0,1-.568.568H1.068A.568.568,0,0,1,.5,15.266V5.788A0,0,0,0,1,.5,5.788Z" fill="url(#a24f9983-911f-4df7-920f-f964c8c10f82)" />
<path d="M1.071,2.166H16.929a.568.568,0,0,1,.568.568V5.788a0,0,0,0,1,0,0H.5a0,0,0,0,1,0,0V2.734A.568.568,0,0,1,1.071,2.166Z" fill="#0078d4" />
<path d="M4.292,7.153h.523a.167.167,0,0,1,.167.167v3.858a.335.335,0,0,1-.335.335H4.125a0,0,0,0,1,0,0V7.321a.167.167,0,0,1,.167-.167Z" transform="translate(-5.271 5.967) rotate(-45.081)" fill="#f2f2f2" />
<path d="M4.32,9.647h.523a.167.167,0,0,1,.167.167v4.131a0,0,0,0,1,0,0H4.488a.335.335,0,0,1-.335-.335v-3.8a.167.167,0,0,1,.167-.167Z" transform="translate(-0.504 23.385) rotate(-135.081)" fill="#e6e6e6" />
<rect x="7.221" y="12.64" width="4.771" height="1.011" rx="0.291" fill="#f2f2f2" />
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

20
windows/deployment/index.yml
View File

@ -130,6 +130,26 @@ additionalContent:
url: mbr-to-gpt.md
- text: Resolve Windows upgrade errors
url: upgrade/resolve-windows-10-upgrade-errors.md
- text: Deploy Windows 10 with Autopilot
url: /mem/autopilot
- text: Assign devices to servicing channels
url: update/waas-servicing-channels-windows-10-updates.md
# Card
- title: Overview
linkLists:
- linkListType: overview
links:
- text: What's new in Windows deployment
url: deploy-whats-new.md
- text: Windows 11 overview
url: /windows/whats-new/windows-11
- text: Windows client deployment scenarios
url: windows-10-deployment-scenarios.md
- text: Basics of Windows updates, channels, and tools
url: update/get-started-updates-channels-tools.md
- text: Overview of Windows Autopilot
url: /mem/autopilot/windows-autopilot
- title: Licensing and activation
links:

45
windows/deployment/planning/act-technical-reference.md
View File

@ -1,45 +0,0 @@
---
title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10)
description: The Microsoft Application Compatibility Toolkit (ACT) helps you see if the apps and devices in your org are compatible with different versions of Windows.
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: frankroj
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
---
# Application Compatibility Toolkit (ACT) Technical Reference
**Applies to**
- Windows 10, version 1607
>[!IMPORTANT]
>We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with [Windows Analytics](/mem/configmgr/desktop-analytics/overview), a solution in the Microsoft Operations Management Suite. Windows Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released.
Microsoft developed Windows Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Windows Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft's experience upgrading millions of devices to Windows 10.
With Windows diagnostic data enabled, Windows Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
Use Windows Analytics to get:
- A visual workflow that guides you from pilot to production
- Detailed computer and application inventory
- Powerful computer level search and drill-downs
- Guidance and insights into application and driver compatibility issues, with suggested fixes
- Data driven application rationalization tools
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools, including Microsoft Configuration Manager
The Windows Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatibility Administrator, which helps you to resolve potential compatibility issues.
## In this section
|Topic |Description |
|------|------------|
|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. |
|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. |
|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. |

34
windows/deployment/planning/index.md
View File

@ -1,34 +0,0 @@
---
title: Plan for Windows 10 deployment (Windows 10)
description: Find resources for your Windows 10 deployment. Windows 10 provides new deployment capabilities and tools, and introduces new ways to keep the OS up to date.
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: article
ms.technology: itpro-deploy
ms.date: 10/28/2022
---
# Plan for Windows 10 deployment
Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. Together, these changes require that you rethink the traditional deployment process.
## In this section
|Topic |Description |
|------|------------|
|[Windows 10 Enterprise: FAQ for IT professionals](windows-10-enterprise-faq-itpro.yml) | Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. |
|[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. |
|[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. |
|[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
|[Features removed or planned for replacement](/windows/whats-new/feature-lifecycle) |Information is provided about Windows features and functionality that are removed or planned for replacement. |
|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. |
## Related topics
- [Windows 10 servicing options for updates and upgrades](../update/index.md)
- [Deploy Windows 10 with MDT](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
- [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Upgrade to Windows 10 with Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md)
- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)

46
windows/deployment/update/PSFxWhitepaper.md
View File

@ -2,20 +2,23 @@
title: Windows Updates using forward and reverse differentials
description: A technique to produce compact software updates optimized for any origin and destination revision pair
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 08/21/2021
---
# Windows Updates using forward and reverse differentials
Windows 10 monthly quality updates are cumulative, containing all previously
Windows monthly quality updates are cumulative, containing all previously
released fixes to ensure consistency and simplicity. For an operating system
platform like Windows 10, which stays in support for multiple years, the size of
platform like Windows, which stays in support for multiple years, the size of
monthly quality updates can quickly grow large, thus directly impacting network
bandwidth consumption.
@ -23,8 +26,8 @@ Today, this problem is addressed by using express downloads, where differential
downloads for every changed file in the update are generated based on selected
historical revisions plus the base version. In this paper, we introduce a new
technique to build compact software update packages that are applicable to any
revision of the base version, and then describe how Windows 10 quality updates
uses this technique.
revision of the base version, and then describe how Windows quality updates
use this technique.
## General Terms
@ -65,45 +68,44 @@ numerous advantages:
- Efficient to install
- Redistributable
Historically, download sizes of Windows 10 quality updates (Windows 10, version 1803 and older supported versions of Windows 10) are optimized by using express download. Express download is optimized such that updating Windows 10 systems will download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version.
Historically, download sizes of Windows quality updates (Windows 10, version 1803 and older supported versions of Windows 10) were optimized by using express download. Express download is optimized such that updating Windows systems download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version.
For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as express download files) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as express download files) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device applying express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
The flip side of express download is that the size of PSF files can be very large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they are unable to leverage express updates to keep their fleet of devices running Windows 10 up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it is only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly.
The flip side of express download is that the size of PSF files can be large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they're unable to use express updates to keep their fleet of devices running Windows up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it's only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly.
In the following sections, we describe how Windows 10 quality updates will leverage this technique based on forward and reverse differentials for newer releases of Windows 10 and Windows Server to overcome the challenges with express downloads.
In the following sections, we describe how quality updates use this technique based on forward and reverse differentials for newer releases of Windows and Windows Server to overcome the challenges with express downloads.
## High-level Design
### Update packaging
Windows 10 quality update packages will contain forward differentials from quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM (∆N→RTM) for each file that has changed since RTM. By using the RTM version as the baseline, we ensure that all devices will have an identical payload. Update package metadata, content manifests, and forward and reverse differentials will be packaged into a cabinet file (.cab). This .cab file, and the applicability logic, will also be wrapped in Microsoft Standalone Update (.msu) format.
Windows quality update packages contain forward differentials from quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM (∆N→RTM) for each file that has changed since RTM. By using the RTM version as the baseline, we ensure that all devices have an identical payload. Update package metadata, content manifests, and forward and reverse differentials are packaged into a cabinet file (.cab). This .cab file, and the applicability logic, will also be wrapped in Microsoft Standalone Update (.msu) format.
There can be cases where new files are added to the system during servicing. These files will not have RTM baselines, thus forward and reverse differentials cannot be used. In these scenarios, null differentials will be used to handle servicing. Null differentials are the slightly compressed and optimized version of the full binaries. Update packages can have either forward or reverse differentials, or null differential of any given binary in them. The following image symbolizes the content of a Windows 10 quality update installer:
There can be cases where new files are added to the system during servicing. These files won't have RTM baselines, thus forward and reverse differentials can't be used. In these scenarios, null differentials are used to handle servicing. Null differentials are the slightly compressed and optimized version of the full binaries. Update packages can have either forward or reverse differentials, or null differential of any given binary in them. The following image symbolizes the content of a Windows quality update installer:
![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containing four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.).](images/PSF4.png)
### Hydration and installation
Once the usual applicability checks are performed on the update package and are determined to be applicable, the Windows component servicing infrastructure will hydrate the full files during pre-installation and then proceed with the usual installation process.
Once the usual applicability checks are performed on the update package and are determined to be applicable, the Windows component servicing infrastructure hydrates the full files during preinstallation and then proceeds with the usual installation process.
Below is a high-level sequence of activities that the component servicing infrastructure will run in a transaction to complete installation of the update:
Below is a high-level sequence of activities that the component servicing infrastructure runs in a transaction to complete installation of the update:
- Identify all files that are required to install the update.
- Hydrate each of necessary files using current version (V<sub>N</sub>) of the file, reverse differential (V<sub>N</sub>--->RTM) of the file back to quality update RTM/base version and forward differential (V<sub>RTM</sub>--->R) from feature update RTM/base version to the target version. Also, use null differential hydration to hydrate null compressed files.
- Stage the hydrated files (full file), forward differentials (under f folder) and reverse differentials (under r folder) or null compressed files (under n folder) in the component store (%windir%\\WinSxS folder).
- Stage the hydrated files (full file), forward differentials (under `f` folder) and reverse differentials (under `r` folder) or null compressed files (under `n` folder) in the component store (%windir%\\WinSxS folder).
- Resolve any dependencies and install components.
- Clean up older state (V<sub>N-1</sub>); the previous state V<sub>N</sub> is retained for uninstallation and restoration or repair.
### **Resilient Hydration**
To ensure resiliency against component store corruption or missing files that could occur due to susceptibility of certain types of hardware to file system corruption, a corruption repair service has been traditionally used to recover the component store automatically (automatic corruption repair) or on demand (manual corruption repair) using an online or local repair source. This service will continue to offer the ability to repair and recover content for
hydration and successfully install an update, if needed.
To ensure resiliency against component store corruption or missing files that could occur due to susceptibility of certain types of hardware to file system corruption, a corruption repair service has been traditionally used to recover the component store automatically (automatic corruption repair) or on demand (manual corruption repair) using an online or local repair source. This service will continue to offer the ability to repair and recover content for hydration and successfully install an update, if needed.
When corruption is detected during update operations, automatic corruption repair will start as usual and use the Baseless Patch Storage File published to Windows Update for each update to fix corrupted manifests, binary differentials, or hydrated or full files. Baseless patch storage files will contain reverse and forward differentials and full files for each updated component. Integrity of the repair files will be hash verified.
When corruption is detected during update operations, automatic corruption repair starts as usual and uses the Baseless Patch Storage File published to Windows Update for each update to fix corrupted manifests, binary differentials, or hydrated or full files. Baseless patch storage files contain reverse and forward differentials and full files for each updated component. Integrity of the repair files will be hash verified.
Corruption repair will use the component manifest to detect missing files and get hashes for corruption detection. During update installation, new registry flags for each differential staged on the machine will be set. When automatic corruption repair runs, it will scan hydrated files using the manifest and differential files using the flags. If the differential cannot be found or verified, it will be added to the list of corruptions to repair.
Corruption repair uses the component manifest to detect missing files and get hashes for corruption detection. During update installation, new registry flags for each differential staged on the machine are set. When automatic corruption repair runs, it scans hydrated files using the manifest and differential files using the flags. If the differential can't be found or verified, it's added to the list of corruptions to repair.
### Lazy automatic corruption repair
Lazy automatic corruption repair runs during update operations to detect corrupted binaries and differentials. While applying an update, if hydration of any file fails, "lazy" automatic corruption repair automatically starts, identifies the corrupted binary or differential file, and then adds it to the corruption list. Later, the update operation continues as far as it can go, so that "lazy" automatic corruption repair can collect as many corrupted files to fix as possible. At the end of the hydration section, the update fails, and automatic corruption repair starts. Automatic corruption repair runs as usual and at the end of its operation, adds the corruption list generated by "lazy" automatic corruption repair on top of the new list to repair. Automatic corruption repair then repairs the files on the corruption list and installation of the update will succeed on the next attempt.
"Lazy automatic corruption repair" runs during update operations to detect corrupted binaries and differentials. While applying an update, if hydration of any file fails, "lazy" automatic corruption repair automatically starts, identifies the corrupted binary or differential file, and then adds it to the corruption list. Later, the update operation continues as far as it can go, so that "lazy" automatic corruption repair can collect as many corrupted files to fix as possible. At the end of the hydration section, the update fails, and automatic corruption repair starts. Automatic corruption repair runs as usual and at the end of its operation, adds the corruption list generated by "lazy" automatic corruption repair on top of the new list to repair. Automatic corruption repair then repairs the files on the corruption list and installation of the update will succeed on the next attempt.

64
windows/deployment/update/WIP4Biz-intro.md
View File

@ -1,64 +0,0 @@
---
title: Introduction to the Windows Insider Program for Business
description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join.
ms.prod: windows-client
author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
---
# Introduction to the Windows Insider Program for Business
**Applies to**
- Windows 10
> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
For many IT Pros, it's valuable to have visibility into feature updates early--before theyre available in the General Availability Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available.
The Windows Insider Program for Business gives you the opportunity to:
* Get early access to Windows Insider Preview Builds.
* Provide feedback to Microsoft in real time by using the Feedback Hub app.
* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft especially on features that support your productivity and business needs.
* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration.
* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies.
* Track feedback provided through the Feedback Hub App across your organization.
Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App.
The Windows Insider Program doesn't replace General Availability Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the General Availability Channel Targeted ring for Pilot deployment, and the General Availability Channel for broad deployment.](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)<br>
Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments.
## Explore new Windows 10 features in Insider Previews
Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. Whats more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Heres how to get the most out of your feature exploration:
|Objective |Feature exploration|
|---------|---------|
|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.|
|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. |
|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)<br> - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications<br> - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. |
|Feedback | - This helps us make adjustments to features as quickly as possible.<br> - Encourage users to sign into the Feedback Hub using their Azure Active Directory work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organizations domain.)<br> - [Learn how to provide effective feedback in the Feedback Hub](/windows-insider/feedback) |
## Validate Insider Preview builds
Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. Early validation has several benefits:
- Get a head start on your Windows validation process.
- Identify issues sooner to accelerate your Windows deployment.
- Engage Microsoft earlier for help with potential compatibility issues.
- Deploy Windows 10 General Availability Channel releases faster and more confidently.
- Maximize the support window that comes with each General Availability Channel release.
|Objective |Feature exploration|
|---------|---------|
|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.|
|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.|
|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. |
|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. |
|Guidance | Application and infrastructure validation:<br>- [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](/mem/configmgr/desktop-analytics/overview)<br>- [Use Device Health to identify problem devices and device drivers](/windows/deployment/update/device-health-monitor)<br> - [Windows 10 application compatibility](/windows/windows-10/)|

17
windows/deployment/update/check-release-health.md
View File

@ -1,14 +1,19 @@
---
title: How to check Windows release health
description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
ms.date: 06/07/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
manager: aaroncz
ms.reviewer: mstewart
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-updates
ms.collection:
- tier2
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 09/08/2023
---
# How to check Windows release health
@ -31,7 +36,7 @@ Ensure the following prerequisites are met to display the Windows release health
- Most roles containing the word `administrator` give you access to the Windows release health page such as [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator), [Helpdesk Administrator](/azure/active-directory/roles/permissions-reference#helpdesk-administrator), and [Service Support Administrator](/azure/active-directory/roles/permissions-reference#service-support-administrator). For more information, see [Assign admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/assign-admin-roles).
> [!NOTE]
> Currently, Windows release health isn't available for Government Community Cloud (GCC) tenants.
> Currently, Windows release health is available for Government Community Cloud (GCC) tenants, but isn't available for GCC High and DoD. <!--8337541-->
## How to review Windows release health information

34
windows/deployment/update/create-deployment-plan.md
View File

@ -1,28 +1,28 @@
---
title: Create a deployment plan
description: Devise the number of deployment rings you need and how you want to populate them
description: Devise the number of deployment rings you need and how you want to populate each of the deployment rings.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.collection:
- tier2
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Create a deployment plan
**Applies to**
- Windows 10
- Windows 11
A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. Weve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We've found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
At the highest level, each ring comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
At the highest level, each ring comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
A common ring structure uses three deployment groups:
@ -31,7 +31,7 @@ A common ring structure uses three deployment groups:
- Broad: Wide deployment
> [!NOTE]
> Organizations often use different names for their rings," for example:
> Organizations often use different names for their rings, for example:
> - First > Fast > Broad
> - Canaries > Early Adopters > Users
> - Preview > Broad > Critical
@ -45,8 +45,8 @@ There are no definite rules for exactly how many rings to have for your deployme
There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project based.
- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the red button to stop further distribution.
- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the green button to push the content to the next ring.
- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
When it comes to deployments, having manual steps in the process usually impedes update velocity. A "red button" strategy is better when that is your goal.
@ -84,7 +84,7 @@ Analytics can help with defining a good Limited ring of representative devices a
### Who goes in the Limited ring?
The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually dont have the applications or device drivers that are truly a representative sample of your network.
The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don't have the applications or device drivers that are truly a representative sample of your network.
During your pilot and validate phases, you should focus on the following activities:
@ -93,11 +93,11 @@ During your pilot and validate phases, you should focus on the following activit
- Assess and act if issues are encountered.
- Move forward unless blocked.
When you deploy to the Limited ring, youll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring. Your Limited ring represents your organization across the board. When you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly.
When you deploy to the Limited ring, you'll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring. Your Limited ring represents your organization across the board. When you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly.
## Broad deployment
Once the devices in the Limited ring have had a sufficient stabilization period, its time for broad deployment across the network.
Once the devices in the Limited ring have had a sufficient stabilization period, it's time for broad deployment across the network.
### Who goes in the Broad deployment ring?

21
windows/deployment/update/deploy-updates-configmgr.md
View File

@ -1,21 +0,0 @@
---
title: Deploy Windows client updates with Configuration Manager
description: Deploy Windows client updates with Configuration Manager
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
---
# Deploy Windows 10 updates with Configuration Manager
**Applies to**
- Windows 10
- Windows 11
See the [Microsoft Configuration Manager documentation](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates.

24
windows/deployment/update/deploy-updates-intune.md
View File

@ -1,24 +0,0 @@
---
title: Deploy updates with Intune
description: Deploy Windows client updates with Intune.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.collection:
- highpri
- tier2
ms.date: 12/31/2017
---
# Deploy Windows 10 updates with Intune
**Applies to**
- Windows 10
- Windows 11
See the Microsoft Intune [documentation](/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows client updates.

17
windows/deployment/update/deployment-service-drivers.md
View File

@ -1,19 +1,24 @@
---
title: Deploy drivers and firmware updates with Windows Update for Business deployment service.
description: Use Windows Update for Business deployment service to deploy driver and firmware updates.
title: Deploy drivers and firmware updates
titleSuffix: Windows Update for Business deployment service
description: Use Windows Update for Business deployment service to deploy driver and firmware updates to devices.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.collection:
- tier1
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 06/22/2023
---
# Deploy drivers and firmware updates with Windows Update for Business deployment service
<!--7260403, 7512398-->
***(Applies to: Windows 11 & Windows 10)***
The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).

144
windows/deployment/update/deployment-service-expedited-updates.md
View File

@ -1,20 +1,24 @@
---
title: Deploy expedited updates with Windows Update for Business deployment service
description: Use Windows Update for Business deployment service to deploy expedited updates.
title: Deploy expedited updates
titleSuffix: Windows Update for Business deployment service
description: Learn how to use Windows Update for Business deployment service to deploy expedited updates to devices in your organization.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 02/14/2023
ms.topic: conceptual
ms.author: mstewart
author: mestew
manager: aaroncz
ms.collection:
- tier1
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 08/29/2023
---
# Deploy expedited updates with Windows Update for Business deployment service
<!--7512398-->
***(Applies to: Windows 11 & Windows 10)***
In this article, you will:
> [!div class="checklist"]
@ -47,13 +51,13 @@ All of the [prerequisites for the Windows Update for Business deployment service
## List catalog entries for expedited updates
Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=3` and ordering by `ReleaseDateTimeshows` displays the three most recent updates.
Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=1` and ordering by `ReleaseDateTimeshows` displays the most recent update that can be deployed as expedited.
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=3
GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=1
```
The following truncated response displays a **Catalog ID** of `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432` for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update:
The following truncated response displays a **Catalog ID** of `e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5` for the `08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later` security update:
```json
{
@ -61,21 +65,119 @@ The following truncated response displays a **Catalog ID** of `693fafea03c24cca
"value": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
"id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432",
"displayName": "01/10/2023 - 2023.01 B Security Updates for Windows 10 and later",
"id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5",
"displayName": "08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later",
"deployableUntilDateTime": null,
"releaseDateTime": "2023-01-10T00:00:00Z",
"releaseDateTime": "2023-08-08T00:00:00Z",
"isExpeditable": true,
"qualityUpdateClassification": "security"
},
...
"qualityUpdateClassification": "security",
"catalogName": "2023-08 Cumulative Update for Windows 10 and later",
"shortName": "2023.08 B",
"qualityUpdateCadence": "monthly",
"cveSeverityInformation": {
"maxSeverity": "critical",
"maxBaseScore": 9.8,
"exploitedCves@odata.context": "https://graph.microsoft.com/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves",
"exploitedCves": [
{
"number": "ADV230003",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/ADV230003"
},
{
"number": "CVE-2023-38180",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180"
}
]
}
}
]
}
```
The deployment service can display more information about updates that were released on or after January 2023. Using [product revision](/graph/api/resources/windowsupdates-productrevision) gives you additional information about the updates, such as the KB numbers, and the `MajorVersion.MinorVersion.BuildNumber.UpdateBuildRevision`. Windows 10 and 11 share the same major and minor versions, but have different build numbers.
<!--8092737-->
Use the following to display the product revision information for the most recent quality update:
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$expand=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions&$orderby=releaseDateTime desc&$top=1
```
The following truncated response displays information about KB5029244 for Windows 10, version 22H2, and KB5029263 for Windows 11, version 22H2:
```json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries(microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions())",
"value": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
"id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5",
"displayName": "08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later",
"deployableUntilDateTime": null,
"releaseDateTime": "2023-08-08T00:00:00Z",
"isExpeditable": true,
"qualityUpdateClassification": "security",
"catalogName": "2023-08 Cumulative Update for Windows 10 and later",
"shortName": "2023.08 B",
"qualityUpdateCadence": "monthly",
"cveSeverityInformation": {
"maxSeverity": "critical",
"maxBaseScore": 9.8,
"exploitedCves@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/cveSeverityInformation/exploitedCves",
"exploitedCves": [
{
"number": "ADV230003",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/ADV230003"
},
{
"number": "CVE-2023-38180",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180"
}
]
},
"productRevisions@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions",
"productRevisions": [
{
"id": "10.0.19045.3324",
"displayName": "Windows 10, version 22H2, build 19045.3324",
"releaseDateTime": "2023-08-08T00:00:00Z",
"version": "22H2",
"product": "Windows 10",
"osBuild": {
"majorVersion": 10,
"minorVersion": 0,
"buildNumber": 19045,
"updateBuildRevision": 3324
},
"knowledgeBaseArticle@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions('10.0.19045.3324')/knowledgeBaseArticle/$entity",
"knowledgeBaseArticle": {
"id": "KB5029244",
"url": "https://support.microsoft.com/help/5029244"
}
},
{
"id": "10.0.22621.2134",
"displayName": "Windows 11, version 22H2, build 22621.2134",
"releaseDateTime": "2023-08-08T00:00:00Z",
"version": "22H2",
"product": "Windows 11",
"osBuild": {
"majorVersion": 10,
"minorVersion": 0,
"buildNumber": 22621,
"updateBuildRevision": 2134
},
"knowledgeBaseArticle@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries('e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5')/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions('10.0.22621.2134')/knowledgeBaseArticle/$entity",
"knowledgeBaseArticle": {
"id": "KB5029263",
"url": "https://support.microsoft.com/help/5029263"
}
},
```
## Create a deployment
When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update with catalog entry ID `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432`, and defines the `expedite` and `userExperience` deployment options in the request body.
When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `08/08/2023 - 2023.08 B SecurityUpdate for Windows 10 and later` security update with catalog entry ID `e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5`, and defines the `expedite` and `userExperience` deployment options in the request body.
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
@ -87,7 +189,7 @@ content-type: application/json
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
"id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432"
"id": "e317aa8a0455ca604de95329b524ec921ca57f2e6ed3ff88aac757a7468998a5"
}
},
"settings": {

27
windows/deployment/update/deployment-service-feature-updates.md
View File

@ -1,20 +1,24 @@
---
title: Deploy feature updates with Windows Update for Business deployment service.
description: Use Windows Update for Business deployment service to deploy feature updates.
title: Deploy feature updates
titleSuffix: Windows Update for Business deployment service
description: Use Windows Update for Business deployment service to deploy feature updates to devices in your organization.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 02/14/2023
ms.topic: conceptual
ms.author: mstewart
author: mestew
manager: aaroncz
ms.collection:
- tier1
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 08/29/2023
---
# Deploy feature updates with Windows Update for Business deployment service
<!--7512398-->
***(Applies to: Windows 11 & Windows 10)***
The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a feature update to clients. In this article, you will:
@ -82,7 +86,8 @@ The following truncated response displays a **Catalog ID** of `d9049ddb-0ca8-4b
"displayName": "Windows 11, version 22H2",
"deployableUntilDateTime": "2025-10-14T00:00:00Z",
"releaseDateTime": "2022-09-20T00:00:00Z",
"version": "Windows 11, version 22H2"
"version": "Windows 11, version 22H2",
"buildNumber": "22621"
}
]
}

24
windows/deployment/update/deployment-service-overview.md
View File

@ -1,20 +1,24 @@
---
title: Windows Update for Business deployment service
description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates
title: Overview of the deployment service
titleSuffix: Windows Update for Business deployment service
description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates with the deployment service.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: overview
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.topic: conceptual
ms.author: mstewart
author: mestew
manager: aaroncz
ms.collection:
- tier1
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 02/14/2023
---
# Windows Update for Business deployment service
***(Applies to: Windows 11 & Windows 10)***
The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It's designed to work with your existing [Windows Update for Business](waas-manage-updates-wufb.md) policies and [Windows Update for Business reports](wufb-reports-overview.md). The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices. The service is privacy focused and backed by leading industry compliance certifications.
Windows Update for Business product family has three elements:

22
windows/deployment/update/deployment-service-prerequisites.md
View File

@ -1,20 +1,24 @@
---
title: Prerequisites for the Windows Update for Business deployment service
description: Prerequisites for using the Windows Update for Business deployment service.
title: Prerequisites for the deployment service
titleSuffix: Windows Update for Business deployment service
description: Prerequisites for using the Windows Update for Business deployment service for updating devices in your organization.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
manager: aaroncz
ms.collection:
- tier1
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 02/14/2023
---
# Windows Update for Business deployment service prerequisites
<!--7512398-->
***(Applies to: Windows 11 & Windows 10)***
Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites.
## Azure and Azure Active Directory

26
windows/deployment/update/deployment-service-troubleshoot.md
View File

@ -1,22 +1,24 @@
---
title: Troubleshoot the Windows Update for Business deployment service
description: Solutions to common problems with the service
title: Troubleshoot the deployment service
titleSuffix: Windows Update for Business deployment service
description: Solutions to commonly encountered problems when using the Windows Update for Business deployment service.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.topic: troubleshooting
ms.author: mstewart
author: mestew
manager: aaroncz
ms.collection:
- tier1
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 02/14/2023
---
# Troubleshoot the Windows Update for Business deployment service
***(Applies to: Windows 11 & Windows 10)***
This troubleshooting guide addresses the most common issues that IT administrators face when using the Windows Update for Business [deployment service](deployment-service-overview.md). For a general troubleshooting guide for Windows Update, see [Windows Update troubleshooting](/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json).
## The device isn't receiving an update that I deployed

14
windows/deployment/update/eval-infra-tools.md
View File

@ -1,23 +1,21 @@
---
title: Evaluate infrastructure and tools
description: Steps to make sure your infrastructure is ready to deploy updates
description: Review the steps to ensure your infrastructure is ready to deploy updates to clients in your organization.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Evaluate infrastructure and tools
**Applies to**
- Windows 10
- Windows 11
Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
## Infrastructure

117
windows/deployment/update/feature-update-user-install.md
View File

@ -1,20 +1,21 @@
---
title: Best practices - deploy feature updates for user-initiated installations
title: Best practices - user-initiated feature update installation
description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
ms.date: 07/10/2018
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.topic: best-practice
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a>
ms.date: 07/10/2018
---
# Deploy feature updates for user-initiated installations (during a fixed service window)
**Applies to**: Windows 10
Use the following steps to deploy a feature update for a user-initiated installation.
## Get ready to deploy feature updates
@ -22,7 +23,7 @@ Use the following steps to deploy a feature update for a user-initiated installa
### Step 1: Enable Peer Cache
Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache.
[Enable Configuration Manager client in full OS to share content](/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
[Enable Configuration Manager client in full OS to share content](/mem/configmgr/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
### Step 2: Override the default Windows setup priority (Windows 10, version 1709 and later)
@ -35,7 +36,7 @@ If you're deploying **Feature update to Windows 10, version 1709** or later, by
Priority=Normal
```
You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
You can use the new [Run Scripts](/mem/configmgr/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
```
#Parameters
@ -80,7 +81,7 @@ or documentation, even if Microsoft has been advised of the possibility of such
```
>[!NOTE]
>If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/mem/configmgr/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
## Manually deploy feature updates in a user-initiated installation
@ -89,77 +90,73 @@ The following sections provide the steps to manually deploy a feature update.
### Step 1: Specify search criteria for feature updates
There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying a feature update is to identify the feature updates that you want to deploy.
1. In the Configuration Manager console, click **Software Library**.
2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed.
1. In the Configuration Manager console, select **Software Library**.
2. In the Software Library workspace, expand **Windows 10 Servicing**, and select **All Windows 10 Updates**. The synchronized feature updates are displayed.
3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps:
- In the **search** text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
- Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English.
- In the **search** text box, type a search string that filters for the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
- Select **Add Criteria**, select the criteria that you want to use to filter software updates, select **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English.
4. Save the search for future use.
### Step 2: Download the content for the feature update(s)
Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
Before you deploy the feature updates, you can download the content as a separate step. Do this download so you can verify that the content is available on the distribution points before you deploy the feature updates. Downloading first helps you avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**.
2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**.
2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right-click, and select **Download**.
The **Download Software Updates Wizard** opens.
3. On the **Deployment Package** page, configure the following settings:
**Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings:
- **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters.
- **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It's limited to 50 characters.
- **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters.
- **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
- **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or select **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
>[!NOTE]
>The deployment package source location that you specify cannot be used by another software deployment package.
> [!IMPORTANT]
> - The deployment package source location that you specify cannot be used by another software deployment package.
> - The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
> - You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
>[!IMPORTANT]
>The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
>[!IMPORTANT]
>You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
Click **Next**.
4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
Select **Next**.
4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then select **Next**. For more information about distribution points, see [Distribution point configurations](/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
>[!NOTE]
>The Distribution Points page is available only when you create a new software update deployment package.
> The Distribution Points page is available only when you create a new software update deployment package.
5. On the **Distribution Settings** page, specify the following settings:
- **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority.
- **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
- **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there's no backlog, the package processes immediately regardless of its priority. By default, packages are sent using Medium priority.
- **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content isn't available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/mem/configmgr/core/plan-design/hierarchy/content-source-location-scenarios).
- **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options:
- **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point.
- **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point.
- **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting.
- **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This setting is the default.
For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
Click **Next**.
For more information about prestaging content to distribution points, see [Use Prestaged content](/mem/configmgr/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
Select **Next**.
6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options:
- **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting.
- **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access.
- **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard doesn't have Internet access.
>[!NOTE]
>When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
> When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
Click **Next**.
7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates.
9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click **Close**.
Select **Next**.
7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then select **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
8. On the **Summary** page, verify the settings that you selected in the wizard, and then select **Next** to download the software updates.
9. On the **Completion** page, verify that the software updates were successfully downloaded, and then select **Close**.
#### To monitor content status
1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console.
2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**.
1. To monitor the content status for the feature updates, select **Monitoring** in the Configuration Manager console.
2. In the Monitoring workspace, expand **Distribution Status**, and then select **Content Status**.
3. Select the feature update package that you previously identified to download the feature updates.
4. On the **Home** tab, in the Content group, click **View Status**.
4. On the **Home** tab, in the Content group, select **View Status**.
### Step 3: Deploy the feature update(s)
After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s).
1. In the Configuration Manager console, click **Software Library**.
2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**.
3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**.
1. In the Configuration Manager console, select **Software Library**.
2. In the Software Library workspace, expand **Windows 10 Servicing**, and select **All Windows 10 Updates**.
3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right select, and select **Deploy**.
The **Deploy Software Updates Wizard** opens.
4. On the General page, configure the following settings:
@ -178,7 +175,7 @@ After you determine which feature updates you intend to deploy, you can manually
>[!NOTE]
>A software update group deployed as **Required** will be downloaded in background and honor BITS settings, if configured.
- **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when **Type of deployment** is set to **Required**.
- **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that don't require any software updates in the deployment aren't started. By default, this setting isn't enabled and is available only when **Type of deployment** is set to **Required**.
>[!WARNING]
>Before you can use this option, computers and networks must be configured for Wake On LAN.
@ -189,7 +186,7 @@ After you determine which feature updates you intend to deploy, you can manually
- **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console.
- **Software available time**: Select **Specific time** to specify when the software updates will be available to clients:
- **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the feature update in the deployment is not available for installation until after the specified date and time are reached and the required content has been downloaded.
- **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the feature update in the deployment isn't available for installation until after the specified date and time are reached and the required content has been downloaded.
- **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment.
@ -198,7 +195,7 @@ After you determine which feature updates you intend to deploy, you can manually
- **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. However, for the purposes of the fixed servicing window, set the installation deadline date and time to a future value, well beyond the fixed servicing window.
Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients will start downloading the content based on a randomized time. The feature update will not be displayed in Software Center for installation until the content is fully downloaded. This ensures that the feature update installation will start immediately when initiated.
Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients start downloading the content based on a randomized time. The feature update won't be displayed in Software Center for installation until the content is fully downloaded. This ensures that the feature update installation starts immediately when initiated.
7. On the User Experience page, configure the following settings:
- **User notifications**: Specify **Display in Software Center and show all notifications**.
@ -214,25 +211,25 @@ After you determine which feature updates you intend to deploy, you can manually
>[!NOTE]
>When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window.
- **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window.
8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.
8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.
>[!NOTE]
>You can review recent software updates alerts from the **Software Updates** node in the **Software Library** workspace.
9. On the Download Settings page, configure the following settings:
- Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location.
- Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point.
- **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
- **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
- Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates isn't available on a preferred distribution point.
- **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
- **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates aren't available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
- Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.
>[!NOTE]
>Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting.
11. Click **Next** to deploy the feature update(s).
>Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/mem/configmgr/core/plan-design/hierarchy/content-source-location-scenarios).
10. On the Summary page, review the settings. To save the settings to a deployment template, select **Save As Template**, enter a name and select the settings that you want to include in the template, and then select **Save**. To change a configured setting, select the associated wizard page and change the setting.
11. Select **Next** to deploy the feature update(s).
### Step 4: Monitor the deployment status
After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status:
1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**.
2. Click the software update group or software update for which you want to monitor the deployment status.
3. On the **Home** tab, in the **Deployment** group, click **View Status**.
2. Select the software update group or software update for which you want to monitor the deployment status.
3. On the **Home** tab, in the **Deployment** group, select **View Status**.

30
windows/deployment/update/fod-and-lang-packs.md
View File

@ -1,21 +1,26 @@
---
title: Make FoD and language packs available for WSUS/Configuration Manager
description: Learn how to make FoD and language packs available when you're using WSUS/Configuration Manager.
title: FoD and language packs for WSUS and Configuration Manager
description: Learn how to make FoD and language packs available to clients when you're using WSUS or Configuration Manager.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
ms.date: 03/13/2019
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a>
-<a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>
ms.date: 03/13/2019
---
# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
**Applies to**
This article describes how to make Features on Demand and language packs available when you're using WSUS or Configuration Manager for specific versions of Windows.
- Windows 10
- Windows 11
## Version information for Features on Demand and language packs
In Windows 10 version 21H2 and later, non-Administrator user accounts can add both a display language and its corresponding language features.
@ -23,10 +28,15 @@ As of Windows 10 version 1709, you can't use Windows Server Update Services (WSU
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions does not influence how language packs are acquired.
In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions doesn't influence how language packs are acquired.
In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It's currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location.
For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
For all OS versions, changing the **Specify settings for optional component installation and component repair** policy doesn't affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/).
## More resources
- [WSUS documentation](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus)
- [Configuration Manager documentation](/mem/configmgr/)

50
windows/deployment/update/get-started-updates-channels-tools.md
View File

@ -1,23 +1,22 @@
---
title: Windows client updates, channels, and tools
description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them
description: Brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Windows client updates, channels, and tools
**Applies to**
- Windows 10
- Windows 11
This article provides a brief summary of the kinds of Windows updates, the channels they're served through, and the tools for managing them.
## How Windows updates work
There are four phases to the Windows update process:
@ -26,18 +25,18 @@ There are four phases to the Windows update process:
administrator. This process is invisible to the user.
- **Download:** Once the device determines that an update is available, it begins downloading the update. The download process is also invisible to the user. With feature updates, download happens in multiple
sequential phases.
- **Install:** After the update is downloaded, depending on the devices Windows Update settings, the update is installed on the system.
- **Install:** After the update is downloaded, depending on the device's Windows Update settings, the update is installed on the system.
- **Commit and restart:** Once installed, the device usually (but not always) must be restarted in order to complete the installation and begin using the update. Before that happens, a device is still running the previous
version of the software.
## Types of updates
We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*.
We include information here about many different update types you hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*.
- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
- **Quality updates:** Quality updates deliver both security and non-security fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
- **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they're delivered frequently (rather than every 3-5 years), they're easier to manage.
- **Quality updates:** Quality updates deliver both security and nonsecurity fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They're typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates aren't necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically doesn't have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
- **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they're installed or not.
- **Microsoft product updates:** These update other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools.
@ -50,13 +49,14 @@ The first step of controlling when and how devices install updates is assigning
### General Availability Channel
In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release.
In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel installs a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release.
### Windows Insider Program for Business
Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel:
Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are options within the Windows Insider Program for Business channel:
- Windows Insider Canary
- Windows Insider Dev
- Windows Insider Beta
- Windows Insider Release Preview
@ -73,12 +73,12 @@ The General Availability Channel is the default servicing channel for all Window
| Edition | General Availability Channel | Insider Program | Long-Term Servicing Channel |
| --- | --- | --- | --- |
| Home | ![yes.](images/checkmark.png)|![no](images/crossmark.png) | ![no](images/crossmark.png)|
| Pro | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)|
| Enterprise | ![yes.](images/checkmark.png) |![yes](images/checkmark.png) | ![no](images/crossmark.png)|
| Enterprise LTSC | ![no.](images/crossmark.png) |![no](images/crossmark.png) | ![yes](images/checkmark.png)|
| Pro Education | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)|
| Education | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)|
| Home | Yes|No | No|
| Pro | Yes | Yes | No|
| Enterprise | Yes |Yes | No|
| Enterprise LTSC | No |No | Yes|
| Pro Education | Yes | Yes | No|
| Education | Yes | Yes | No|
## Servicing tools
@ -89,7 +89,7 @@ Windows Server Update Services (WSUS): you set up a WSUS server, which downloads
You can set up, control, and manage the server and update process with several tools:
- A standalone Windows Server Update Services server operated directly
- [Configuration Manager](deploy-updates-configmgr.md)
- Configuration Manager
- Non-Microsoft tools
For more information, see [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
@ -104,4 +104,4 @@ Your individual devices connect to Microsoft endpoints directly to get the updat
### Hybrid scenarios
It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.
It's also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.

69
windows/deployment/update/how-windows-update-works.md
View File

@ -1,47 +1,38 @@
---
title: How Windows Update works
description: In this article, learn about the process Windows Update uses to download and install updates on a Windows client devices.
description: In this article, learn about the process Windows Update uses to download and install updates on Windows client devices.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# How Windows Update works
**Applies to**
- Windows 10
- Windows 11
The Windows Update workflow has four core areas of functionality:
### Scan
1. Orchestrator schedules the scan.
2. Orchestrator verifies admin approvals and policies for download.
### Download
1. Orchestrator starts downloads.
2. Windows Update downloads manifest files and provides them to the arbiter.
3. The arbiter evaluates the manifest and tells the Windows Update client to download files.
4. Windows Update client downloads files in a temporary folder.
5. The arbiter stages the downloaded files.
### Install
1. Orchestrator starts the installation.
2. The arbiter calls the installer to install the package.
### Commit
1. Orchestrator starts a restart.
2. The arbiter finalizes before the restart.
1. Scan
1. Orchestrator schedules the scan.
1. Orchestrator verifies admin approvals and policies for download.
1. Download
1. Orchestrator starts downloads.
1. Windows Update downloads manifest files and provides them to the arbiter.
1. The arbiter evaluates the manifest and tells the Windows Update client to download files.
1. Windows Update client downloads files in a temporary folder.
1. The arbiter stages the downloaded files.
1. Install
1. Orchestrator starts the installation.
1. The arbiter calls the installer to install the package.
1. Commit
1. Orchestrator starts a restart.
1. The arbiter finalizes before the restart.
## How updating works
@ -52,7 +43,7 @@ During the updating process, the Windows Update Orchestrator operates in the bac
The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.
When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies.
When devices check for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies.
Make sure you're familiar with the following terminology related to Windows Update scan:
@ -61,8 +52,8 @@ Make sure you're familiar with the following terminology related to Windows Upda
|Update|We use this term to mean several different things, but in this context it's the actual updated code or change.|
|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.|
|Child update|Leaf update that's bundled by another update; contains payload.|
|Detector update|A special "update" that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.|
|Category update|A special "detectoid" that has an **IsInstalled** rule that is always true. Used for grouping updates and to allow the device to filter updates. |
|Detector update|A special update that contains `IsInstalled` applicability rule only and no payload. Used for prerequisite evaluation.|
|Category update|A special `detectoid` that has an `IsInstalled` rule that is always true. Used for grouping updates and allowing the device to filter updates. |
|Full scan|Scan with empty datastore.|
|Delta scan|Scan with updates from previous scan already cached in datastore.|
|Online scan|Scan that uses the network and to check an update server. |
@ -80,7 +71,7 @@ Windows Update does the following actions when it runs a scan.
#### Starts the scan for updates
When users start scanning in Windows Update through the Settings panel, the following occurs:
- The scan first generates a ComApi message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates.
- The scan first generates a `ComApi` message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates.
- "Agent" messages: queueing the scan, then actually starting the work:
- Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers.
- Windows Update uses the thread ID filtering to concentrate on one particular task.
@ -88,9 +79,9 @@ When users start scanning in Windows Update through the Settings panel, the foll
![Windows Update scan log 1.](images/update-scan-log-1.png)
#### Proxy Behavior
For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP]: SimpleAuth Web Service | Microsoft Docs, [MS-WUSP]: Client Web Service | Microsoft Docs):
For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP: SimpleAuth Web Service](/openspecs/windows_protocols/ms-wusp/61235469-6c2f-4c08-9749-e35d52c16899), [MS-WUSP: Client Web Service](/openspecs/windows_protocols/ms-wusp/69093c08-da97-445e-a944-af0bef36e4ec)):
- System proxy is attempted (set using the `netsh` command).
- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it is the logged-in user).
- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it's the logged-in user).
> [!Note]
> For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior.
@ -130,13 +121,13 @@ Common update failure is caused due to network issues. To find the root of the i
> [!NOTE]
> If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service.
- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service cant scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since its locally configured.
- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can't scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it's locally configured.
![Windows Update scan log 3.](images/update-scan-log-3.png)
## Downloading updates
![Windows Update download step.](images/update-download-step.png)
Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.
Once the Windows Update Orchestrator determines which updates apply to your computer, it begins downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.
To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption.

17
windows/deployment/update/includes/wufb-reports-endpoints.md
View File

@ -5,7 +5,7 @@ manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 04/06/2022
ms.date: 08/21/2023
ms.localizationpriority: medium
---
<!--This file is shared by updates/wufb-reports-prerequisites.md and the update/update-compliance-configuration-manual.md articles. Headings are driven by article context. -->
@ -14,10 +14,11 @@ Devices must be able to contact the following endpoints in order to authenticate
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. |
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. |
| `https://adl.windows.com` | Required for Windows Update functionality. |
| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. |
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. |
| `https://login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
| `*v10c.events.data.microsoft.com` </br> </br> `eu-v10c.events.data.microsoft.com` for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn) <!--8141818--> | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. |
| `umwatsonc.events.data.microsoft.com` </br> </br> `eu-watsonc.events.data.microsoft.com` for tenants with billing address in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn) | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. |
| `v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
| `settings-win.data.microsoft.com` | Used by Windows components and applications to dynamically update their configuration. Required for Windows Update functionality. |
| `adl.windows.com` | Required for Windows Update functionality. |
| `oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. |
| `login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
| `*.blob.core.windows.net` | Azure blob data storage.|

47
windows/deployment/update/index.md
View File

@ -1,47 +0,0 @@
---
title: Update Windows client in enterprise deployments
description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows client.
ms.prod: windows-client
author: mestew
manager: aaroncz
ms.localizationpriority: high
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
---
# Update Windows client in enterprise deployments
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly. It spreads out the required effort into a continuous updating process, reducing the overall effort required to maintain Windows client devices in your environment. In addition, with the Windows client operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them.
## In this section
| Article | Description|
| --- | --- |
| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the servicing model for Windows client. |
| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows client; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. |
| [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. |
| [Assign devices to servicing branches for Windows client updates](waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the General Availability Channel for feature and quality updates, and how to enroll devices in Windows Insider. |
| [Monitor Windows Updates with Windows Update for Business reports](wufb-reports-overview.md) | Explains how to use Windows Update for Business reports to monitor and manage Windows Updates on devices in your organization. |
| [Optimize update delivery](../do/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. |
| [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
| [Deploy Windows client updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows client updates. |
| [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows client updates. |
| [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. |
| [Manage more Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update |
| [Windows Insider Program for Business](/windows-insider/business/register) | Explains how the Windows Insider Program for Business works and how to become an insider. |
>[!TIP]
>For disaster recovery scenarios and bare-metal deployments of Windows client, you still can use traditional imaging software such as Microsoft Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows client images is similar to deploying previous versions of Windows.

164
windows/deployment/update/media-dynamic-update.md
View File

@ -1,25 +1,23 @@
---
title: Update Windows installation media with Dynamic Update
description: Learn how to deploy feature updates to your mission critical devices
description: Learn how to acquire and apply Dynamic Update packages to existing Windows images prior to deployment
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 05/09/2023
ms.reviewer: stevedia
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 07/17/2023
---
# Update Windows installation media with Dynamic Update
**Applies to**
- Windows 10
- Windows 11
This topic explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
This article explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
Volume-licensed media is available for each release of Windows in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
@ -29,7 +27,7 @@ Whenever installation of a feature update starts (whether from media or an envir
- Updates to Setup.exe binaries or other files that Setup uses for feature updates
- Updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment
- Updates to the servicing stack necessary to complete the feature update (see [Servicing stack updates](servicing-stack-updates.md) for more information)
- Updates to the servicing stack necessary to complete the feature update For more information, see [Servicing stack updates](servicing-stack-updates.md).
- The latest cumulative (quality) update
- Updates to applicable drivers already published by manufacturers specifically intended for Dynamic Update
@ -39,20 +37,40 @@ Devices must be able to connect to the internet to obtain Dynamic Updates. In so
## Acquire Dynamic Update packages
You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. For example, you could enter *1809 Dynamic Update x64*, which would return results like this:
You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. Check various parts of the results to be sure you've identified the needed files. The following tables show the key values to search for or look for in the results.
![Table with columns labeled Title, Products, Classification, Last Updated, Version, and Size and four rows listing various dynamic updates and associated KB articles.](images/update-catalog.png)
### Windows 11, version 22H2 Dynamic Update packages
**Title** can distinguish each Dynamic Package. Cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update.
The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in **bold** the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
| Update packages |Title |
|-----------------------------------|---------------------------------------------------------------|
|Safe OS Dynamic Update | YYYY-MM Safe OS Dynamic Update for Windows 11 Version 22H2 |
|Setup Dynamic Update | YYYY-MM Setup Dynamic Update for Windows 11 Version 22H2 |
|Latest cumulative update | YYYY-MM Cumulative Update for Windows 11 Version 22H2 |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 22H2 |
|To find this Dynamic Update packages, search for or check the results here |Title |Product |Description (select the **Title** link to see **Details**) |
|---------|---------|---------|---------|
|Safe OS Dynamic Update | 2019-08 Dynamic Update... | Windows 10 Dynamic Update, Windows **Safe OS Dynamic Update** | ComponentUpdate: |
|Setup Dynamic Update | 2019-08 Dynamic Update... | Windows 10 Dynamic Update | **SetupUpdate** |
|Latest cumulative update | 2019-08 **Cumulative Update for Windows 10** | Windows 10 | Install this update to resolve issues in Windows... |
|Servicing stack Dynamic Update | 2019-09 **Servicing Stack Update for Windows 10** | Windows 10... | Install this update to resolve issues in Windows... |
If you want to customize the image with additional languages or Features on Demand, download supplemental media ISO files from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). For example, since Dynamic Update will be disabled for your devices, and if users require specific Features on Demand, you can preinstall these into the image.
### Windows 11, version 21H2 Dynamic Update packages
**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
|Safe OS Dynamic Update | YYYY-MM Dynamic Update for Windows 11 |Windows Safe OS Dynamic Update | ComponentUpdate |
|Setup Dynamic Update | YYYY-MM Dynamic Update for Windows 11 |Windows 10 and later Dynamic Update | SetupUpdate |
|Latest cumulative update | YYYY-MM Cumulative Update for Windows 11 | | |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 21H2 | | |
### For Windows 10, version 22H2 Dynamic Update packages
**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
|Safe OS Dynamic Update | YYYY-MM Dynamic Update for Windows 10 Version 22H2 |Windows Safe OS Dynamic Update | ComponentUpdate |
|Setup Dynamic Update | YYYY-MM Dynamic Update for Windows 10 Version 22H2 |Windows 10 and later Dynamic Update | SetupUpdate |
|Latest cumulative update | YYYY-MM Cumulative Update for Windows 10 Version 22H2 | | |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 10 Version 22H2 | | |
If you want to customize the image with additional languages or Features on Demand, download supplemental media ISO files from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). For example, if Dynamic Update will be disabled for your devices, and if users require specific Features on Demand, you can preinstall these into the image.
## Update Windows installation media
@ -63,56 +81,56 @@ Properly updating the installation media involves a large number of actions oper
- Windows operating system: one or more editions of Windows stored in \sources\install.wim
- Windows installation media: the complete collection of files and folders in the Windows installation media. For example, \sources folder, \boot folder, Setup.exe, and so on.
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding the Dynamic Update for Setup to the new media (26).
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding boot manager from WinPE to the new media (28).
|Task |WinRE (winre.wim) |WinPE (boot.wim) |Operating system (install.wim) | New media |
|---------|---------|---------|---------|------|
|Add servicing stack Dynamic Update | 1 | 9 | 18 |
|Add language pack | 2 | 10 | 19 |
|Add localized optional packages | 3 | 11 | |
|Add font support | 4 | 12 | |
|Add text-to-speech | 5 | 13 | |
|Update Lang.ini | | 14 | |
|Add Features on Demand | | | 20 |
|Add Safe OS Dynamic Update | 6 | | |
|Add Setup Dynamic Update | | | | 26
|Add setup.exe from WinPE | | | | 27
|Add boot manager from WinPE | | | | 28
|Add latest cumulative update | | 15 | 21 |
|Clean up the image | 7 | 16 | 22 |
|Add Optional Components | | | 23 |
|Add .NET and .NET cumulative updates | | | 24 |
|Export image | 8 | 17 | 25 |
|Task |WinRE (winre.wim) |WinPE (boot.wim) |Operating system (install.wim) | New media |
|-----------------------------------|-------------------|------------------|--------------------------------|-----------|
|Add servicing stack Dynamic Update | 1 | 9 | 18 | |
|Add language pack | 2 | 10 | 19 | |
|Add localized optional packages | 3 | 11 | | |
|Add font support | 4 | 12 | | |
|Add text-to-speech | 5 | 13 | | |
|Update Lang.ini | | 14 | | |
|Add Features on Demand | | | 20 | |
|Add Safe OS Dynamic Update | 6 | | | |
|Add Setup Dynamic Update | | | | 26 |
|Add setup.exe from WinPE | | | | 27 |
|Add boot manager from WinPE | | | | 28 |
|Add latest cumulative update | | 15 | 21 | |
|Clean up the image | 7 | 16 | 22 | |
|Add Optional Components | | | 23 | |
|Add .NET and .NET cumulative updates | | | 24 | |
|Export image | 8 | 17 | 25 | |
> [!NOTE]
> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
> [!NOTE]
> Microsoft will remove the Flash component from Windows through KB4577586, Update for Removal of Adobe Flash Player. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, Update for Removal of Adobe Flash Player will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
> Microsoft will remove the Flash component from Windows through KB4577586, "Update for Removal of Adobe Flash Player". You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
### Multiple Windows editions
The main operating system file (install.wim) contains multiple editions of Windows. Its possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
The main operating system file (install.wim) contains multiple editions of Windows. It's possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
### Additional languages and features
You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages are stored locally in this folder structure:
|Folder |Description |
|---------|---------|
|C:\mediaRefresh | Parent folder that contains the PowerShell script |
|C:\mediaRefresh\oldMedia | Folder that contains the original media that will be refreshed. For example, contains Setup.exe, and \sources folder. |
|C:\mediaRefresh\newMedia | Folder that will contain the updated media. It is copied from \oldMedia, then used as the target for all update and cleanup operations. |
|Folder |Description |
|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
|C:\mediaRefresh | Parent folder that contains the PowerShell script |
|C:\mediaRefresh\oldMedia | Folder that contains the original media that will be refreshed. For example, contains Setup.exe, and \sources folder. |
|C:\mediaRefresh\newMedia | Folder that will contain the updated media. It's copied from \oldMedia, then used as the target for all update and cleanup operations. |
### Get started
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
```powershell
#Requires -RunAsAdministrator
@ -126,8 +144,10 @@ $LANG = "ja-jp"
$LANG_FONT_CAPABILITY = "jpan"
# Declare media for FOD and LPs
# Note: Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO has been superseded by the FOD ISO.
# Language packs and the \Windows Preinstallation Environment packages are part of the LOF ISO.
# If you are using this script for Windows 10, modify to mount and use the LANGPACK ISO.
$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
$LP_ISO_PATH = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso"
# Declare Dynamic Update packages
$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu"
@ -144,24 +164,23 @@ $MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
# Mount the language pack ISO
Write-Output "$(Get-TS): Mounting LP ISO"
$LP_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
# Mount the Features on Demand ISO
Write-Output "$(Get-TS): Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
# Note: Starting with Windows 11, version 21H2, the correct path for main OS language and optional features
# moved to \LanguagesAndOptionalFeatures instead of the root. For Windows 10, use $FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\LanguagesAndOptionalFeatures"
# Declare language related cabs
$WINPE_OC_PATH = "$LP_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs"
$WINPE_OC_PATH = "$FOD_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs"
$WINPE_OC_LANG_PATH = "$WINPE_OC_PATH\$LANG"
$WINPE_OC_LANG_CABS = Get-ChildItem $WINPE_OC_LANG_PATH -Name
$WINPE_OC_LP_PATH = "$WINPE_OC_LANG_PATH\lp.cab"
$WINPE_FONT_SUPPORT_PATH = "$WINPE_OC_PATH\WinPE-FontSupport-$LANG.cab"
$WINPE_SPEECH_TTS_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS.cab"
$WINPE_SPEECH_TTS_LANG_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS-$LANG.cab"
$OS_LP_PATH = "$LP_ISO_DRIVE_LETTER`:\x64\langpacks\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab"
# Mount the Features on Demand ISO
Write-Output "$(Get-TS): Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
$OS_LP_PATH = "$FOD_PATH\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab"
# Create folders for mounting images and storing temporary files
New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
@ -199,7 +218,7 @@ Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MO
# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined
# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
# combined cumulative update can be installed.
@ -231,7 +250,7 @@ Catch
}
# The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
# but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
# update. This second approach is commented out below.
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
@ -288,7 +307,7 @@ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinRE"
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
# Dismount
Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
@ -301,7 +320,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim
### Update WinPE
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries are not identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
```powershell
#
@ -322,7 +341,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined
# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
# combined cumulative update can be installed.
@ -354,7 +373,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
# The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
# but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
# update. This second approach is commented out below.
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
@ -415,7 +434,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinPE"
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
if ($IMAGE.ImageIndex -eq "2") {
@ -442,11 +461,11 @@ Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\
### Update the main operating system
For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
For this next phase, there's no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
You can install Optional Components, along with the .NET feature, offline, but that will require the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
```powershell
#
@ -458,7 +477,7 @@ You can install Optional Components, along with the .NET feature, offline, but t
# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
# includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
# cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
# cases, the servicing stack update is not published separately; the combined cumulative update should be used for this step. However, in hopefully
# rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
# and installed first before the combined cumulative update can be installed.
@ -471,7 +490,7 @@ Write-Output "$(Get-TS): Adding package $LCU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
# The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
# but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
# update. This second approach is commented out below.
# Write-Output "$(Get-TS): Adding package $SSU_PATH"
@ -590,7 +609,6 @@ Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null
# Dismount ISO images
Write-Output "$(Get-TS): Dismounting ISO images"
Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Media refresh completed!"

BIN
windows/deployment/update/media/7991583-update-seeker-enabled.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 151 KiB

43
windows/deployment/update/olympia/olympia-enrollment-guidelines.md
View File

@ -1,43 +0,0 @@
---
title: Olympia Corp Retirement
description: Learn about the retirement of Olympia Corp and how to back up your data prior to October 31, 2022.
ms.author: lizlong
ms.topic: article
ms.prod: windows-client
author: lizgt2000
manager: aaroncz
ms.technology: itpro-updates
ms.date: 12/31/2017
---
# Olympia Corp
<!-- 6472736 -->
**Applies to**
- Windows 10
- Windows 11
## Retirement of Olympia Corp
Olympia Corp, a virtual corporation was set up to reflect the IT infrastructure of real world businesses.</br>
Olympia will be formally retired on October 31, 2022.</br>
We'll begin unassigning Olympia licenses and deleting the Olympia feedback path on Feedback Hub. Olympia Corp will no longer be a part of Windows Insider Lab for Enterprise.
> [!WARNING]
> To prevent data loss, Olympia participants need to complete the following:
> - If you're using the provided Olympia licenses, make a back up of any data as you'll lose data once we unassign the licenses.
> - Please remove your device from Olympia before October 31, 2022.
To remove the account from Azure Active Directory, follow the steps below:
1. Open the **Settings** app.
1. Go to **Accounts** > **Access work or school**.
1. Select the connected account that you want to remove, then select **Disconnect**.
1. To confirm device removal, select **Yes**.
- After removing your account from Olympia, log in to your device using your local account.
- If you're looking for another program to join, the program we recommend is the Windows Insider Program for Business. Follow the instructions below to register:
[Register for the Windows 10 Insider Program for Business](/windows-insider/business/register)
<!-- https://learn.microsoft.com/en-us/windows-insider/business/register -->
Thank you for your participation in Olympia and email Windows Insider Lab for Enterprise [olympia@microsoft.com](mailto:olympia@microsoft.com) with any questions.

33
windows/deployment/update/optional-content.md
View File

@ -1,20 +1,21 @@
---
title: Migrating and acquiring optional Windows content
description: Keep language resources and Features on Demand during operating system updates
description: How to keep language resources and Features on Demand during operating system updates for your organization.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 03/15/2023
---
# Migrating and acquiring optional Windows content during updates
***(Applies to: Windows 11 & Windows 10)***
This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term.
When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update).
@ -43,7 +44,7 @@ Windows Setup needs access to the optional content. Since optional content isn't
### User-initiated feature acquisition failure
The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits **Settings**, and attempts to install a second language, more language experience features, or other optional content. Again, since these features aren't in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can't be found, users are frustrated, and another help desk call could result. This pain point is sometimes referred to as *failure to acquire optional content*.
The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits **Settings**, and attempts to install a second language, more language experience features, or other optional content. Again, since these features aren't in the operating system, the packages need to be acquired. For a typical user with internet access, Windows acquires the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can't be found, users are frustrated, and another help desk call could result. This pain point is sometimes referred to as *failure to acquire optional content*.
## Options for acquiring optional content
@ -77,7 +78,7 @@ Consider moving to Windows Update for Business. Not only will the optional conte
Starting in March 2023, UUP has been integrated with WSUS and Configuration Manager to bring the same optional content and acquisition benefits of Windows Update to on-premises management solutions. For example:
- FODs and languages will automatically migrate for devices that perform an in-place update using an approved Windows 11, version 22H2 client feature update from WSUS. Similarly, updates such as the combined cumulative update, Setup updates, and Safe OS updates will be included and current based on the month that the feature update was approved.
- FODs and languages will automatically migrate for devices that perform an in-place update using an approved Windows 11, version 22H2 client feature update from WSUS. Similarly, updates such as the combined cumulative update, Setup updates, and Safe OS updates are included and current based on the month that the feature update was approved.
- Devices that upgrade using a local Windows image but use WSUS or Configuration Manager for approving the combined cumulative update will benefit by having support for optional content acquisition in the updated Windows OS, as well as OS self-healing.
@ -94,9 +95,9 @@ If you're not ready to move to Windows Update, another option is to enable Dynam
- **Latest cumulative update**: Installs the latest cumulative quality update.
- **Driver updates**: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update.
In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device isn't connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with `setupconfig.ini`. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
In addition to these updates for the new operating system, Dynamic Update acquires optional content during the update process to ensure that the device has this content present when the update completes. So, although the device isn't connected to Windows Update, it fetches content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with `setupconfig.ini`. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will reboot again for the latest cumulative update since it wasn't available during the feature update.
Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device reboots again for the latest cumulative update since it wasn't available during the feature update.
One further consideration when using Dynamic Update is the effect on your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Setup downloads Dynamic Update content using Delivery Optimization when available. For devices that aren't connected to the internet, a subset of the Dynamic Update content is available by using WSUS and the Microsoft catalog.
@ -120,7 +121,7 @@ The benefit of this option is that the Windows image can include those additiona
A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using `setupconfig.ini`. For more information, see [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview).
When Setup runs, it will inject these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages can't be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cabs from the LPLIP ISO. <!--Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn't a fatal error. Starting with Windows 10, version 1903,--> We treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don't migrate FOD and languages (unless Dynamic Update is enabled).
When Setup runs, it injects these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages can't be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cab files from the LPLIP ISO. <!--Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn't a fatal error. Starting with Windows 10, version 1903,--> We treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don't migrate FOD and languages (unless Dynamic Update is enabled).
This approach has some interesting benefits. The original Windows image doesn't need to be modified, possibly saving time and scripting.
@ -134,12 +135,12 @@ Several of the options address ways to address optional content migration issues
- The file path to the alternate source must be a fully qualified path; multiple locations can be separated by a semicolon.
- This setting doesn't support installing language packs from an alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired.
- If this setting isn't configured or disabled, files will be downloaded from the default Windows Update location, for example Windows Update for Business or WSUS.
- If this setting isn't configured or disabled, files are downloaded from the default Windows Update location, for example Windows Update for Business or WSUS.
For more information, see [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source).
## Learn more
## More resources
For more information about the Unified Update Platform and the approaches outlined in this article, see the following resources:
@ -156,11 +157,11 @@ For more information about the Unified Update Platform and the approaches outlin
## Sample scripts
Options 4 and 6 involve the most scripting. Sample scripts for Option 4 already exist, so we'll look at sample scripts for [Option 6](#option-6-install-optional-content-after-deployment): Install Optional Content after Deployment.
Options 4 and 6 involve the most scripting. Sample scripts for Option 4 already exist, so let's look at sample scripts for [Option 6](#option-6-install-optional-content-after-deployment): Install Optional Content after Deployment.
### Creating an optional content repository
To get started, we'll build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We'll configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository.
To get started, we build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository.
@ -573,7 +574,7 @@ Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction ignore | Out-Null
### Saving optional content in the source operating system
To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This action will limit the files to copy.
To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This action limits the files to copy.
```powershell

24
windows/deployment/update/plan-define-readiness.md
View File

@ -1,26 +1,26 @@
---
title: Define readiness criteria
description: Identify important roles and figure out how to classify apps
description: Identify important roles and figure out how to classify apps so you can plan and manage your deployment
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Define readiness criteria
**Applies to**
- Windows 10
- Windows 11
Planning and managing a deployment involves a variety of distinct activities and roles best suited to each activity. This article describes how to identify important roles and figure out how to classify apps.
## Figure out roles and personnel
Planning and managing a deployment involves a variety of distinct activities and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
### Process manager
@ -50,13 +50,9 @@ This table sketches out one view of the other roles, with their responsibilities
|Stakeholders | Represent groups affected by updates, for example, heads of finance, end-user services, or change management | Key decision maker for a business unit or department | Plan, pilot deployment, broad deployment |
## Set criteria for rating apps
Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but arent critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This process will help you understand how best to deploy updates and how to resolve any issues that could arise.
Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren't critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This process will help you understand how best to deploy updates and how to resolve any issues that could arise.
In the Prepare phase, you'll apply the criteria you define now to every app in your organization.
@ -78,7 +74,7 @@ Here's an example priority rating system; the specifics could vary for your orga
|---------|---------|
|1 | Any issues or risks identified must be investigated and resolved as soon as possible. |
|2 | Start investigating risks and issues within two business days and fix them *during* the current deployment cycle. |
|3 | Start investigating risks and issues within 10 business days. You dont have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. |
|3 | Start investigating risks and issues within 10 business days. You don't have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. |
|4 | Start investigating risks and issues within 20 business days. You can fix them in the current or any future development cycle. |
Related to priority, but distinct, is the concept of severity. You should define a severity ranking as well, based on how you feel a problem with an app should affect the deployment cycle.

34
windows/deployment/update/plan-define-strategy.md
View File

@ -1,45 +1,43 @@
---
title: Define update strategy
description: Two examples of a calendar-based approach to consistent update installation
description: Example of using a calendar-based approach to achieve consistent update installation in your organization.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Define update strategy with a calendar
**Applies to**
- Windows 10
- Windows 11
Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices.
Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an extra 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows release cycles, update mechanisms, and relevant tools to support this model. For more information about the Windows lifecycle, see [Windows lifecycle FAQ](/lifecycle/faq/windows).
We encourage you to deploy every available release and maintain a fast cadence for some portion of your environment. We also recognize that you might have a large number of devices, and a need for little or no disruption. So, you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly.
We encourage you to deploy every available release and maintain a fast cadence for some portion of your environment. We also recognize that you might have a large number of devices, and a need for little or no disruption. The lifecycle cadence lets you allow some portion of your environment to move faster while the majority can move less quickly.
## Calendar approaches
You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they'll stop receiving the monthly security updates.
You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they stop receiving the monthly security updates once a version is out of support.
### Annual
Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Configuration Manager and Microsoft 365 Apps release cycles:
## Annual approach
Here's a calendar showing an example schedule that applies one Windows feature update per calendar year, aligned with Microsoft Configuration Manager and Microsoft 365 Apps release cycles:
[ ![Calendar showing an annual update cadence.](images/annual-calendar.png) ](images/annual-calendar.png#lightbox)
This approach provides approximately 12 months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
This approach provides approximately 12 months of use from each feature update before the next update is due to be installed by aligning to the Windows H2 feature update.
This cadence might be most suitable for you if any of these conditions apply:
- You're just starting your journey with the Windows 10 servicing process. If you're unfamiliar with new processes that support Windows 10 servicing, moving from a project happening once every three to five years to a twice-a-year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
- You're just starting your journey with the Windows servicing process. If you're unfamiliar with new processes that support Windows servicing, moving from a project happening once every three to five years to a feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
- You want to wait and see how successful other companies are at adopting a Windows 10 feature update.
- You want to wait and see how successful other companies are at adopting a Windows feature update.
- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get extra servicing for Windows 10 (30 months of servicing compared to 18 months).
- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows serviced in case business priorities change.

38
windows/deployment/update/plan-determine-app-readiness.md
View File

@ -1,37 +1,35 @@
---
title: Determine application readiness
manager: aaroncz
description: How to test your apps to know which need attention prior to deploying an update
description: How to test your apps to identify which need attention prior to deploying an update in your organization.
ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
ms.topic: conceptual
ms.author: mstewart
author: mestew
ms.technology: itpro-updates
manager: aaroncz
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Determine application readiness
**Applies to**
- Windows 10
- Windows 11
Before you deploy a Windows client update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps](plan-define-readiness.md) with respect to their criticality in your organization.
## Validation methods
You can choose from a variety of methods to validate apps. Exactly which ones to use will depend on the specifics of your environment.
You can choose from various methods to validate apps. Exactly which ones to use depends on the specifics of your environment.
|Validation method |Description |
|---------|---------|
|Full regression | A full quality assurance probing. Staff who know the application well and can validate its core functionality should do this. |
|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application theyre validating. |
|Automated testing | Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically. |
|Test in pilot | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. |
|Reactive response | Applications are validated in late pilot, and no specific users are selected. These applications normally aren't installed on many devices and arent handled by enterprise application distribution. |
|Full regression | A full quality assurance probing. Staff that know the application well and can validate its core functionality should do this validation. |
|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they're validating. |
|Automated testing | Software performs tests automatically. The software lets you know whether the tests have passed or failed, and provides detailed reporting for you automatically. |
|Test in pilot | You preselect users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. |
|Reactive response | Applications are validated in late pilot, and no specific users are selected. These applications normally aren't installed on many devices and aren't handled by enterprise application distribution. |
Combining the various validation methods with the app classifications you've previously established might look like this:
@ -46,7 +44,7 @@ Combining the various validation methods with the app classifications you've pre
### Identify users
Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you'll have to choose which users are best suited for validation testing. Some factors to consider include:
Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you have to choose which users are best suited for validation testing. Some factors to consider include:
- **Location**: If users are in different physical locations, can you support them and get validation feedback from the region they're in?
- **Application knowledge**: Do the users have appropriate knowledge of how the app is supposed to work?
@ -56,10 +54,10 @@ You could seek volunteers who enjoy working with new features and include them i
### Identify and set up devices for validation
In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection will include devices representing all of the hardware models in your environment.
In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection includes devices representing all of the hardware models in your environment.
There is more than one way to choose devices for app validation:
There's more than one way to choose devices for app validation:
- **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles.
- **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
- **Manual selection**: Some internal groups like operations have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
- **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices.

48
windows/deployment/update/prepare-deploy-windows.md
View File

@ -2,28 +2,26 @@
title: Prepare to deploy Windows
description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Prepare to deploy Windows
**Applies to**
- Windows 10
- Windows 11
Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows client. The planning phase will have left you with these useful items:
Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows client. The planning phase left you with these useful items:
- A clear understanding of necessary personnel and their roles and criteria for [rating app readiness](plan-define-readiness.md)
- A plan for [testing and validating](plan-determine-app-readiness.md) apps
- An assessment of your [deployment infrastructure](eval-infra-tools.md) and definitions for operational readiness
- A [deployment plan](create-deployment-plan.md) that defines the rings you want to use
- A [deployment plan](create-deployment-plan.md) that defines the rings you want to use
Now you're ready to actually start making changes in your environment to get ready to deploy.
@ -33,26 +31,26 @@ Now you're ready to actually start making changes in your environment to get rea
- Update non-Microsoft security tools like security agents or servers.
- Update non-Microsoft management tools like data loss prevention agents.
Your infrastructure probably includes many different components and tools. Youll need to ensure your environment isnt affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps:
Your infrastructure probably includes many different components and tools. You need to ensure your environment isn't affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps:
1. Review all of the infrastructure changes that youve identified in your plan. Its important to understand the changes that need to be made and to detail how to implement them. This process prevents problems later on.
1. Review all of the infrastructure changes that you've identified in your plan. It's important to understand the changes that need to be made and to detail how to implement them. This process prevents problems later on.
2. Validate your changes. Youll validate the changes for your infrastructures components and tools, to help you understand how your changes could affect your production environment.
2. Validate your changes. You validate the changes for your infrastructure's components and tools, to help you understand how your changes could affect your production environment.
3. Implement the changes. Once the changes have been validated, you can implement the changes across the wider infrastructure.
You should also look at your organizations environments configuration and outline how youll implement any necessary changes previously identified in the plan phase to support the update. Consider what youll need to do for the various settings and policies that currently underpin the environment. For example:
You should also look at your organization's environment's configuration and outline how you'll implement any necessary changes previously identified in the plan phase to support the update. Consider what you need to do for the various settings and policies that currently underpin the environment. For example:
- Implement new draft security guidance. New versions of Windows can include new features that improve your environments security. Your security teams will want to make appropriate changes to security-related configurations.
- Implement new draft security guidance. New versions of Windows can include new features that improve your environment's security. Your security teams will want to make appropriate changes to security-related configurations.
- Update security baselines. Security teams understand the relevant security baselines and will have to work to make sure all baselines fit into whatever guidance they have to adhere to.
However, your configuration will consist of many different settings and policies. Its important to only apply changes where they are necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that will slow down the update process. You want to ensure your environment isnt affected adversely because of changes you make. For example:
However, your configuration will consist of many different settings and policies. It's important to only apply changes where they're necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that slow down the update process. You want to ensure your environment isn't affected adversely because of changes you make. For example:
1. Review new security settings. Your security team will review the new security settings to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.
1. Review new security settings. Your security team reviews the new security settings to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.
2. Review security baselines for changes. Security teams will also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant.
2. Review security baselines for changes. Security teams also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant.
3. Implement and validate security settings and baseline changes. Your security teams will then implement all of the security settings and baselines, having addressed any potential outstanding issues.
@ -142,9 +140,9 @@ You can also create and run scripts to perform additional cleanup actions on dev
- Compact the operating system by running **Compact.exe /CompactOS:always**.
- Remove Windows Features on Demand that the user doesn't need. See [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) for more guidance.
- Remove Windows Features on Demand that the user doesn't need. For more information, see [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities).
- Move Windows Known Folders to OneDrive. See [Use Group Policy to control OneDrive sync settings](/onedrive/use-group-policy) for more information.
- Move Windows Known Folders to OneDrive. For more information, see [Use Group Policy to control OneDrive sync settings](/onedrive/use-group-policy).
- Clean up the Software Distribution folder. Try deploying these commands as a batch file to run on devices to reset the download state of Windows Updates:
@ -167,9 +165,9 @@ You can also create and run scripts to perform additional cleanup actions on dev
## Prepare capability
In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You'll need to complete these higher-level tasks to gain those new capabilities:
In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You need to complete these higher-level tasks to gain those new capabilities:
- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions will come with new policies that you use to update ADMX templates.
- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions come with new policies that you use to update ADMX templates.
- Validate new changes to understand how they affect the wider environment.
@ -177,12 +175,12 @@ In the plan phase, you determined the specific infrastructure and configuration
## Prepare users
Users often feel like they are forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning.
Users often feel like they're forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning.
You can employ a variety of measures to achieve this goal, for example:
You can employ various measures to achieve this goal, for example:
- Send overview email about the update and how it will be deployed to the entire organization.
- Send personalized emails to users about the update with specific details.
- Set an opt-out deadline for employees that need to remain on the current version for a bit longer, due to a business need.
- Provide the ability to voluntarily update at users convenience.
- Provide the ability to voluntarily update at users' convenience.
- Inform users of a mandatory installation date when the update will be installed on all devices.

38
windows/deployment/update/release-cycle.md
View File

@ -1,19 +1,21 @@
---
title: Update release cycle for Windows clients
description: Learn about the release cycle ofupdates for Windows clients to stay productive and protected.
description: Learn about the release cycle forupdates so Windows clients in your organization stay productive and protected.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 05/19/2023
---
# Update release cycle for Windows clients
<!--7696511-->
***(Applies to: Windows 11 & Windows 10)***
Windows updates help you to stay productive and protected. They provide your users and IT administrators with the security fixes they need, and protect devices so that unpatched vulnerabilities can't be exploited. Updates for the Windows client OS are typically cumulative. They include all previously released fixes to guard against fragmentation of the operating system. Reliability and vulnerability issues can occur when only a subset of fixes is installed.
@ -23,11 +25,11 @@ This article provides details on the types of updates that Microsoft provides, a
|Release type | Description | Release cycle |
|---|---|---|
| [Monthly security update release](#monthly-security-update-release)| A cumulative update release that includes both security and non-security content | Second Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Optional non-security preview release](#optional-non-security-preview-release)| An optional cumulative update release that's typically used for early validation of the monthly security update release| Fourth Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Monthly security update release](#monthly-security-update-release)| A cumulative update release that includes both security and nonsecurity content | Second Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Optional nonsecurity preview release](#optional-nonsecurity-preview-release)| An optional cumulative update release that's typically used for early validation of the monthly security update release| Fourth Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Out-of-band (OOB) release](#oob-releases) | Resolves a recently identified issue or vulnerability | As needed |
| [Annual feature update](#annual-feature-updates) | An update with new features and enhancements that also changes the Windows version | Once a year in the second half of the calendar year |
| [Continuous innovation for Windows 11](#continuous-innovation-for-windows-11)| Introduces new features and enhancements for Windows 11 | Periodically included in an optional non-security preview release then in the monthly security update releases |
| [Continuous innovation for Windows 11](#continuous-innovation-for-windows-11)| Introduces new features and enhancements for Windows 11 | Periodically included in an optional nonsecurity preview release then in the monthly security update releases |
## Monthly security update release
@ -42,7 +44,7 @@ Most people are familiar with the **monthly security update release**. The **mon
- Latest cumulative update (LCU)
**Monthly security update releases** are cumulative. The release includes both new and previously released security fixes, along with non-security content introduced in the prior month's [**Optional non-security preview release**](#optional-non-security-preview-release). These updates help keep Windows devices secure and compliant by deploying stability fixes and addressing security vulnerabilities. Most organizations consider monthly security update releases as mandatory.
**Monthly security update releases** are cumulative. The release includes both new and previously released security fixes, along with nonsecurity content introduced in the prior month's [**Optional nonsecurity preview release**](#optional-nonsecurity-preview-release). These updates help keep Windows devices secure and compliant by deploying stability fixes and addressing security vulnerabilities. Most organizations consider monthly security update releases as mandatory.
Monthly security update releases are available through the following channels:
@ -52,11 +54,11 @@ Monthly security update releases are available through the following channels:
Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
## Optional non-security preview release
## Optional nonsecurity preview release
**Optional non-security preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, non-security preview releases. New features might initially be deployed in the prior month's **optional non-security preview release**, then ship in the following **monthly security update release**. These releases are only offered to the most recent, supported versions of Windows.
**Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. These releases are only offered to the most recent, supported versions of Windows.
**Optional non-security preview releases** might commonly be referred to as:
**Optional nonsecurity preview releases** might commonly be referred to as:
- C or D week releases (meaning the third or fourth week of the month)
- Preview updates
@ -64,9 +66,9 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con
- LCU preview
> [!Important]
> Starting in April 2023, all **optional non-security preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
> Starting in April 2023, all **optional nonsecurity preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
To access the optional non-security preview release:
To access the optional nonsecurity preview release:
- Navigate to**Settings** > **Update & Security** > **Windows Update**and select**Check for updates**.
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
- Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
@ -78,16 +80,16 @@ To access the optional non-security preview release:
Some key considerations about OOB releases include:
- OOB releases are always cumulative.
- OOB releases supersede any prior monthly security update and optional non-security preview release.
- OOB releases supersede any prior monthly security update and optional nonsecurity preview release.
- OOB releases generally require IT admins to deploy off-cycle.
- Some OOB releases are classified as critical.
- Critical OOB releases are automatically available to WSUS and Windows Update for Business, just like the monthly security update releases.
- Some OOB releases are classified as non-critical.
- Non-critical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
- Some OOB releases are classified as noncritical.
- Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
## Continuous innovation for Windows 11
Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **optional non-security preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **monthly security update release**.
Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **optional nonsecurity preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **monthly security update release**.
Some of the new features may be disruptive to organizations. By default, these select features are turned off temporarily for all managed devices until the next annual feature update is installed. In this scenario, a device is considered managed if it uses one of the following to determine which updates to install:

24
windows/deployment/update/safeguard-holds.md
View File

@ -1,31 +1,29 @@
---
title: Safeguard holds
description: What are safeguard holds, how can you tell if one is in effect, and what to do about it.
title: Safeguard holds for Windows
description: What are safeguard holds? How to can you tell if a safeguard hold is in effect, and what to do about it.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
ms.collection:
- highpri
- tier2
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Safeguard holds
**Applies to**
- Windows 10
- Windows 11
Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply safeguard holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use safeguard holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe effect (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround isn't immediately available.
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client.
The safeguard holds lifespan varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update will resume offering new operating system versions to devices.
The safeguard holds lifespan varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update resumes offering new operating system versions to devices.
Safeguard holds only affect devices that use the Windows Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
@ -37,11 +35,11 @@ IT admins can use [Windows Update for Business reports](wufb-reports-overview.md
Windows Update for Business reports identifies safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find more details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.
On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users see a message.
![Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page.](images/safeguard-hold-notification.png)
This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we'll release the safeguard hold and the update can resume safely.
This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we release the safeguard hold so the update can resume safely.
## What can I do?

29
windows/deployment/update/safeguard-opt-out.md
View File

@ -1,38 +1,35 @@
---
title: Opt out of safeguard holds
description: Steps to install an update even it if has a safeguard hold applied
description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 10/21/2020
---
# Opt out of safeguard holds
**Applies to**
- Windows 10
- Windows 11
Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows client feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see [Safeguard holds](safeguard-holds.md).
## How can I opt out of safeguard holds?
IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update and in Windows 11.
IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running the following operating systems:
- Windows 11
- Windows 10, version 1809, or later, with the October 2020 security update.
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues.
We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows client feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business.
Disabling safeguards does not guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you are bypassing the protection against known issues.
Disabling safeguards doesn't guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you're bypassing the protection against known issues.
> [!NOTE]
> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsofts default protection from known issues for each new feature update.
> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to **Not configured** even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft's default protection from known issues for each new feature update.

29
windows/deployment/update/servicing-stack-updates.md
View File

@ -2,29 +2,26 @@
title: Servicing stack updates
description: In this article, learn how servicing stack updates improve the code that installs the other updates.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: high
ms.author: mstewart
manager: aaroncz
ms.collection:
- highpri
- tier2
ms.topic: conceptual
ms.technology: itpro-updates
ms.localizationpriority: high
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server </a>
ms.date: 12/31/2017
---
# Servicing stack updates
**Applies to**
- Windows 10
- Windows 11
- Windows Server
## What is a servicing stack update?
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically doesn't have updates released every month.
## Why should servicing stack updates be installed and kept up to date?
@ -34,8 +31,6 @@ Servicing stack updates improve the reliability of the update process to mitigat
Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
>[!NOTE]
>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
## What's the difference between a servicing stack update and a cumulative update?
@ -49,18 +44,18 @@ Microsoft publishes all cumulative updates and SSUs for Windows 10, version 2004
Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
Typically, the improvements are reliability and performance improvements that don't require any specific special guidance. If there's any significant impact, it will be present in the release notes.
## Installation notes
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
* Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
* Installing servicing stack update doesn't require restarting the device, so installation shouldn't be disruptive.
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
* Servicing stack updates can be delivered with Windows Update, or you can perform a search to install the latest available at [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001).
* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
* Once a servicing stack update is installed, it can't be removed or uninstalled from the machine.
## Simplifying on-premises deployment of servicing stack updates
With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update includes the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you'll only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update is available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.

20
windows/deployment/update/update-baseline.md
View File

@ -1,35 +1,35 @@
---
title: Update Baseline
description: Use an update baseline to optimize user experience and meet monthly update goals
title: Windows 10 Update Baseline
description: Use an update baseline to optimize user experience and meet monthly update goals in your organization.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Update Baseline
**Applies to:** Windows 10
> [!NOTE]
> Update Baseline is not currently available for Windows 11.
> Update Baseline isn't currently available for Windows 11.
With the large number of different policies offered for Windows client, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations.
## Why is Update Baseline needed?
Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you are just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations.
Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you're just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations.
## You can use Update Baseline to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. You can use Group Policy to configure a device with the setting values specified in the baseline.
Update Baseline doesn't affect your offering policies, whether youre using deferrals or target version to manage which updates are offered to your devices and when.
Update Baseline doesn't affect your offering policies, whether you're using deferrals or target version to manage which updates are offered to your devices and when.
## Policies included in the Update Baseline

75
windows/deployment/update/update-policies.md
View File

@ -1,23 +1,21 @@
---
title: Policies for update compliance, activity, and user experience
description: Explanation and recommendations for settings
title: Policies for update compliance and user experience
description: Explanation and recommendations for update compliance, activity, and user experience for your organization.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Policies for update compliance, activity, and user experience
**Applies to**
- Windows 10
- Windows 11
Keeping devices up to date is the best way to keep them working smoothly and securely.
## Deadlines for update compliance
@ -30,7 +28,7 @@ deadline approaches, and then prioritize velocity as the deadline nears, while s
Beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709
and later (including Windows 11), a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**.
The older policies started enforcing deadlines once the device reached a restart pending state for
The older policies started enforcing deadlines once the device reached a `restart pending` state for
an update. The new policy starts the countdown for the update installation deadline from when the
update is published plus any deferral. In addition, this policy includes a configurable grace period and the option
to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic
@ -42,7 +40,7 @@ We recommend you set deadlines as follows:
Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded
later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you
do **not** set any notification policies, because they are automatically configured with appropriate defaults. An exception is if you
do **not** set any notification policies, because they're automatically configured with appropriate defaults. An exception is if you
have kiosks or digital signage.
While three days for quality updates and seven days for feature updates is our recommendation, you might decide
@ -57,7 +55,7 @@ to a minimum of two days.
### Grace periods
You can set a period of days for Windows to find a minimally disruptive automatic restart time before the restart is enforced. This
is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device will not
is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device won't
be forced to update immediately when the user returns.
We recommend you set the following:
@ -79,15 +77,15 @@ automatic restart. To take advantage of this feature, ensure **ConfigureDeadline
Windows typically requires that a device is active and connected to the internet for at least six hours, with at least two
of continuous activity, in order to successfully complete a system update. The device could have other
physical circumstances that prevent successful installation of an update--for example, if a laptop is running low
on battery power, or the user has shut down the device before active hours end and the device cannot comply
on battery power, or the user has shut down the device before active hours end and the device can't comply
with the deadline.
You can use the settings in this section to ensure that devices are actually available to install updates during the update compliance period.
You can use the settings in this section to ensure that devices are available to install updates during the update compliance period.
### Active hours
"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts will occur outside of
these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a users activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update.
"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts occur outside of
these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a user's activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update.
> [!IMPORTANT]
> If you used the **Configure Active Hours** setting in previous versions of Windows 10, these
@ -96,14 +94,12 @@ options must be **Disabled** in order to take advantage of intelligent active ho
If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update
velocity:
- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While its possible to set the system to delay restarts for users who are logged
in, this might delay an update indefinitely if a user is always either logged in or shut down. Instead, we
recommend setting the following polices to **Disabled**:
- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following polices to **Disabled**:
- **Turn off auto-restart during active hours**
- **No auto-restart with logged on users for scheduled automatic updates**
- [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users will receive notifications that
updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the users ability to delay a restart outside of compliance deadline settings.
- [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users receive notifications that
updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the user's ability to delay a restart outside of compliance deadline settings.
- **Do not allow users to approve updates and reboots**. Letting users approve or engage with the update process outside of the deadline policies decreases update velocity and increases risk. These policies should be set to **Disabled**:
- [Update/RequireUpdateApproval](/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval)
@ -113,8 +109,8 @@ updates will occur, so we recommend that you set this policy to **Disabled**, to
- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozescheduleforfeatureupdates)
- [Update/EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-csp-update#update-engagedrestarttransitionschedule)
- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If youre using Microsoft Intune, setting the value to [Reset to Default](/mem/intune/protect/windows-update-settings#user-experience-settings).
- **Allow auto Windows Update to download over metered networks**. Since more and more devices primarily use cellular data and do not have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting does not allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they are connected to the internet or not, provided they have cellular service.
- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you're using Microsoft Intune, setting the value to [Reset to Default](/mem/intune/protect/windows-update-settings#user-experience-settings).
- **Allow auto Windows Update to download over metered networks**. Since more devices primarily use cellular data and don't have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting doesn't allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they're connected to the internet or not, provided they have cellular service.
> [!IMPORTANT]
> Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies:
@ -127,11 +123,11 @@ recommend setting this value to **3** (corresponding to 3 AM). If 3:00 AM is in
### Power policies
Devices must actually be available during non-active hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs:
Devices must actually be available during nonactive hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs:
To a user, a device is either on or off, but for Windows, there are states that will allow an update to occur (active) and states that do not (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update.
To a user, a device is either on or off, but for Windows, there are states that allow an update to occur (active) and states that don't (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update.
You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during non-active hours.
You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during nonactive hours.
> [!NOTE]
> One way to ensure that devices can install updates when you need them to is to educate your users to keep devices plugged in during non-active hours. Even with the best policies, a device that isn't plugged in will not be updated, even in sleep mode.
@ -139,13 +135,12 @@ You can override the default settings and prevent users from changing them in or
We recommend these power management settings:
- Sleep mode (S1 or S0 Low Power Idle or [Modern Standby](/windows-hardware/design/device-experiences/modern-standby)). When a device is in sleep mode, the system
appears to be off but if an update is available, it can wake the device up in order to take an update. The
appears to be off but if an update is available, it can wake up the device in order to take an update. The
power consumption in sleep mode is between working (system fully usable) and hibernate (S4 - lowest
power level before shutdown). When a device is not being used, the system will generally move to sleep
power level before shutdown). When a device isn't being used, the system will generally move to sleep
mode before it goes to hibernate. Issues in velocity arise when the time between sleep and hibernate is
too short and Windows does not have time to complete an update. Sleep mode is an important setting
because the system can wake the system from sleep in order to start the update process, as long as there
is enough power.
too short and Windows doesn't have time to complete an update. Sleep mode is an important setting
because the system can wake the system from sleep in order to start the update process, as long as there's enough power.
Set the following policies to **Enable** or **Do Not Configure** in order to allow the device to use sleep mode:
- [Power/AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#power-allowstandbystateswhensleepingonbattery)
@ -156,15 +151,15 @@ sleep mode and the device has an opportunity to take an update:
- [Power/SelectLidCloseActionOnBattery](/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactiononbattery)
- [Power/SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin)
- **Hibernate**. When a device is hibernating, power consumption is very low and the system cannot wake up
without user intervention, like pressing the power button. If a device is in this state, it cannot be updated
- **Hibernate**. When a device is hibernating, power consumption is low and the system can't wake up
without user intervention, like pressing the power button. If a device is in this state, it can't be updated
unless it supports an ACPI Time and Alarm Device (TAD). That said, if a device supporting Traditional Sleep
(S3) is plugged in, and a Windows update is available, a hibernate state will be delayed until the update is complete.
(S3) is plugged in, and a Windows update is available, a hibernate state is delayed until the update is complete.
> [!NOTE]
> This does not apply to devices that support Modern Standby (S0 Low Power Idle). You can check which system sleep state (S3 or S0 Low Power Idle) a device supports by running `powercfg /a` at a command prompt. For more, see [Powercfg options](/windows-hardware/design/device-experiences/powercfg-command-line-options#option_availablesleepstates).
The default timeout on devices that support traditional sleep is set to three hours. We recommend that you do not reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation:
The default timeout on devices that support traditional sleep is set to three hours. We recommend that you don't reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation:
- [Power/HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutonbattery)
- [Power/HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutpluggedin)
@ -177,7 +172,7 @@ Each release of Windows client can introduce new policies to make the experience
> If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are
> using an MDM tool (Microsoft or non-Microsoft), you can't use the new policy until it's available in the tool interface.
As administrators, you have set up and expect certain behaviors, so we expressly do not remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.
As administrators, you have set up and expect certain behaviors, so we expressly don't remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.
> [!IMPORTANT]
> We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up:
@ -192,11 +187,11 @@ As administrators, you have set up and expect certain behaviors, so we expressly
The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict:
- **Defer Feature Updates Period in Days**. For maximum update velocity, it's best to set this to **0** (no
deferral) so that the feature update can complete and monthly security updates will be offered again. Even if there is an urgent quality update that must be quickly deployed, it is best to use **Pause Feature
deferral) so that the feature update can complete and monthly security updates are offered again. Even if there's an urgent quality update that must be quickly deployed, it's best to use **Pause Feature
Updates** rather than setting a deferral policy. You can choose a longer period if you don't want to stay up to date with the latest feature update.
- **Defer Quality Updates Period in Days**. To minimize risk and maximize update velocity, the maximum time you might want to consider while evaluating the update with a different ring of devices is two to three days.
- **Pause Feature Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution.
- **Pause Quality Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution.
- **Deadline No Auto Reboot**. Default is **Disabled Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
- **Pause Quality Updates Start Time**. Set to **Disabled** unless there's a known issue requiring time for a resolution.
- **Deadline No Auto Reboot**. Default is **Disabled - Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
There are additional policies are no longer supported or have been superseded.
There are also additional policies are no longer supported or have been superseded.

27
windows/deployment/update/waas-branchcache.md
View File

@ -2,31 +2,28 @@
title: Configure BranchCache for Windows client updates
description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Configure BranchCache for Windows client updates
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
- Distributed Cache mode operates like the [Delivery Optimization](../do/waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
>[!TIP]
>Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution.
> [!TIP]
> Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution.
- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf.
@ -36,7 +33,7 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode
Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)).
In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
## Configure servers for BranchCache
@ -44,8 +41,8 @@ You can use WSUS and Configuration Manager with BranchCache in Distributed Cache
For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj572990(v=ws.11)) or [BranchCache Deployment Guide (Windows Server 2016)](/windows-server/networking/branchcache/deploy/branchcache-deployment-guide).
In addition to these steps, there is one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode.
In addition to these steps, there's one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode.
>[!NOTE]
>Configuration Manager only supports Distributed Cache mode.
> [!NOTE]
> Configuration Manager only supports Distributed Cache mode.

67
windows/deployment/update/waas-configure-wufb.md
View File

@ -6,22 +6,21 @@ ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
ms.topic: article
ms.topic: conceptual
ms.technology: itpro-updates
ms.date: 05/19/2023
ms.collection:
- tier1
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
ms.date: 08/22/2023
---
# Configure Windows Update for Business
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
> [!NOTE]
@ -162,7 +161,7 @@ In cases where the pause policy is first applied after the configured start date
| MDM for Windows 10, version 1607 or later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates</br>**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime |
| MDM for Windows 10, version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
You can check the date that quality updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
The local group policy editor (GPEdit.msc) won't reflect whether the quality update pause period has expired. Although the device will resume quality updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
@ -210,6 +209,43 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
| GPO for Windows 10, version 1607 or later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
## Enable optional updates
<!--7991583-->
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Enable optional updates** policy.
To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**.
:::image type="content" source="media/7991583-update-seeker-enabled.png" alt-text="Screenshot of the Get the latest updates as soon as they're available option in the Windows updates page of Settings." lightbox="media/7991583-update-seeker-enabled.png":::
The following options are available for the policy:
- **Automatically receive optional updates (including CFRs)**:
- The latest optional nonsecurity updates and CFRs are automatically installed on the device. The quality update deferral period is applied to the installation of these updates.
- The **Get the latest updates as soon as they're available** option is selected and users can't change the setting.
- Devices will receive CFRs in early phases of the rollout.
- **Automatically receive optional updates**:
- The latest optional nonsecurity updates are automatically installed on the device but CFRs aren't. The quality update deferral period is applied to the installation of these updates.
- The **Get the latest updates as soon as they're available** option isn't selected and users can't change the setting.
- **Users can select which optional updates to receive**:
- Users can select which optional updates to install from **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Optional updates**.
- Optional updates are offered to the device, but user interaction is required to install them unless the **Get the latest updates as soon as they're available** option is also enabled.
- CFRs are offered to the device, but not necessarily in the early phases of the rollout.
- Users can enable the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. If the user enables the **Get the latest updates as soon as they're available**, then:
- The device will receive CFRs in early phases of the rollout.
- Optional updates are automatically installed on the device.
- **Not configured** (default):
- Optional updates aren't installed on the device and the **Get the latest updates as soon as they're available** option is disabled.
**Policies to enable optional updates**
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
| MDM for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: </br>./Device/Vendor/MSFT/Policy/Config/Update/</br>**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
## Enable features that are behind temporary enterprise feature control
<!--6544872-->
@ -221,8 +257,8 @@ The features that are behind temporary enterprise feature control will be enable
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl |
| MDM for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
| GPO for Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl |
| MDM for Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>./Device/Vendor/MSFT/Policy/Config/Update/</br>**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later
@ -233,6 +269,7 @@ The following are quick-reference tables of the supported policy values for Wind
| GPO Key | Key type | Value |
| --- | --- | --- |
| AllowOptionalContent</br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs)</br> 2: Automatically receive optional updates </br> 3: Users can select which optional updates to receive </br> Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.</br> Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast </br> 4: Systems take feature updates for the Windows Insider build - Slow </br> 8: Systems take feature updates for the Release Windows Insider build </br></br> Other value or absent: Receive all applicable updates |
| DeferFeatureUpdates | REG_DWORD | 1: Defer feature updates</br>Other value or absent: Don't defer feature updates |
@ -248,6 +285,7 @@ The following are quick-reference tables of the supported policy values for Wind
| MDM Key | Key type | Value |
| --- | --- | --- |
| AllowOptionalContent </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs)</br> 2: Automatically receive optional updates </br> 3: Users can select which optional updates to receive </br> Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl </br> </br>*Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled.</br> Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast </br> 4: Systems take feature updates for the Windows Insider build - Slow </br> 8: Systems take feature updates for the Release Windows Insider build </br>32: Systems take feature updates from General Availability Channel </br>Note: Other value or absent: Receive all applicable updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
@ -272,3 +310,4 @@ When a device running a newer version sees an update available on Windows Update
| PauseFeatureUpdates | PauseFeatureUpdatesStartTime |
| PauseQualityUpdates | PauseQualityUpdatesStartTime |

33
windows/deployment/update/waas-integrate-wufb.md
View File

@ -2,23 +2,20 @@
title: Integrate Windows Update for Business
description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Integrate Windows Update for Business with management solutions
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
@ -28,8 +25,8 @@ You can integrate Windows Update for Business deployments with existing manageme
For Windows 10, version 1607 and later, devices can be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup:
- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies
- Devices receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows won't follow your Windows Update for Business deferral policies
### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS
@ -37,9 +34,9 @@ For Windows 10, version 1607 and later, devices can be configured to receive upd
- Device is configured to defer Windows quality updates using Windows Update for Business
- Device is also configured to be managed by WSUS
- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
- Device isn't configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
- Admin has opted to put updates to Office and other products on WSUS
- Admin has also put 3rd party drivers on WSUS
- Admin has also put third-party drivers on WSUS
|Content|Metadata source|Payload source|Deferred?|
|--- |--- |--- |--- |
@ -70,12 +67,12 @@ For Windows 10, version 1607 and later, devices can be configured to receive upd
**Configuration:**
- Device is configured to defer quality updates using Windows Update for Business and to be managed by WSUS
- Device is configured to receive updates for other Microsoft products along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
- Device is configured to **receive updates for other Microsoft products** along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
- Admin has also placed Microsoft Update, non-Microsoft, and locally published update content on the WSUS server
In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled.
In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS weren't enabled.
- In a non-WSUS case, these updates would be deferred just as any update to Windows would be.
- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied.
- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies aren't applied.
|Content|Metadata source|Payload source|Deferred?|
|--- |--- |--- |--- |
@ -90,9 +87,9 @@ In this example, the deferral behavior for updates to Office and other non-Windo
## Integrate Windows Update for Business with Microsoft Configuration Manager
For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices are visible in the Configuration Manager console, however they appear with a detection state of **Unknown**.
:::image type="content" alt-text="Example of unknown devices." source="images/wufb-sccm.png" lightbox="images/wufb-sccm.png":::
For more information, see [Integration with Windows Update for Business in Windows 10](/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
For more information, see [Integration with Windows Update for Business in Windows 10](/mem/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10).

123
windows/deployment/update/waas-manage-updates-wsus.md
View File

@ -1,33 +1,31 @@
---
title: Deploy Windows client updates using Windows Server Update Services
title: Deploy updates using Windows Server Update Services
description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: how-to
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>
ms.date: 12/31/2017
---
# Deploy Windows client updates using Windows Server Update Services (WSUS)
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when theyre delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Configuration Manager provides.
WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they're delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but doesn't provide all the scheduling options and deployment flexibility that Microsoft Configuration Manager provides.
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If youre currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11.
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you're currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11.
@ -46,7 +44,7 @@ To be able to use WSUS to manage and deploy Windows feature updates, you must us
## WSUS scalability
To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720448(v=ws.10)).
To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services).
@ -68,19 +66,19 @@ When using WSUS to manage updates on Windows client devices, start by configurin
>[!NOTE]
>In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
4. In the **New GPO** dialog box, name the new GPO **WSUS Auto Updates and Intranet Update Service Location**.
4. In the **New GPO** dialog box, name the new GPO **WSUS - Auto Updates and Intranet Update Service Location**.
5. Right-click the **WSUS Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**.
5. Right-click the **WSUS - Auto Updates and Intranet Update Service Location** GPO, and then select **Edit**.
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
7. Right-click the **Configure Automatic Updates** setting, and then select **Edit**.
![Configure Automatic Updates in the UI.](images/waas-wsus-fig4.png)
8. In the **Configure Automatic Updates** dialog box, select **Enable**.
9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then select **OK**.
![Select Auto download and notify for install in the UI.](images/waas-wsus-fig5.png)
@ -88,7 +86,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
> Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
> [!NOTE]
> There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720539(v=ws.10)).
> There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates).
10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**.
@ -117,13 +115,13 @@ You can use computer groups to target a subset of devices that have specific qua
1. Open the WSUS Administration Console.
2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**.
2. Go to *Server_Name*\Computers\All Computers, and then select **Add Computer Group**.
![Add Computer Group in the WSUS Administration UI.](images/waas-wsus-fig7.png)
3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
3. Type **Ring 2 Pilot Business Users** for the name, and then select **Add**.
4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When youre finished, there should be three deployment ring groups.
4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you're finished, there should be three deployment ring groups.
Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
@ -143,15 +141,15 @@ When new computers communicate with WSUS, they appear in the **Unassigned Comput
1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers.
Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you'll likely have many computers here.
2. Select both computers, right-click the selection, and then click **Change Membership**.
2. Select both computers, right-click the selection, and then select **Change Membership**.
![Select Change Membership in the UI.](images/waas-wsus-fig8.png)
3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then select **OK**.
Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there.
Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you'll see both computers there.
### Search for multiple computers to add to groups
@ -159,15 +157,15 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr
**To search for multiple computers**
1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**.
1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then select **Search**.
2. In the search box, type **WIN10**.
3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
3. In the search results, select the computers, right-click the selection, and then select **Change Membership**.
![Select Change Membership to search for multiple computers in the UI.](images/waas-wsus-fig9.png)
4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
4. Select the **Ring 3 Broad IT** deployment ring, and then select **OK**.
You can now see these computers in the **Ring 3 Broad IT** computer group.
@ -180,11 +178,11 @@ The WSUS Administration Console provides a friendly interface from which you can
**To configure WSUS to allow client-side targeting from Group Policy**
1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then select **Computers**.
![Select Comptuers in the WSUS Administration Console.](images/waas-wsus-fig10.png)
2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then select **OK**.
>[!NOTE]
>This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
@ -194,23 +192,23 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
**To configure client-side targeting**
>[!TIP]
>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you dont add computers to the incorrect rings.
>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don't add computers to the incorrect rings.
1. Open Group Policy Management Console (gpmc.msc).
2. Expand Forest\Domains\\*Your_Domain*.
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
3. Right-click *Your_Domain*, and then select **Create a GPO in this domain, and Link it here**.
4. In the **New GPO** dialog box, type **WSUS Client Targeting Ring 4 Broad Business Users** for the name of the new GPO.
4. In the **New GPO** dialog box, type **WSUS - Client Targeting - Ring 4 Broad Business Users** for the name of the new GPO.
5. Right-click the **WSUS Client Targeting Ring 4 Broad Business Users** GPO, and then click **Edit**.
5. Right-click the **WSUS - Client Targeting - Ring 4 Broad Business Users** GPO, and then select **Edit**.
![Select the WSUS ring 4 and edit in group policy.](images/waas-wsus-fig11.png)
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
7. Right-click **Enable client-side targeting**, and then click **Edit**.
7. Right-click **Enable client-side targeting**, and then select **Edit**.
8. In the **Enable client-side targeting** dialog box, select **Enable**.
@ -223,23 +221,23 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
10. Close the Group Policy Management Editor.
Now youre ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
Now you're ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
**To scope the GPO to a group**
1. In GPMC, select the **WSUS Client Targeting Ring 4 Broad Business Users** policy.
1. In GPMC, select the **WSUS - Client Targeting - Ring 4 Broad Business Users** policy.
2. Click the **Scope** tab.
2. Select the **Scope** tab.
3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
![Remove the default AUTHENTICATED USERS security group in group policy.](images/waas-wsus-fig13.png)
The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring.
The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they'll be added to the **Ring 4 Broad Business Users** deployment ring.
## Automatically approve and deploy feature updates
For clients that should have their feature updates approved as soon as theyre available, you can configure Automatic Approval rules in WSUS.
For clients that should have their feature updates approved as soon as they're available, you can configure Automatic Approval rules in WSUS.
>[!NOTE]
>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](waas-overview.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
@ -250,32 +248,32 @@ This example uses Windows 10, but the process is the same for Windows 11.
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
2. On the **Update Rules** tab, click **New Rule**.
2. On the **Update Rules** tab, select **New Rule**.
3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
![Select the update and deadline check boxes in the WSUS Administration Console.](images/waas-wsus-fig14.png)
4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then select **OK**.
5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**.
5. In the **Edit the properties area**, select the **any product** link. Clear all check boxes except **Windows 10**, and then select **OK**.
Windows 10 is under All Products\Microsoft\Windows.
6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**.
6. In the **Edit the properties** area, select the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then select **OK**.
7. Leave the deadline set for **7 days after the approval at 3:00 AM**.
8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then select **OK**.
![Enter the ring 3 deployment name.](images/waas-wsus-fig15.png)
9. In the **Automatic Approvals** dialog box, click **OK**.
9. In the **Automatic Approvals** dialog box, select **OK**.
>[!NOTE]
>WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if youre using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
>WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you're using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
Now, whenever Windows client feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
Now, whenever Windows client feature updates are published to WSUS, they'll automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
> [!WARNING]
> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows client version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large.
@ -291,17 +289,17 @@ To simplify the manual approval process, start by creating a software update vie
**To approve and deploy feature updates manually**
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, select **New Update View**.
2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**.
3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**.
3. Under **Step 2: Edit the properties**, select **any classification**. Clear all check boxes except **Upgrades**, and then select **OK**.
4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**.
4. Under **Step 2: Edit the properties**, select **any product**. Clear all check boxes except **Windows 10**, and then select **OK**.
Windows 10 is under All Products\Microsoft\Windows.
5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then select **OK**.
![Enter All Windows 10 Upgrades for the name in the WSUS admin console.](images/waas-wsus-fig16.png)
@ -309,7 +307,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
2. Right-click the feature update you want to deploy, and then click **Approve**.
2. Right-click the feature update you want to deploy, and then select **Approve**.
![Approve the feature you want to deploy in WSUS admin console.](images/waas-wsus-fig17.png)
@ -317,30 +315,17 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
![Select Approve for install in the WSUS admin console.](images/waas-wsus-fig18.png)
4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**.
4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Deadline**, select **One Week**, and then select **OK**.
![Select a one week deadline in the WSUS admin console.](images/waas-wsus-fig19.png)
5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
5. If the **Microsoft Software License Terms** dialog box opens, select **Accept**.
If the deployment is successful, you should receive a successful progress report.
![A sample successful deployment.](images/waas-wsus-fig20.png)
6. In the **Approval Progress** dialog box, click **Close**.
</br>
## Steps to manage updates for Windows client
|&nbsp; |&nbsp; |
| --- | --- |
| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) |
| ![done.](images/checklistdone.png) | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) |
| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) |
| ![done.](images/checklistdone.png) | [Optimize update delivery for Windows client updates](../do/waas-optimize-windows-10-updates.md) |
| ![done.](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or Deploy Windows client updates using Windows Server Update Services (this topic)</br>or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
6. In the **Approval Progress** dialog box, select **Close**.

27
windows/deployment/update/waas-manage-updates-wufb.md
View File

@ -3,25 +3,21 @@ title: Windows Update for Business
manager: aaroncz
description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
ms.topic: overview
author: mestew
ms.author: mstewart
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# What is Windows Update for Business?
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows Update for Business is a free service that is available for the following editions of Windows 10 and Windows 11:
@ -37,7 +33,7 @@ Specifically, Windows Update for Business lets you control update offerings and
Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them.
You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as a variety of other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as various other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
### Manage deployment of Windows Updates
@ -62,10 +58,11 @@ You can control when updates are applied, for example by deferring when an updat
### Manage when updates are offered
You can defer or pause the installation of updates for a set period of time.
#### Enroll in pre-release updates
#### Enroll in prerelease updates
The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:
The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both prerelease and released updates:
- Windows Insider Canary
- Windows Insider Dev
- Windows Insider Beta
- Windows Insider Preview
@ -81,7 +78,7 @@ A Windows Update for Business administrator can defer the installation of both f
|---------|---------|
|Feature updates | 365 days |
|Quality updates | 30 days |
|Non-deferrable | none |
|Nondeferrable | none |
<!--Example: Using deferrals to deploy in waves
[Insert graphic with the deferrals set to different values showing a feature update rollout)-->
@ -107,7 +104,7 @@ For the best experience with Windows Update, follow these guidelines:
### Manage the end-user experience when receiving Windows Updates
Windows Update for Business provides controls to help meet your organizations security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
Windows Update for Business provides controls to help meet your organization's security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
#### Recommended experience settings

54
windows/deployment/update/waas-morenews.md
View File

@ -1,54 +0,0 @@
---
title: Windows as a service news & resources
description: The latest news for Windows as a service with resources to help you learn more about them.
ms.prod: windows-client
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: high
ms.technology: itpro-updates
ms.date: 12/31/2017
---
# Windows as a service - More news
Here's more news about [Windows as a service](windows-as-a-service.md):
<ul>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-Enterprise-vs-Windows-10-Pro-Modern-management/ba-p/720445">Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization </a> - June 25, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Updating-Windows-10-version-1903-using-Configuration-Manager-or/ba-p/639100">Updating Windows 10, version 1903 using Configuration Manager or WSUS</a> - May 23, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064">What's new in Windows Update for Business in Windows 10, version 1903</a> - May 21, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024">What's new for IT pros in Windows 10, version 1903</a> - May 21, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update">How to get the Windows 10 May 2019 Update</a> - May 21, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/The-benefits-of-Windows-10-Dynamic-Update/ba-p/467847">The benefits of Windows 10 Dynamic Update</a> - April 17, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency">Improving the Windows 10 update experience with control, quality and transparency</a> - April 4, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Call-to-action-review-your-Windows-Update-for-Business-deferral/ba-p/394244">Call to action: review your Windows Update for Business deferral values</a> - April 3, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540">Windows 10, version 1809 designated for broad deployment</a> - March 28, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience">Data, insights and listening to improve the customer experience</a> - March 6, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Getting-to-know-the-Windows-update-history-pages/ba-p/355079">Getting to know the Windows update history pages</a> - February 21, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523">Windows Update for Business and the retirement of SAC-T</a> - February 14, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2019/01/15/application-compatibility-in-the-windows-ecosystem/#A8urpp1QEp6DHzmP.97">Application compatibility in the Windows ecosystem</a> - January 15, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/12/10/windows-monthly-security-and-quality-updates-overview/#UJJpisSpvyLokbHm.97">Windows monthly security and quality updates overview</a> - January 10, 2019</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/12/19/driver-quality-in-the-windows-ecosystem/#ktuodfovWAMAkssM.97">Driver quality in the Windows ecosystem</a> - December 19, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Measuring-Delivery-Optimization-and-its-impact-to-your-network/ba-p/301809#M409">Measuring Delivery Optimization and its impact to your network</a> - December 13, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181">LTSC: What is it, and when should it be used?</a> - November 29, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Local-Experience-Packs-What-are-they-and-when-should-you-use/ba-p/286841">Local Experience Packs: What are they and when should you use them?</a> - November 14, 2018</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/11/13/resuming-the-rollout-of-the-windows-10-october-2018-update/#amAFU5YS1igMQRoB.97">Resuming the Rollout of the Windows 10 October 2018 Update</a> - November 13, 2018</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/11/13/windows-10-quality-approach-for-a-complex-ecosystem/#9VlPpT2qGIlPAg5a.97">Windows 10 Quality Approach for a Complex Ecosystem</a> - November 13, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Delivery-Optimization-Scenarios-and-configuration-options/ba-p/280195">Delivery Optimization: Scenarios and Configuration Options</a> - October 30, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Language-pack-acquisition-and-retention-for-enterprise-devices/ba-p/275404">Language Pack Acquisition and Retention for Enterprise Devices</a> - October 18, 2018</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/10/09/updated-version-of-windows-10-october-2018-update-released-to-windows-insiders/#MDZYGkj6ZehHyF1g.97">Updated Version of Windows 10 October 2018 Update Released to Windows Insiders</a> - October 9, 2018</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/10/02/how-to-get-the-windows-10-october-2018-update/#T4LJQ3OzDkCR72em.97">How to get the Windows 10 October 2018 Update</a> - October 2, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Reduced-Windows-10-package-size-downloads-for-x64-systems/ba-p/262386">Reducing Windows 10 Package Size Downloads for x64 Systems</a> - September 26, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434">Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates</a> - September 21, 2018</li>
<li><a href="https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/">Helping customers shift to a modern desktop</a> - September 6, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-next-for-Windows-10-and-Windows-Server-quality-updates/ba-p/229461">What&#39;s next for Windows 10 and Windows Server quality updates</a> - August 16, 2018</li>
<li><a href="https://www.youtube.com/watch?v=BwB10v55WSk">Windows 10 monthly updates</a> - August 1, 2018 (<strong>video</strong>)</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376">Windows 10 update servicing cadence</a> - August 1, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-quality-updates-explained-amp-the-end-of-delta/ba-p/214426">Windows 10 quality updates explained and the end of delta updates</a> - July 11, 2018</li>
<li><a href="https://blogs.windows.com/windowsexperience/2018/06/14/ai-powers-windows-10-april-2018-update-rollout/#67LrSyWdwgTyciSG.97">AI Powers Windows 10 April 2018 Update Rollout</a> - June 14, 2018</li>
<li><a href="https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/">Windows Server 2008 SP2 Servicing Changes</a> - June 12, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-Enhancements-diagnostics/ba-p/201978">Windows Update for Business - Enhancements, diagnostics, configuration</a> - June 7, 2018</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747">Windows 10 and the disappearing SAC-T</a> - May 31, 2018
<li><a href="https://www.youtube.com/watch?v=EVzFIg_MhaE&t=5s">Manage update download size using Windows as a service</a> - March 30, 2018</li>
</ul>

41
windows/deployment/update/waas-overview.md
View File

@ -2,39 +2,36 @@
title: Overview of Windows as a service
description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: overview
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: overview
ms.localizationpriority: medium
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Overview of Windows as a service
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows as a service is a way to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
## Building
Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesnt work in todays rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two times per year, around March and September, to help address these issues.
Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn't work in today's rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges.
In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features are delivered to the [Windows Insider community](/windows-insider/business/register) as soon as possible, during the development cycle, through a process called *flighting*. Organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
Microsoft also depends on receiving feedback from organizations throughout the development process so that it can make adjustments as quickly as possible rather than waiting until after release. For more information about the Windows Insider Program and how to sign up, see the section [Windows Insider](#windows-insider).
Of course Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
Of course, Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
## Deploying
@ -43,13 +40,13 @@ Deploying Windows 10 and Windows 11 is simpler than with previous versions of Wi
### Application compatibility
Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds.
Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. Application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously over older versions of Windows. For the most important business-critical applications, organizations should still perform testing regularly to validate compatibility with new builds.
## Servicing
Traditional Windows servicing has included several release types: major revisions (for example, the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10 and Windows 11, there are two release types: feature updates that add new functionality and quality updates that provide security and reliability fixes.
Servicing channels are the first way to separate users into deployment groups for feature and quality updates. For more information about developing a deployment strategy that leverages servicing channels, see [Plan servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md).
Servicing channels are the first way to separate users into deployment groups for feature and quality updates. For more information about developing a deployment strategy that uses servicing channels, see [Plan servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md).
For information about each servicing tool, see [Servicing tools](#servicing-tools).
@ -58,7 +55,7 @@ There are three servicing channels, each of which provides different levels of f
There are currently three release channels for Windows clients:
- The **General Availability Channel** receives feature updates as soon as they are available.
- The **General Availability Channel** receives feature updates as soon as they're available.
- The **Long-Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
- The **Windows Insider Program** provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update.
@ -75,9 +72,9 @@ New features are packaged into feature updates that you can deploy using existin
### Quality updates
Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didnt, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of non-security fixes.
Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn't, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of nonsecurity fixes.
Rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators see one cumulative monthly update that supersedes the previous months update, containing both security and non-security fixes. This approach makes updating simpler and ensures that devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from updates.
Rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators see one cumulative monthly update that supersedes the previous month's update, containing both security and non-security fixes. This approach makes updating simpler and ensures that devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from updates.
## Servicing channels
@ -88,9 +85,9 @@ There are three servicing channels. The [Windows Insider Program](#windows-insid
### General Availability Channel
In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you'll be able to choose the timing at which it goes into broad deployment.
When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools).
When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel is available but not necessarily immediately mandatory, depending on the policy of the management system. For more information about servicing tools, see [Servicing tools](#servicing-tools).
> [!NOTE]
@ -102,7 +99,7 @@ When Microsoft officially releases a feature update, we make it available to any
### Long-term Servicing Channel
Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and dont need feature updates as frequently as other devices in the organization. Its more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Enterprise LTSC devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSC clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don't need feature updates as frequently as other devices in the organization. It's more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Enterprise LTSC devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSC clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
> [!NOTE]
>
@ -113,12 +110,12 @@ Microsoft never publishes feature updates through Windows Update on devices that
> [!NOTE]
> LTSC releases will support the currently released processors and chipsets at the time of release of the LTSC. As future CPU generations are released, support will be created through future LTSC releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](/lifecycle/faq/windows).
The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSC editions. This edition of Windows doesnt include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in the Enterprise LTSC editions, even if you install by using sideloading.
The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSC editions. This edition of Windows doesn't include some applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps aren't supported in the Enterprise LTSC editions, even if you install by using sideloading.
### Windows Insider
For many IT pros, gaining visibility into feature updates early--before theyre available to the General Availability Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
For many IT pros, gaining visibility into feature updates early can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](/windows-insider/business/register).

27
windows/deployment/update/waas-quick-start.md
View File

@ -2,38 +2,35 @@
title: Quick guide to Windows as a service (Windows 10)
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: high
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: high
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Quick guide to Windows as a service
**Applies to**
- Windows 10
- Windows 11
Here is a quick guide to the most important concepts in Windows as a service. For more information, see the [extensive set of documentation](index.md).
Here's a quick guide to the most important concepts in Windows as a service. For more information, see the [extensive set of documentation](index.md).
## Definitions
Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
- **Feature updates** are released annually. As the name suggests, these updates add new features, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
- **Quality updates** deliver both security and nonsecurity fixes. They're typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they're important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
- **Servicing channels** allow organizations to choose when to deploy new features.
- The **General Availability Channel** receives feature updates annually.
- The **Long-Term Servicing Channel**, which is meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs, receives new feature releases every two to three years.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
For more information, see [Overview of Windows as a service](waas-overview.md).
For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md).
@ -41,15 +38,15 @@ For some interesting in-depth information about how cumulative updates work, see
With each release in the General Availability Channel, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion.
Windows 10 Enterprise LTSC are separate **Long-Term Servicing Channel** versions. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
Windows Enterprise LTSC versions are separate **Long-Term Servicing Channel** versions. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
For more information, see [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md).
## Staying up to date
To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Configuration Manager, and non-Microsoft products) to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Configuration Manager, and non-Microsoft products to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
Extensive advanced testing isnt required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
Extensive advanced testing isn't required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
This process repeats with each new feature update. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles.

79
windows/deployment/update/waas-restart.md
View File

@ -1,36 +1,33 @@
---
title: Manage device restarts after updates
description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows 10 update is installed.
description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows update is installed.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: how-to
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Manage device restarts after updates
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts won't occur, or you can do both.
## Schedule update installation
In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation occurs during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
@ -40,25 +37,25 @@ For a detailed description of these registry keys, see [Registry keys used to ma
## Delay automatic reboot
When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation:
When **Configure Automatic Updates** is enabled in Group Policy, you can also enable one of the following policies to delay an automatic reboot after update installation:
- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device restarts at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
> [!NOTE]
> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted.
You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it overrides this setting.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
## Configure active hours
*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours.
*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update occur outside of the active hours.
By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time.
Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range is counted from the active hours start time.
Administrators can use multiple ways to set active hours for managed devices:
@ -78,7 +75,7 @@ MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](/windows/client
### Configuring active hours through Registry
This method is not recommended, and should only be used when you can't use Group Policy or MDM.
This method isn't recommended, and should only be used when you can't use Group Policy or MDM.
Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
Configure active hours by setting a combination of the following registry values:
@ -102,7 +99,7 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan
## Limit restart delays
After an update is installed, Windows attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
After an update is installed, Windows attempts automatic restart outside of active hours. If the restart doesn't succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between 2 and 14.
## Control restart notifications
@ -120,15 +117,15 @@ Starting in Windows 11, version 22H2, **Apply only during active hours** was add
To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours).
### Auto-restart notifications
### Auto restart notifications
Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. This setting was added in Windows 10, version 1703.
Administrators can override the default behavior for the auto restart required notification. By default, this notification dismisses automatically. This setting was added in Windows 10, version 1703.
To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](/windows/client-management/mdm/policy-configuration-service-provider#update-AutoRestartRequiredNotificationDismissal)
You can also configure the period prior to an update that this notification will show up on. The default value is 15 minutes.
You can also configure the period prior to an update that this notification shows up. The default value is 15 minutes.
To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
@ -141,20 +138,20 @@ To do so through Group Policy, go to **Computer Configuration\Administrative Tem
To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable).
### Scheduled auto-restart warnings
### Scheduled auto restart warnings
Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
Since users aren't able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**.
To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto restart can be configured by **Warning (mins)**.
In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleRestartWarning) and the auto-restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleImminentRestartWarning).
In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleRestartWarning) and the auto restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleImminentRestartWarning).
### Engaged restart
Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts.
Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows auto-restarts outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts.
The following settings can be adjusted for engaged restart:
* Period of time before auto-restart transitions to engaged restart.
* Period of time before auto restart transitions to engaged restart.
* The number of days that users can snooze engaged restart reminder notifications.
* The number of days before a pending restart automatically executes outside of working hours.
@ -164,17 +161,17 @@ In MDM, use [**Update/EngagedRestartTransitionSchedule**](/windows/client-manage
## Group Policy settings for restart
In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
In the Group Policy editor, you'll see policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
| Policy | Applies to Windows 10 | Notes |
| --- | --- | --- |
| Turn off auto-restart for updates during active hours | ![yes.](images/checkmark.png) | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| Always automatically restart at the scheduled time | ![yes.](images/checkmark.png) | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
| Specify deadline before auto-restart for update installation | ![yes.](images/checkmark.png) | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| No auto-restart with logged on users for scheduled automatic updates installations | ![yes.](images/checkmark.png) | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
| Re-prompt for restart with scheduled installations | ![no.](images/crossmark.png) | |
| Delay Restart for scheduled installations | ![no.](images/crossmark.png) | |
| Reschedule Automatic Updates scheduled installations | ![no.](images/crossmark.png) | |
| Turn off auto-restart for updates during active hours | Yes | Use this policy to configure active hours, during which the device won't be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| Always automatically restart at the scheduled time | Yes | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
| Specify deadline before auto-restart for update installation | Yes | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| No auto-restart with logged on users for scheduled automatic updates installations | Yes | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
| Re-prompt for restart with scheduled installations | No | |
| Delay Restart for scheduled installations | No | |
| Reschedule Automatic Updates scheduled installations | No | |
>[!NOTE]
@ -190,8 +187,8 @@ The following tables list registry values that correspond to the Group Policy se
| Registry key | Key type | Value |
| --- | --- | --- |
| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours</br>1: enable automatic restart after updates outside of active hours |
**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
@ -201,8 +198,8 @@ The following tables list registry values that correspond to the Group Policy se
| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time</br>1: enable automatic reboot after update installation at a scheduled time |
| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates</br>3: automatically download and notify for installation of updates</br>4: Automatically download and schedule installation of updates</br>5: allow the local admin to configure these settings</br>**Note:** To configure restart behavior, set this value to **4** |
| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on</br>1: do not reboot after an update installation if a user is logged on</br>**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable don't reboot if users are logged on</br>1: don't reboot after an update installation if a user is logged on</br>**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
There are three different registry combinations for controlling restart behavior:
@ -210,7 +207,7 @@ There are three different registry combinations for controlling restart behavior
- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, and **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
## Related articles
## More resources
- [Update Windows in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)

34
windows/deployment/update/waas-servicing-channels-windows-10-updates.md
View File

@ -1,24 +1,20 @@
---
title: Assign devices to servicing channels for Windows client updates
title: Assign devices to servicing channels for updates
description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Assign devices to servicing channels for Windows 10 updates
**Applies to**
- Windows 10
- Windows 11
# Assign devices to servicing channels for Windows updates
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@ -29,12 +25,12 @@ The General Availability Channel is the default servicing channel for all Window
| Edition | General Availability Channel | Long-Term Servicing Channel | Insider Program |
| --- | --- | --- | --- |
| Home | ![no.](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Pro | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Enterprise | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Enterprise LTSC | ![no.](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) |
| Pro Education | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Education | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Home | No | No | Yes |
| Pro | Yes | No | Yes |
| Enterprise | Yes | No | Yes |
| Enterprise LTSC | No | Yes | No |
| Pro Education | Yes | No | Yes |
| Education | Yes | No | Yes |
>[!NOTE]
@ -46,7 +42,7 @@ The General Availability Channel is the default servicing channel for all Window
## Enroll devices in the Windows Insider Program
To get started with the Windows Insider Program for Business, follows these steps:
To get started with the Windows Insider Program for Business, follow these steps:
1. On the [Windows Insider](https://www.microsoft.com/windowsinsider/for-business) website, select **Register** to register your organizational Azure AD account.
2. Follow the prompts to register your tenant.</br>**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register.

32
windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
View File

@ -2,40 +2,36 @@
title: Prepare a servicing strategy for Windows client updates
description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Prepare a servicing strategy for Windows client updates
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Heres an example of what this process might look like:
Here's an example of what this process might look like:
- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before theyre available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business.
- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they're available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate prerelease builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business.
- **Identify excluded devices.** For some organizations, special-purpose devices, like devices that control factory or medical equipment or run ATMs, require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that youre looking for feedback rather than people to just try it out and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for ADMX download for Windows build xxxx. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
- **Choose a servicing tool.** Decide which product youll use to manage the Windows updates in your environment. If youre currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product youll use, consider how youll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you're looking for feedback rather than people to just "try it out" and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain needs to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for "ADMX download for Windows build xxxx". For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
- **Choose a servicing tool.** Decide which product you'll use to manage the Windows updates in your environment. If you're currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you'll use, consider how you'll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview).
Each time Microsoft releases a feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier Configure test devices step of the previous section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase.
2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but its still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity will represent most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the Recruit volunteers step of the previous section. Be sure to communicate clearly that youre looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it.
3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you dont prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department.
1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier "Configure test devices" step of the previous section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase.
2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it's still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity represents most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the "Recruit volunteers" step of the previous section. Be sure to communicate clearly that you're looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it.
3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don't prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department.

13
windows/deployment/update/waas-wu-settings.md
View File

@ -1,23 +1,24 @@
---
title: Manage additional Windows Update settings
description: In this article, learn about additional settings to control the behavior of Windows Update.
description: In this article, learn about additional settings to control the behavior of Windows Update in your organization.
ms.prod: windows-client
ms.localizationpriority: medium
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: how-to
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 04/25/2023
---
# Manage additional Windows Update settings
***(Applies to: Windows 11 & Windows 10)***
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more.

21
windows/deployment/update/waas-wufb-csp-mdm.md
View File

@ -2,23 +2,20 @@
title: Configure Windows Update for Business by using CSPs and MDM
description: Walk through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 02/28/2023
---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@ -176,9 +173,9 @@ There are additional settings that affect the notifications.
We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
**0** (default) Use the default Windows Update notifications<br/>
**1** Turn off all notifications, excluding restart warnings<br/>
**2** Turn off all notifications, including restart warnings
**0** (default) - Use the default Windows Update notifications<br/>
**1** - Turn off all notifications, excluding restart warnings<br/>
**2** - Turn off all notifications, including restart warnings
> [!NOTE]
> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.

57
windows/deployment/update/waas-wufb-group-policy.md
View File

@ -1,28 +1,28 @@
---
title: Configure Windows Update for Business via Group Policy
description: Walk through of how to configure Windows Update for Business settings using Group Policy.
description: Walk through of how to configure Windows Update for Business settings using Group Policy to update devices.
ms.prod: windows-client
ms.technology: itpro-updates
manager: aaroncz
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
ms.collection:
- highpri
- tier2
manager: aaroncz
ms.topic: how-to
ms.technology: itpro-updates
ms.date: 02/28/2023
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
ms.date: 08/22/2023
---
# Walkthrough: Use Group Policy to configure Windows Update for Business
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
## Overview
@ -195,11 +195,42 @@ Still more options are available in **Computer Configuration > Administrative Te
Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to Pause updates**.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to Pause updates**.
When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out.
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all Windows Update features**.
#### I want to enable optional updates
<!--7991583-->
(*Starting in Windows 11, version 22H2 or later*)
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > Enable optional updates** policy.
To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](waas-configure-wufb.md#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**.
The following options are available for the policy:
- **Automatically receive optional updates (including CFRs)**:
- The latest optional nonsecurity updates and CFRs are automatically installed on the device. The quality update deferral period is applied to the installation of these updates.
- The **Get the latest updates as soon as they're available** option is selected and users can't change the setting.
- Devices will receive CFRs in early phases of the rollout.
- **Automatically receive optional updates**:
- The latest optional nonsecurity updates are automatically installed on the device but CFRs aren't. The quality update deferral period is applied to the installation of these updates.
- The **Get the latest updates as soon as they're available** option isn't selected and users can't change the setting.
- **Users can select which optional updates to receive**:
- Users can select which optional updates to install from **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Optional updates**.
- Optional updates are offered to the device, but user interaction is required to install them unless the **Get the latest updates as soon as they're available** option is also enabled.
- CFRs are offered to the device, but not necessarily in the early phases of the rollout.
- Users can enable the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. If the user enables the **Get the latest updates as soon as they're available**, then:
- The device will receive CFRs in early phases of the rollout.
- Optional updates are automatically installed on the device.
- **Not configured** (default):
- Optional updates aren't installed on the device and the **Get the latest updates as soon as they're available** option is disabled.
#### I want to enable features introduced via servicing that are off by default
<!--6544872-->
(*Starting in Windows 11, version 22H2 or later*)

106
windows/deployment/update/windows-as-a-service.md
View File

@ -1,106 +0,0 @@
---
title: Windows as a service
ms.prod: windows-client
ms.topic: article
author: mestew
ms.author: mstewart
description: Discover the latest news articles, videos, and podcasts about Windows as a service. Find resources for using Windows as a service within your organization.
manager: aaroncz
ms.localizationpriority: high
ms.technology: itpro-updates
ms.date: 12/31/2017
---
# Windows as a service
Find the tools and resources you need to help deploy and support Windows as a service in your organization.
## Latest news, videos, & podcasts
Find the latest and greatest news on Windows 10 deployment and servicing.
**Discovering the Windows 10 Update history pages**
> [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY]
Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the [Windows release health dashboard](/windows/release-health/) for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout.
The latest news:
- [How to get Extended Security Updates for eligible Windows devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807) - October 17, 2019
- [End of service reminders for Windows 10, versions 1703 and 1803](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/End-of-service-reminders-for-Windows-10-versions-1703-and-1803/ba-p/903715) - October 9, 2019
- [Using machine learning to improve the Windows 10 update experience](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860) - September 26, 2019
- [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054) - September 24, 2019
- [New extended support dates for MDOP tools](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/New-extended-support-dates-for-MDOP-tools/ba-p/837312) - September 4, 2019
- [FastTrack for Windows 10 deployment and other migration resources](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/FastTrack-for-Windows-10-deployment-and-other-migration/ba-p/800406) - August 12, 2019
- [Tactical considerations for creating Windows deployment rings](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979) - July 10, 2019
- [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Upgrading-Windows-10-devices-with-installation-media-different/ba-p/746126) - July 9, 2019
- [Moving to the next Windows 10 feature update for commercial customers](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Moving-to-the-next-Windows-10-feature-update-for-commercial/ba-p/732968) - July 1, 2019
[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog).
## IT pro champs corner
Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing.
<img src="images/champs-2.png" alt="Champs" width="640" height="320">
[**NEW** Tactical considerations for creating Windows deployment rings](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979)
[**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-Enterprise-vs-Windows-10-Pro-Modern-management/ba-p/720445)
[Deployment rings: The hidden [strategic] gem of Windows as a service](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Deployment-rings-The-hidden-strategic-gem-of-Windows-as-a/ba-p/659622)
[Classifying Windows updates in common deployment tools](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Classifying-Windows-updates-in-common-deployment-tools/ba-p/331175)
[Express updates for Windows Server 2016 re-enabled for November 2018 update](/windows-server/get-started/express-updates)
[2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/)
[What is Windows Update for Business?](waas-manage-updates-wufb.md)
## Discover
Learn more about Windows as a service and its value to your organization.
<img src="images/discover-land.png" alt="Discover">
[Overview of Windows as a service](waas-overview.md)
[Quick guide to Windows as a service](waas-quick-start.md)
[What's new in Windows 10 deployment](../deploy-whats-new.md)
[Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios)</font>
## Plan
Prepare to implement Windows as a service effectively using the right tools, products, and strategies.
<img src="images/plan-land.png" alt="Plan" />
[Simplified updates](https://www.microsoft.com/windowsforbusiness/simplified-updates)
[Windows 10 end user readiness](https://www.microsoft.com/itpro/windows-10/end-user-readiness)
[Ready for Windows](https://developer.microsoft.com/windows/ready-for-windows#/)
[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview)
[Preparing your organization for a seamless Windows 10 deployment](https://www.microsoft.com/itshowcase/windows10deployment)
## Deploy
Secure your organization's deployment investment.
<img src="images/deploy-land.png" alt="Deploy" />
[Update Windows 10 in the enterprise](index.md)
[Deploying as an in-place upgrade](https://www.microsoft.com/itshowcase/Article/Content/668/Deploying-Windows-10-at-Microsoft-as-an-inplace-upgrade)
[Configure Windows Update for Business](waas-configure-wufb.md)
[Express update delivery](../do/waas-optimize-windows-10-updates.md#express-update-delivery)
[Windows 10 deployment considerations](../planning/windows-10-deployment-considerations.md)

541
windows/deployment/update/windows-update-error-reference.md
View File

@ -2,95 +2,92 @@
title: Windows Update error code list by component
description: Learn about reference information for Windows Update error codes, including automatic update errors, UI errors, and reporter errors.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 09/18/2018
ms.topic: article
ms.technology: itpro-updates
---
# Windows Update error codes by component
**Applies to**
- Windows 10
- Windows 11
This section lists the error codes for Microsoft Windows Update.
## Automatic Update Errors
| Error code | Message | Description |
|------------|---------------------------------|--------------------------------------------------------------------------------------------------------|
| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
| 0x8024A000 | `WU_E_AU_NOSERVICE` | Automatic Updates was unable to service incoming requests. |
| 0x8024A002 | `WU_E_AU_NONLEGACYSERVER` | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. |
| 0x8024A003 | `WU_E_AU_LEGACYCLIENTDISABLED` | The old version of the Automatic Updates client was disabled. |
| 0x8024A004 | `WU_E_AU_PAUSED` | Automatic Updates was unable to process incoming requests because it was paused. |
| 0x8024A005 | `WU_E_AU_NO_REGISTERED_SERVICE` | No unmanaged service is registered with `AU`. |
| 0x8024AFFF | `WU_E_AU_UNEXPECTED` | An Automatic Updates error not covered by another `WU_E_AU*` code. |
| `0x80243FFF` | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
| `0x8024A000` | `WU_E_AU_NOSERVICE` | Automatic Updates was unable to service incoming requests. |
| `0x8024A002` | `WU_E_AU_NONLEGACYSERVER` | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. |
| `0x8024A003` | `WU_E_AU_LEGACYCLIENTDISABLED` | The old version of the Automatic Updates client was disabled. |
| `0x8024A004` | `WU_E_AU_PAUSED` | Automatic Updates was unable to process incoming requests because it was paused. |
| `0x8024A005` | `WU_E_AU_NO_REGISTERED_SERVICE` | No unmanaged service is registered with `AU`. |
| `0x8024AFFF` | `WU_E_AU_UNEXPECTED` | An Automatic Updates error not covered by another `WU_E_AU*` code. |
## Windows Update UI errors
| Error code | Message | Description |
|------------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
| 0x80243001 | `WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION` | The results of download and installation could not be read from the registry due to an unrecognized data format version. |
| 0x80243002 | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation could not be read from the registry due to an invalid data format. |
| 0x80243003 | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation are not available; the operation may have failed to start. |
| 0x80243004 | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. |
| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed. |
| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of Windows Update client UI exported functions. |
| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
| 0x8024043D | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property is not available. |
| `0x80243001` | `WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION` | The results of download and installation couldn't be read from the registry due to an unrecognized data format version. |
| `0x80243002` | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation couldn't be read from the registry due to an invalid data format. |
| `0x80243003` | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation aren't available; the operation may have failed to start. |
| `0x80243004` | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. |
| `0x80243FFD` | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed. |
| `0x80243FFE` | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of Windows Update client UI exported functions. |
| `0x80243FFF` | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
| `0x8024043D` | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property isn't available. |
## Inventory errors
| Error code | Message | Description |
|------------|--------------------------------------------|-------------------------------------------------------------------------------|
| 0x80249001 | `WU_E_INVENTORY_PARSEFAILED` | Parsing of the rule file failed. |
| 0x80249002 | `WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED` | Failed to get the requested inventory type from the server. |
| 0x80249003 | `WU_E_INVENTORY_RESULT_UPLOAD_FAILED` | Failed to upload inventory result to the server. |
| 0x80249004 | `WU_E_INVENTORY_UNEXPECTED` | There was an inventory error not covered by another error code. |
| 0x80249005 | `WU_E_INVENTORY_WMI_ERROR` | A WMI error occurred when enumerating the instances for a particular class. |
| `0x80249001` | `WU_E_INVENTORY_PARSEFAILED` | Parsing of the rule file failed. |
| `0x80249002` | `WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED` | Failed to get the requested inventory type from the server. |
| `0x80249003` | `WU_E_INVENTORY_RESULT_UPLOAD_FAILED` | Failed to upload inventory result to the server. |
| `0x80249004` | `WU_E_INVENTORY_UNEXPECTED` | There was an inventory error not covered by another error code. |
| `0x80249005` | `WU_E_INVENTORY_WMI_ERROR` | A WMI error occurred when enumerating the instances for a particular class. |
## Expression evaluator errors
| Error code | Message | Description |
|------------|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
| 0x8024E001 | `WU_E_EE_UNKNOWN_EXPRESSION` | An expression evaluator operation could not be completed because an expression was unrecognized. |
| 0x8024E002 | `WU_E_EE_INVALID_EXPRESSION` | An expression evaluator operation could not be completed because an expression was invalid. |
| 0x8024E003 | `WU_E_EE_MISSING_METADATA` | An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes. |
| 0x8024E004 | `WU_E_EE_INVALID_VERSION` | An expression evaluator operation could not be completed because the version of the serialized expression data is invalid. |
| 0x8024E005 | `WU_E_EE_NOT_INITIALIZED` | The expression evaluator could not be initialized. |
| 0x8024E006 | `WU_E_EE_INVALID_ATTRIBUTEDATA` | An expression evaluator operation could not be completed because there was an invalid attribute. |
| 0x8024E007 | `WU_E_EE_CLUSTER_ERROR` | An expression evaluator operation could not be completed because the cluster state of the computer could not be determined. |
| 0x8024EFFF | `WU_E_EE_UNEXPECTED` | There was an expression evaluator error not covered by another `WU_E_EE_*` error code. |
| `0x8024E001` | `WU_E_EE_UNKNOWN_EXPRESSION` | An expression evaluator operation couldn't be completed because an expression was unrecognized. |
| `0x8024E002` | `WU_E_EE_INVALID_EXPRESSION` | An expression evaluator operation couldn't be completed because an expression was invalid. |
| `0x8024E003` | `WU_E_EE_MISSING_METADATA` | An expression evaluator operation couldn't be completed because an expression contains an incorrect number of metadata nodes. |
| `0x8024E004` | `WU_E_EE_INVALID_VERSION` | An expression evaluator operation couldn't be completed because the version of the serialized expression data is invalid. |
| `0x8024E005` | `WU_E_EE_NOT_INITIALIZED` | The expression evaluator couldn't be initialized. |
| `0x8024E006` | `WU_E_EE_INVALID_ATTRIBUTEDATA` | An expression evaluator operation couldn't be completed because there was an invalid attribute. |
| `0x8024E007` | `WU_E_EE_CLUSTER_ERROR` | An expression evaluator operation couldn't be completed because the cluster state of the computer couldn't be determined. |
| `0x8024EFFF` | `WU_E_EE_UNEXPECTED` | There was an expression evaluator error not covered by another `WU_E_EE_*` error code. |
## Reporter errors
| Error code | Message | Description |
|------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
| 0x80247001 | `WU_E_OL_INVALID_SCANFILE` | An operation could not be completed because the scan package was invalid. |
| 0x80247002 | `WU_E_OL_NEWCLIENT_REQUIRED` | An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. |
| 0x80247FFF | `WU_E_OL_UNEXPECTED` | Search using the scan package failed. |
| 0x8024F001 | `WU_E_REPORTER_EVENTCACHECORRUPT` | The event cache file was defective. |
| 0x8024F002 | `WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED` | The XML in the event namespace descriptor could not be parsed. |
| 0x8024F003 | `WU_E_INVALID_EVENT` | The XML in the event namespace descriptor could not be parsed. |
| 0x8024F004 | `WU_E_SERVER_BUSY` | The server rejected an event because the server was too busy. |
| 0x8024FFFF | `WU_E_REPORTER_UNEXPECTED` | There was a reporter error not covered by another error code. |
| `0x80247001` | `WU_E_OL_INVALID_SCANFILE` | An operation couldn't be completed because the scan package was invalid. |
| `0x80247002` | `WU_E_OL_NEWCLIENT_REQUIRED` | An operation couldn't be completed because the scan package requires a greater version of the Windows Update Agent. |
| `0x80247FFF` | `WU_E_OL_UNEXPECTED` | Search using the scan package failed. |
| `0x8024F001` | `WU_E_REPORTER_EVENTCACHECORRUPT` | The event cache file was defective. |
| `0x8024F002` | `WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED` | The XML in the event namespace descriptor couldn't be parsed. |
| `0x8024F003` | `WU_E_INVALID_EVENT` | The XML in the event namespace descriptor couldn't be parsed. |
| `0x8024F004` | `WU_E_SERVER_BUSY` | The server rejected an event because the server was too busy. |
| `0x8024FFFF` | `WU_E_REPORTER_UNEXPECTED` | There was a reporter error not covered by another error code. |
## Redirector errors
The components that download the `Wuredir.cab` file and then parse the `Wuredir.cab` file generate the following errors.
| Error code | Message | Description |
|----------- |------------------------------|------------------------------------------------------------------------------------------|
| 0x80245001 | `WU_E_REDIRECTOR_LOAD_XML` | The redirector XML document could not be loaded into the DOM class. |
| 0x80245002 | `WU_E_REDIRECTOR_S_FALSE` | The redirector XML document is missing some required information. |
| 0x80245003 | `WU_E_REDIRECTOR_ID_SMALLER` | The redirectorId in the downloaded redirector cab is less than in the cached cab. |
| 0x80245FFF | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. |
| `0x80245001` | `WU_E_REDIRECTOR_LOAD_XML` | The redirector XML document couldn't be loaded into the DOM class. |
| `0x80245002` | `WU_E_REDIRECTOR_S_FALSE` | The redirector XML document is missing some required information. |
| `0x80245003` | `WU_E_REDIRECTOR_ID_SMALLER` | The redirectorId in the downloaded redirector cab is less than in the cached cab. |
| `0x80245FFF` | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. |
## Protocol Talker errors
The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. These errors are obtained when the `CClientWebService` object calls the `GetClientError()` method.
@ -98,271 +95,271 @@ The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. Th
| Error code | Message | Description |
|------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
| 0x80244000 | `WU_E_PT_SOAPCLIENT_BASE` | `WU_E_PT_SOAPCLIENT_*` error codes map to the `SOAPCLIENT_ERROR` enum of the ATL Server Library. |
| 0x80244001 | `WU_E_PT_SOAPCLIENT_INITIALIZE` | Same as `SOAPCLIENT_INITIALIZE_ERROR` - initialization of the `SOAP` client failed possibly because of an MSXML installation failure. |
| 0x80244002 | `WU_E_PT_SOAPCLIENT_OUTOFMEMORY` | Same as `SOAPCLIENT_OUTOFMEMORY` - `SOAP` client failed because it ran out of memory. |
| 0x80244003 | `WU_E_PT_SOAPCLIENT_GENERATE` | Same as `SOAPCLIENT_GENERATE_ERROR` - `SOAP` client failed to generate the request. |
| 0x80244004 | `WU_E_PT_SOAPCLIENT_CONNECT` | Same as `SOAPCLIENT_CONNECT_ERROR` - `SOAP` client failed to connect to the server. |
| 0x80244005 | `WU_E_PT_SOAPCLIENT_SEND` | Same as `SOAPCLIENT_SEND_ERROR` - `SOAP` client failed to send a message for reasons of `WU_E_WINHTTP_*` error codes. |
| 0x80244006 | `WU_E_PT_SOAPCLIENT_SERVER` | Same as `SOAPCLIENT_SERVER_ERROR` - `SOAP` client failed because there was a server error. |
| 0x80244007 | `WU_E_PT_SOAPCLIENT_SOAPFAULT` | Same as `SOAPCLIENT_SOAPFAULT` - `SOAP` client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. |
| 0x80244008 | `WU_E_PT_SOAPCLIENT_PARSEFAULT` | Same as `SOAPCLIENT_PARSEFAULT_ERROR` - `SOAP` client failed to parse a `SOAP` fault. |
| 0x80244009 | `WU_E_PT_SOAPCLIENT_READ` | Same as `SOAPCLIENT_READ_ERROR` - `SOAP` client failed while reading the response from the server. |
| 0x8024400A | `WU_E_PT_SOAPCLIENT_PARSE` | Same as `SOAPCLIENT_PARSE_ERROR` - `SOAP` client failed to parse the response from the server. |
| `0x80244000` | `WU_E_PT_SOAPCLIENT_BASE` | `WU_E_PT_SOAPCLIENT_*` error codes map to the `SOAPCLIENT_ERROR` enum of the ATL Server Library. |
| `0x80244001` | `WU_E_PT_SOAPCLIENT_INITIALIZE` | Same as `SOAPCLIENT_INITIALIZE_ERROR` - initialization of the `SOAP` client failed possibly because of an MSXML installation failure. |
| `0x80244002` | `WU_E_PT_SOAPCLIENT_OUTOFMEMORY` | Same as `SOAPCLIENT_OUTOFMEMORY` - `SOAP` client failed because it ran out of memory. |
| `0x80244003` | `WU_E_PT_SOAPCLIENT_GENERATE` | Same as `SOAPCLIENT_GENERATE_ERROR` - `SOAP` client failed to generate the request. |
| `0x80244004` | `WU_E_PT_SOAPCLIENT_CONNECT` | Same as `SOAPCLIENT_CONNECT_ERROR` - `SOAP` client failed to connect to the server. |
| `0x80244005` | `WU_E_PT_SOAPCLIENT_SEND` | Same as `SOAPCLIENT_SEND_ERROR` - `SOAP` client failed to send a message for reasons of `WU_E_WINHTTP_*` error codes. |
| `0x80244006` | `WU_E_PT_SOAPCLIENT_SERVER` | Same as `SOAPCLIENT_SERVER_ERROR` - `SOAP` client failed because there was a server error. |
| `0x80244007` | `WU_E_PT_SOAPCLIENT_SOAPFAULT` | Same as `SOAPCLIENT_SOAPFAULT` - `SOAP` client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. |
| `0x80244008` | `WU_E_PT_SOAPCLIENT_PARSEFAULT` | Same as `SOAPCLIENT_PARSEFAULT_ERROR` - `SOAP` client failed to parse a `SOAP` fault. |
| `0x80244009` | `WU_E_PT_SOAPCLIENT_READ` | Same as `SOAPCLIENT_READ_ERROR` - `SOAP` client failed while reading the response from the server. |
| `x8024400A` | `WU_E_PT_SOAPCLIENT_PARSE` | Same as `SOAPCLIENT_PARSE_ERROR` - `SOAP` client failed to parse the response from the server. |
## Other Protocol Talker errors
The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These errors are obtained from the `m_fault.m_soapErrCode` member of the `CClientWebService` object when `GetClientError()` returns `SOAPCLIENT_SOAPFAULT`.
The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These errors are obtained from the `m_fault.m_soapErrCode` member of the `CClientWebService` object when `GetClientError()` returns `SOAPCLIENT_SOAPFAULT`.
| Error code | Message | Description |
|------------|----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0x8024400B | `WU_E_PT_SOAP_VERSION` | Same as `SOAP_E_VERSION_MISMATCH` - `SOAP` client found an unrecognizable namespace for the `SOAP` envelope. |
| 0x8024400C | `WU_E_PT_SOAP_MUST_UNDERSTAND` | Same as `SOAP_E_MUST_UNDERSTAND` - `SOAP` client was unable to understand a header. |
| 0x8024400D | `WU_E_PT_SOAP_CLIENT` | Same as `SOAP_E_CLIENT` - `SOAP` client found the message was malformed; fix before resending. |
| 0x8024400E | `WU_E_PT_SOAP_SERVER` | Same as `SOAP_E_SERVER` - The `SOAP` message could not be processed due to a server error; resend later. |
| 0x8024400F | `WU_E_PT_WMI_ERROR` | There was an unspecified Windows Management Instrumentation (WMI) error. |
| 0x80244010 | `WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS` | The number of round trips to the server exceeded the maximum limit. |
| 0x80244011 | `WU_E_PT_SUS_SERVER_NOT_SET` | WUServer policy value is missing in the registry. |
| 0x80244012 | `WU_E_PT_DOUBLE_INITIALIZATION` | Initialization failed because the object was already initialized. |
| 0x80244013 | `WU_E_PT_INVALID_COMPUTER_NAME` | The computer name could not be determined. |
| 0x80244015 | `WU_E_PT_REFRESH_CACHE_REQUIRED` | The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. |
| 0x80244016 | `WU_E_PT_HTTP_STATUS_BAD_REQUEST` | Same as HTTP status 400 - the server could not process the request due to invalid syntax. |
| 0x80244017 | `WU_E_PT_HTTP_STATUS_DENIED` | Same as HTTP status 401 - the requested resource requires user authentication. |
| 0x80244018 | `WU_E_PT_HTTP_STATUS_FORBIDDEN` | Same as HTTP status 403 - server understood the request but declined to fulfill it. |
| 0x80244019 | `WU_E_PT_HTTP_STATUS_NOT_FOUND` | Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier). |
| 0x8024401A | `WU_E_PT_HTTP_STATUS_BAD_METHOD` | Same as HTTP status 405 - the HTTP method is not allowed. |
| 0x8024401B | `WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ` | Same as HTTP status 407 - proxy authentication is required. |
| 0x8024401C | `WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT` | Same as HTTP status 408 - the server timed out waiting for the request. |
| 0x8024401D | `WU_E_PT_HTTP_STATUS_CONFLICT` | Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource. |
| 0x8024401E | `WU_E_PT_HTTP_STATUS_GONE` | Same as HTTP status 410 - requested resource is no longer available at the server. |
| 0x8024401F | `WU_E_PT_HTTP_STATUS_SERVER_ERROR` | Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. |
| 0x80244020 | `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED` | Same as HTTP status 500 - server does not support the functionality required to fulfill the request. |
| 0x80244021 | `WU_E_PT_HTTP_STATUS_BAD_GATEWAY` | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. |
| 0x80244022 | `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL` | Same as HTTP status 503 - the service is temporarily overloaded. |
| 0x80244023 | `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT` | Same as HTTP status 503 - the request was timed out waiting for a gateway. |
| 0x80244024 | `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP` | Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. |
| 0x80244025 | `WU_E_PT_FILE_LOCATIONS_CHANGED` | Operation failed due to a changed file location; refresh internal state and resend. |
| 0x80244026 | `WU_E_PT_REGISTRATION_NOT_SUPPORTED` | Operation failed because Windows Update Agent does not support registration with a non-WSUS server. |
| 0x80244027 | `WU_E_PT_NO_AUTH_PLUGINS_REQUESTED` | The server returned an empty authentication information list. |
| 0x80244028 | `WU_E_PT_NO_AUTH_COOKIES_CREATED` | Windows Update Agent was unable to create any valid authentication cookies. |
| 0x80244029 | `WU_E_PT_INVALID_CONFIG_PROP` | A configuration property value was wrong. |
| 0x8024402A | `WU_E_PT_CONFIG_PROP_MISSING` | A configuration property value was missing. |
| 0x8024402B | `WU_E_PT_HTTP_STATUS_NOT_MAPPED` | The HTTP request could not be completed and the reason did not correspond to any of the `WU_E_PT_HTTP_*` error codes. |
| 0x8024402C | `WU_E_PT_WINHTTP_NAME_NOT_RESOLVED` | Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved. |
| 0x8024402F | `WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS` | External cab file processing completed with some errors. |
| 0x80244030 | `WU_E_PT_ECP_INIT_FAILED` | The external cab processor initialization did not complete. |
| 0x80244031 | `WU_E_PT_ECP_INVALID_FILE_FORMAT` | The format of a metadata file was invalid. |
| 0x80244032 | `WU_E_PT_ECP_INVALID_METADATA` | External cab processor found invalid metadata. |
| 0x80244033 | `WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST` | The file digest could not be extracted from an external cab file. |
| 0x80244034 | `WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE` | An external cab file could not be decompressed. |
| 0x80244035 | `WU_E_PT_ECP_FILE_LOCATION_ERROR` | External cab processor was unable to get file locations. |
| 0x80244FFF | `WU_E_PT_UNEXPECTED` | A communication error not covered by another `WU_E_PT_*` error code. |
| 0x8024502D | `WU_E_PT_SAME_REDIR_ID` | Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. |
| 0x8024502E | `WU_E_PT_NO_MANAGED_RECOVER` | A redirector recovery action did not complete because the server is managed. |
| Error code | Message | Description |
|------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
| `0x8024400B` | `WU_E_PT_SOAP_VERSION` | Same as `SOAP_E_VERSION_MISMATCH` - `SOAP` client found an unrecognizable namespace for the `SOAP` envelope. |
| `0x8024400C` | `WU_E_PT_SOAP_MUST_UNDERSTAND` | Same as `SOAP_E_MUST_UNDERSTAND` - `SOAP` client was unable to understand a header. |
| `0x8024400D` | `WU_E_PT_SOAP_CLIENT` | Same as `SOAP_E_CLIENT` - `SOAP` client found the message was malformed; fix before resending. |
|`0x8024400E` | `WU_E_PT_SOAP_SERVER` | Same as `SOAP_E_SERVER` - The `SOAP` message couldn't be processed due to a server error; resend later. |
| `0x8024400F` | `WU_E_PT_WMI_ERROR` | There was an unspecified Windows Management Instrumentation (WMI) error. |
| `0x80244010` | `WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS` | The number of round trips to the server exceeded the maximum limit. |
| `0x80244011` | `WU_E_PT_SUS_SERVER_NOT_SET` | WUServer policy value is missing in the registry. |
| `0x80244012` | `WU_E_PT_DOUBLE_INITIALIZATION` | Initialization failed because the object was already initialized. |
| `0x80244013` | `WU_E_PT_INVALID_COMPUTER_NAME` | The computer name couldn't be determined. |
| `0x80244015` | `WU_E_PT_REFRESH_CACHE_REQUIRED` | The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. |
| `0x80244016` | `WU_E_PT_HTTP_STATUS_BAD_REQUEST` | Same as HTTP status 400 - the server couldn't process the request due to invalid syntax. |
| `0x80244017` | `WU_E_PT_HTTP_STATUS_DENIED` | Same as HTTP status 401 - the requested resource requires user authentication. |
| `0x80244018` | `WU_E_PT_HTTP_STATUS_FORBIDDEN` | Same as HTTP status 403 - server understood the request but declined to fulfill it. |
| `0x80244019` | `WU_E_PT_HTTP_STATUS_NOT_FOUND` | Same as HTTP status 404 - the server can't find the requested URI (Uniform Resource Identifier). |
| `0x8024401A` | `WU_E_PT_HTTP_STATUS_BAD_METHOD` | Same as HTTP status 405 - the HTTP method isn't allowed. |
| `0x8024401B` | `WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ` | Same as HTTP status 407 - proxy authentication is required. |
| `0x8024401C` | `WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT` | Same as HTTP status 408 - the server timed out waiting for the request. |
| `0x8024401D` | `WU_E_PT_HTTP_STATUS_CONFLICT` | Same as HTTP status 409 - the request wasn't completed due to a conflict with the current state of the resource. |
| `0x8024401E` | `WU_E_PT_HTTP_STATUS_GONE` | Same as HTTP status 410 - requested resource is no longer available at the server. |
| `0x8024401F` | `WU_E_PT_HTTP_STATUS_SERVER_ERROR` | Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. |
| `0x80244020` | `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED` | Same as HTTP status 500 - server doesn't support the functionality required to fulfill the request. |
|`0x80244021` | `WU_E_PT_HTTP_STATUS_BAD_GATEWAY` | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. |
| `0x80244022` | `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL` | Same as HTTP status 503 - the service is temporarily overloaded. |
| `0x80244023` | `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT` | Same as HTTP status 503 - the request was timed out waiting for a gateway. |
| `0x80244024` | `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP` | Same as HTTP status 505 - the server doesn't support the HTTP protocol version used for the request. |
| `0x80244025` | `WU_E_PT_FILE_LOCATIONS_CHANGED` | Operation failed due to a changed file location; refresh internal state and resend. |
| `0x80244026` | `WU_E_PT_REGISTRATION_NOT_SUPPORTED` | Operation failed because Windows Update Agent doesn't support registration with a non-WSUS server. |
| `0x80244027` | `WU_E_PT_NO_AUTH_PLUGINS_REQUESTED` | The server returned an empty authentication information list. |
| `0x80244028` | `WU_E_PT_NO_AUTH_COOKIES_CREATED` | Windows Update Agent was unable to create any valid authentication cookies. |
| `0x80244029` | `WU_E_PT_INVALID_CONFIG_PROP` | A configuration property value was wrong. |
| `0x8024402A` | `WU_E_PT_CONFIG_PROP_MISSING` | A configuration property value was missing. |
| `0x8024402B` | `WU_E_PT_HTTP_STATUS_NOT_MAPPED` | The HTTP request couldn't be completed and the reason didn't correspond to any of the `WU_E_PT_HTTP_*` error codes. |
| `0x8024402C` | `WU_E_PT_WINHTTP_NAME_NOT_RESOLVED` | Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name can't be resolved. |
| `0x8024402F` | `WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS` | External cab file processing completed with some errors. |
| `0x80244030` | `WU_E_PT_ECP_INIT_FAILED` | The external cab processor initialization didn't complete. |
| `0x80244031` | `WU_E_PT_ECP_INVALID_FILE_FORMAT` | The format of a metadata file was invalid. |
| `0x80244032` | `WU_E_PT_ECP_INVALID_METADATA` | External cab processor found invalid metadata. |
| `0x80244033` | `WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST` | The file digest couldn't be extracted from an external cab file. |
| `0x80244034` | `WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE` | An external cab file couldn't be decompressed. |
| `0x80244035` | `WU_E_PT_ECP_FILE_LOCATION_ERROR` | External cab processor was unable to get file locations. |
| `0x80244FFF` | `WU_E_PT_UNEXPECTED` | A communication error not covered by another `WU_E_PT_*` error code. |
| `0x8024502D` | `WU_E_PT_SAME_REDIR_ID` | Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. |
| `0x8024502E` | `WU_E_PT_NO_MANAGED_RECOVER` | A redirector recovery action didn't complete because the server is managed. |
## Download Manager errors
| Error code | Message | Description |
|------------|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| 0x80246001 | `WU_E_DM_URLNOTAVAILABLE` | A download manager operation could not be completed because the requested file does not have a URL. |
| 0x80246002 | `WU_E_DM_INCORRECTFILEHASH` | A download manager operation could not be completed because the file digest was not recognized. |
| 0x80246003 | `WU_E_DM_UNKNOWNALGORITHM` | A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm. |
| 0x80246004 | `WU_E_DM_NEEDDOWNLOADREQUEST` | An operation could not be completed because a download request is required from the download handler. |
| 0x80246005 | `WU_E_DM_NONETWORK` | A download manager operation could not be completed because the network connection was unavailable. |
| 0x80246006 | `WU_E_DM_WRONGBITSVERSION` | A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. |
| 0x80246007 | `WU_E_DM_NOTDOWNLOADED` | The update has not been downloaded. |
| 0x80246008 | `WU_E_DM_FAILTOCONNECTTOBITS` | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). |
| 0x80246009 | `WU_E_DM_BITSTRANSFERERROR` | A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error. |
| 0x8024600A | `WU_E_DM_DOWNLOADLOCATIONCHANGED` | A download must be restarted because the location of the source of the download has changed. |
| 0x8024600B | `WU_E_DM_CONTENTCHANGED` | A download must be restarted because the update content changed in a new revision. |
| 0x80246FFF | `WU_E_DM_UNEXPECTED` | There was a download manager error not covered by another `WU_E_DM_*` error code. |
| `0x80246001` | `WU_E_DM_URLNOTAVAILABLE` | A download manager operation couldn't be completed because the requested file doesn't have a URL. |
| `0x80246002` | `WU_E_DM_INCORRECTFILEHASH` | A download manager operation couldn't be completed because the file digest wasn't recognized. |
| `0x80246003` | `WU_E_DM_UNKNOWNALGORITHM` | A download manager operation couldn't be completed because the file metadata requested an unrecognized hash algorithm. |
| `0x80246004` | `WU_E_DM_NEEDDOWNLOADREQUEST` | An operation couldn't be completed because a download request is required from the download handler. |
| `0x80246005` | `WU_E_DM_NONETWORK` | A download manager operation couldn't be completed because the network connection was unavailable. |
| `0x80246006` | `WU_E_DM_WRONGBITSVERSION` | A download manager operation couldn't be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. |
| `0x80246007` | `WU_E_DM_NOTDOWNLOADED` | The update hasn't been downloaded. |
| `0x80246008` | `WU_E_DM_FAILTOCONNECTTOBITS` | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). |
| `0x80246009` | `WU_E_DM_BITSTRANSFERERROR` | A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error. |
| `0x8024600A` | `WU_E_DM_DOWNLOADLOCATIONCHANGED` | A download must be restarted because the location of the source of the download has changed. |
| `0x8024600B` | `WU_E_DM_CONTENTCHANGED` | A download must be restarted because the update content changed in a new revision. |
| `0x80246FFF` | `WU_E_DM_UNEXPECTED` | There was a download manager error not covered by another `WU_E_DM_*` error code. |
## Update Handler errors
| Error code | Message | Description |
|------------|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| 0x80242000 | `WU_E_UH_REMOTEUNAVAILABLE` | A request for a remote update handler could not be completed because no remote process is available. |
| 0x80242001 | `WU_E_UH_LOCALONLY` | A request for a remote update handler could not be completed because the handler is local only. |
| 0x80242002 | `WU_E_UH_UNKNOWNHANDLER` | A request for an update handler could not be completed because the handler could not be recognized. |
| 0x80242003 | `WU_E_UH_REMOTEALREADYACTIVE` | A remote update handler could not be created because one already exists. |
| 0x80242004 | `WU_E_UH_DOESNOTSUPPORTACTION` | A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). |
| 0x80242005 | `WU_E_UH_WRONGHANDLER` | An operation did not complete because the wrong handler was specified. |
| 0x80242006 | `WU_E_UH_INVALIDMETADATA` | A handler operation could not be completed because the update contains invalid metadata. |
| 0x80242007 | `WU_E_UH_INSTALLERHUNG` | An operation could not be completed because the installer exceeded the time limit. |
| 0x80242008 | `WU_E_UH_OPERATIONCANCELLED` | An operation being done by the update handler was canceled. |
| 0x80242009 | `WU_E_UH_BADHANDLERXML` | An operation could not be completed because the handler-specific metadata is invalid. |
| 0x8024200A | `WU_E_UH_CANREQUIREINPUT` | A request to the handler to install an update could not be completed because the update requires user input. |
| 0x8024200B | `WU_E_UH_INSTALLERFAILURE` | The installer failed to install (uninstall) one or more updates. |
| 0x8024200C | `WU_E_UH_FALLBACKTOSELFCONTAINED` | The update handler should download self-contained content rather than delta-compressed content for the update. |
| 0x8024200D | `WU_E_UH_NEEDANOTHERDOWNLOAD` | The update handler did not install the update because it needs to be downloaded again. |
| 0x8024200E | `WU_E_UH_NOTIFYFAILURE` | The update handler failed to send notification of the status of the install (uninstall) operation. |
| 0x8024200F | `WU_E_UH_INCONSISTENT_FILE_NAMES` | The file names contained in the update metadata and in the update package are inconsistent. |
| 0x80242010 | `WU_E_UH_FALLBACKERROR` | The update handler failed to fall back to the self-contained content. |
| 0x80242011 | `WU_E_UH_TOOMANYDOWNLOADREQUESTS` | The update handler has exceeded the maximum number of download requests. |
| 0x80242012 | `WU_E_UH_UNEXPECTEDCBSRESPONSE` | The update handler has received an unexpected response from CBS. |
| 0x80242013 | `WU_E_UH_BADCBSPACKAGEID` | The update metadata contains an invalid CBS package identifier. |
| 0x80242014 | `WU_E_UH_POSTREBOOTSTILLPENDING` | The post-reboot operation for the update is still in progress. |
| 0x80242015 | `WU_E_UH_POSTREBOOTRESULTUNKNOWN` | The result of the post-reboot operation for the update could not be determined. |
| 0x80242016 | `WU_E_UH_POSTREBOOTUNEXPECTEDSTATE` | The state of the update after its post-reboot operation has completed is unexpected. |
| 0x80242017 | `WU_E_UH_NEW_SERVICING_STACK_REQUIRED` | The OS servicing stack must be updated before this update is downloaded or installed. |
| 0x80242FFF | `WU_E_UH_UNEXPECTED` | An update handler error not covered by another `WU_E_UH_*` code. |
| `0x80242000` | `WU_E_UH_REMOTEUNAVAILABLE` | A request for a remote update handler couldn't be completed because no remote process is available. |
| `0x80242001`| `WU_E_UH_LOCALONLY` | A request for a remote update handler couldn't be completed because the handler is local only. |
| `0x80242002` | `WU_E_UH_UNKNOWNHANDLER` | A request for an update handler couldn't be completed because the handler couldn't be recognized. |
| `0x80242003` | `WU_E_UH_REMOTEALREADYACTIVE` | A remote update handler couldn't be created because one already exists. |
| `0x80242004` | `WU_E_UH_DOESNOTSUPPORTACTION` | A request for the handler to install (uninstall) an update couldn't be completed because the update doesn't support install (uninstall). |
|`0x80242005` | `WU_E_UH_WRONGHANDLER` | An operation didn't complete because the wrong handler was specified. |
| `0x80242006` | `WU_E_UH_INVALIDMETADATA` | A handler operation couldn't be completed because the update contains invalid metadata. |
| `0x80242007` | `WU_E_UH_INSTALLERHUNG` | An operation couldn't be completed because the installer exceeded the time limit. |
| `0x80242008` | `WU_E_UH_OPERATIONCANCELLED` | An operation being done by the update handler was canceled. |
| `0x80242009` | `WU_E_UH_BADHANDLERXML` | An operation couldn't be completed because the handler-specific metadata is invalid. |
| `0x8024200A` | `WU_E_UH_CANREQUIREINPUT` | A request to the handler to install an update couldn't be completed because the update requires user input. |
| `0x8024200B` | `WU_E_UH_INSTALLERFAILURE` | The installer failed to install (uninstall) one or more updates. |
| `0x8024200C` | `WU_E_UH_FALLBACKTOSELFCONTAINED` | The update handler should download self-contained content rather than delta-compressed content for the update. |
| `0x8024200D` | `WU_E_UH_NEEDANOTHERDOWNLOAD` | The update handler didn't install the update because it needs to be downloaded again. |
| `0x8024200E` | `WU_E_UH_NOTIFYFAILURE` | The update handler failed to send notification of the status of the install (uninstall) operation. |
| `0x8024200F` | `WU_E_UH_INCONSISTENT_FILE_NAMES` | The file names contained in the update metadata and in the update package are inconsistent. |
| `0x80242010` | `WU_E_UH_FALLBACKERROR` | The update handler failed to fall back to the self-contained content. |
| `0x80242011` | `WU_E_UH_TOOMANYDOWNLOADREQUESTS` | The update handler has exceeded the maximum number of download requests. |
| `0x80242012` | `WU_E_UH_UNEXPECTEDCBSRESPONSE` | The update handler has received an unexpected response from CBS. |
| `0x80242013` | `WU_E_UH_BADCBSPACKAGEID` | The update metadata contains an invalid CBS package identifier. |
| `0x80242014` | `WU_E_UH_POSTREBOOTSTILLPENDING` | The post-reboot operation for the update is still in progress. |
| `0x80242015` | `WU_E_UH_POSTREBOOTRESULTUNKNOWN` | The result of the post-reboot operation for the update couldn't be determined. |
| `0x80242016` | `WU_E_UH_POSTREBOOTUNEXPECTEDSTATE` | The state of the update after its post-reboot operation has completed is unexpected. |
| `0x80242017` | `WU_E_UH_NEW_SERVICING_STACK_REQUIRED` | The OS servicing stack must be updated before this update is downloaded or installed. |
| `0x80242FFF` | `WU_E_UH_UNEXPECTED` | An update handler error not covered by another `WU_E_UH_*` code. |
## Data Store errors
| Error code | Message | Description |
|------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0x80248000 | `WU_E_DS_SHUTDOWN` | An operation failed because Windows Update Agent is shutting down. |
| 0x80248001 | `WU_E_DS_INUSE` | An operation failed because the data store was in use. |
| 0x80248002 | `WU_E_DS_INVALID` | The current and expected states of the data store do not match. |
| 0x80248003 | `WU_E_DS_TABLEMISSING` | The data store is missing a table. |
| 0x80248004 | `WU_E_DS_TABLEINCORRECT` | The data store contains a table with unexpected columns. |
| 0x80248005 | `WU_E_DS_INVALIDTABLENAME` | A table could not be opened because the table is not in the data store. |
| 0x80248006 | `WU_E_DS_BADVERSION` | The current and expected versions of the data store do not match. |
| 0x80248007 | `WU_E_DS_NODATA` | The information requested is not in the data store. |
| 0x80248008 | `WU_E_DS_MISSINGDATA` | The data store is missing required information or has a NULL in a table column that requires a non-null value. |
| 0x80248009 | `WU_E_DS_MISSINGREF` | The data store is missing required information or has a reference to missing license terms file localized property or linked row. |
| 0x8024800A | `WU_E_DS_UNKNOWNHANDLER` | The update was not processed because its update handler could not be recognized. |
| 0x8024800B | `WU_E_DS_CANTDELETE` | The update was not deleted because it is still referenced by one or more services. |
| 0x8024800C | `WU_E_DS_LOCKTIMEOUTEXPIRED` | The data store section could not be locked within the allotted time. |
| 0x8024800D | `WU_E_DS_NOCATEGORIES` | The category was not added because it contains no parent categories and is not a top-level category itself. |
| 0x8024800E | `WU_E_DS_ROWEXISTS` | The row was not added because an existing row has the same primary key. |
| 0x8024800F | `WU_E_DS_STOREFILELOCKED` | The data store could not be initialized because it was locked by another process. |
| 0x80248010 | `WU_E_DS_CANNOTREGISTER` | The data store is not allowed to be registered with COM in the current process. |
| 0x80248011 | `WU_E_DS_UNABLETOSTART` | Could not create a data store object in another process. |
| 0x80248013 | `WU_E_DS_DUPLICATEUPDATEID` | The server sent the same update to the client with two different revision IDs. |
| 0x80248014 | `WU_E_DS_UNKNOWNSERVICE` | An operation did not complete because the service is not in the data store. |
| 0x80248015 | `WU_E_DS_SERVICEEXPIRED` | An operation did not complete because the registration of the service has expired. |
| 0x80248016 | `WU_E_DS_DECLINENOTALLOWED` | A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline. |
| 0x80248017 | `WU_E_DS_TABLESESSIONMISMATCH` | A table was not closed because it is not associated with the session. |
| 0x80248018 | `WU_E_DS_SESSIONLOCKMISMATCH` | A table was not closed because it is not associated with the session. |
| 0x80248019 | `WU_E_DS_NEEDWINDOWSSERVICE` | A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service. |
| 0x8024801A | `WU_E_DS_INVALIDOPERATION` | A request was declined because the operation is not allowed. |
| 0x8024801B | `WU_E_DS_SCHEMAMISMATCH` | The schema of the current data store and the schema of a table in a backup XML document do not match. |
| 0x8024801C | `WU_E_DS_RESETREQUIRED` | The data store requires a session reset; release the session and retry with a new session. |
| 0x8024801D | `WU_E_DS_IMPERSONATED` | A data store operation did not complete because it was requested with an impersonated identity. |
| 0x80248FFF | `WU_E_DS_UNEXPECTED` | A data store error not covered by another `WU_E_DS_*` code. |
| `0x80248000` | `WU_E_DS_SHUTDOWN` | An operation failed because Windows Update Agent is shutting down. |
| `0x80248001` | `WU_E_DS_INUSE` | An operation failed because the data store was in use. |
| `0x80248002` | `WU_E_DS_INVALID` | The current and expected states of the data store don't match. |
| `0x80248003` | `WU_E_DS_TABLEMISSING` | The data store is missing a table. |
| `0x80248004` | `WU_E_DS_TABLEINCORRECT` | The data store contains a table with unexpected columns. |
| `0x80248005` | `WU_E_DS_INVALIDTABLENAME` | A table couldn't be opened because the table isn't in the data store. |
| `0x80248006` | `WU_E_DS_BADVERSION` | The current and expected versions of the data store don't match. |
| `0x80248007` | `WU_E_DS_NODATA` | The information requested isn't in the data store. |
| `0x80248008` | `WU_E_DS_MISSINGDATA` | The data store is missing required information or has a NULL in a table column that requires a non-null value. |
| `0x80248009` | `WU_E_DS_MISSINGREF` | The data store is missing required information or has a reference to missing license terms file localized property or linked row. |
| `0x8024800A` | `WU_E_DS_UNKNOWNHANDLER` | The update wasn't processed because its update handler couldn't be recognized. |
| `0x8024800B` | `WU_E_DS_CANTDELETE` | The update wasn't deleted because it's still referenced by one or more services. |
| `0x8024800C` | `WU_E_DS_LOCKTIMEOUTEXPIRED` | The data store section couldn't be locked within the allotted time. |
| `0x8024800D` | `WU_E_DS_NOCATEGORIES` | The category wasn't added because it contains no parent categories and isn't a top-level category itself. |
| `0x8024800E` | `WU_E_DS_ROWEXISTS` | The row wasn't added because an existing row has the same primary key. |
| `0x8024800F` | `WU_E_DS_STOREFILELOCKED` | The data store couldn't be initialized because it was locked by another process. |
| `0x80248010` | `WU_E_DS_CANNOTREGISTER` | The data store isn't allowed to be registered with COM in the current process. |
| `0x80248011` | `WU_E_DS_UNABLETOSTART` | Couldn't create a data store object in another process. |
| `0x80248013` | `WU_E_DS_DUPLICATEUPDATEID` | The server sent the same update to the client with two different revision IDs. |
| `0x80248014` | `WU_E_DS_UNKNOWNSERVICE` | An operation didn't complete because the service isn't in the data store. |
| `0x80248015` | `WU_E_DS_SERVICEEXPIRED` | An operation didn't complete because the registration of the service has expired. |
| `0x80248016` | `WU_E_DS_DECLINENOTALLOWED` | A request to hide an update was declined because it's a mandatory update or because it was deployed with a deadline. |
| `0x80248017` | `WU_E_DS_TABLESESSIONMISMATCH` | A table wasn't closed because it isn't associated with the session. |
| `0x80248018` | `WU_E_DS_SESSIONLOCKMISMATCH` | A table wasn't closed because it isn't associated with the session. |
| `0x80248019` | `WU_E_DS_NEEDWINDOWSSERVICE` | A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it's a built-in service and/or Automatic Updates can't fall back to another service. |
| `0x8024801A` | `WU_E_DS_INVALIDOPERATION` | A request was declined because the operation isn't allowed. |
| `0x8024801B` | `WU_E_DS_SCHEMAMISMATCH` | The schema of the current data store and the schema of a table in a backup XML document don't match. |
| `0x8024801C` | `WU_E_DS_RESETREQUIRED` | The data store requires a session reset; release the session and retry with a new session. |
| `0x8024801D` | `WU_E_DS_IMPERSONATED` | A data store operation didn't complete because it was requested with an impersonated identity. |
| `0x80248FFF` | `WU_E_DS_UNEXPECTED` | A data store error not covered by another `WU_E_DS_*` code. |
## Driver Util errors
The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped.
The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This isn't a fatal error, and the device is merely skipped.
| Error code | Message | Description |
|------------|-------------------------------|------------------------------------------------------------------------------------------------|
| 0x8024C001 | `WU_E_DRV_PRUNED` | A driver was skipped. |
| 0x8024C002 | `WU_E_DRV_NOPROP_OR_LEGACY` | A property for the driver could not be found. It may not conform with required specifications. |
| 0x8024C003 | `WU_E_DRV_REG_MISMATCH` | The registry type read for the driver does not match the expected type. |
| 0x8024C004 | `WU_E_DRV_NO_METADATA` | The driver update is missing metadata. |
| 0x8024C005 | `WU_E_DRV_MISSING_ATTRIBUTE` | The driver update is missing a required attribute. |
| 0x8024C006 | `WU_E_DRV_SYNC_FAILED` | Driver synchronization failed. |
| 0x8024C007 | `WU_E_DRV_NO_PRINTER_CONTENT` | Information required for the synchronization of applicable printers is missing. |
| 0x8024CFFF | `WU_E_DRV_UNEXPECTED` | A driver error not covered by another `WU_E_DRV_*` code. |
| `0x8024C001` | `WU_E_DRV_PRUNED` | A driver was skipped. |
| `0x8024C002` | `WU_E_DRV_NOPROP_OR_LEGACY` | A property for the driver couldn't be found. It may not conform with required specifications. |
| `0x8024C003` | `WU_E_DRV_REG_MISMATCH` | The registry type read for the driver doesn't match the expected type. |
| `0x8024C004` | `WU_E_DRV_NO_METADATA` | The driver update is missing metadata. |
| `0x8024C005` | `WU_E_DRV_MISSING_ATTRIBUTE` | The driver update is missing a required attribute. |
| `0x8024C006` | `WU_E_DRV_SYNC_FAILED` | Driver synchronization failed. |
| `0x8024C007` | `WU_E_DRV_NO_PRINTER_CONTENT` | Information required for the synchronization of applicable printers is missing. |
| `0x8024CFFF` | `WU_E_DRV_UNEXPECTED` | A driver error not covered by another `WU_E_DRV_*` code. |
## Windows Update error codes
| Error code | Message | Description |
|------------|-----------------------------------|--------------------------------------------------------------|
| 0x80240001 | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service.
| 0x80240002 | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded.
| 0x80240003 | `WU_E_UNKNOWN_ID` | An ID cannot be found.
| 0x80240004 | `WU_E_NOT_INITIALIZED` | The object could not be initialized.
| 0x80240005 | `WU_E_RANGEOVERLAP` | The update handler requested a byte range overlapping a previously requested range.
| 0x80240006 | `WU_E_TOOMANYRANGES` | The requested number of byte ranges exceeds the maximum number (2^31 - 1).
| 0x80240007 | `WU_E_INVALIDINDEX` | The index to a collection was invalid.
| 0x80240008 | `WU_E_ITEMNOTFOUND` | The key for the item queried could not be found.
| 0x80240009 | `WU_E_OPERATIONINPROGRESS` | Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.
| 0x8024000A | `WU_E_COULDNOTCANCEL` | Cancellation of the operation was not allowed.
| 0x8024000B | `WU_E_CALL_CANCELLED` | Operation was canceled.
| 0x8024000C | `WU_E_NOOP` | No operation was required.
| 0x8024000D | `WU_E_XML_MISSINGDATA` | Windows Update Agent could not find required information in the update's XML data.
| 0x8024000E | `WU_E_XML_INVALID` | Windows Update Agent found invalid information in the update's XML data.
| 0x8024000F | `WU_E_CYCLE_DETECTED` | Circular update relationships were detected in the metadata.
| 0x80240010 | `WU_E_TOO_DEEP_RELATION` | Update relationships too deep to evaluate were evaluated.
| 0x80240011 | `WU_E_INVALID_RELATIONSHIP` | An invalid update relationship was detected.
| 0x80240012 | `WU_E_REG_VALUE_INVALID` | An invalid registry value was read.
| 0x80240013 | `WU_E_DUPLICATE_ITEM` | Operation tried to add a duplicate item to a list.
| 0x80240016 | `WU_E_INSTALL_NOT_ALLOWED` | Operation tried to install while another installation was in progress or the system was pending a mandatory restart.
| 0x80240017 | `WU_E_NOT_APPLICABLE` | Operation was not performed because there are no applicable updates.
| 0x80240018 | `WU_E_NO_USERTOKEN` | Operation failed because a required user token is missing.
| 0x80240019 | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update cannot be installed with other updates at the same time.
| 0x8024001A | `WU_E_POLICY_NOT_SET` | A policy value was not set.
| 0x8024001B | `WU_E_SELFUPDATE_IN_PROGRESS` | The operation could not be performed because the Windows Update Agent is self-updating.
| 0x8024001D | `WU_E_INVALID_UPDATE` | An update contains invalid metadata.
| 0x8024001E | `WU_E_SERVICE_STOP` | Operation did not complete because the service or system was being shut down.
| 0x8024001F | `WU_E_NO_CONNECTION` | Operation did not complete because the network connection was unavailable.
| 0x80240020 | `WU_E_NO_INTERACTIVE_USER` | Operation did not complete because there is no logged-on interactive user.
| 0x80240021 | `WU_E_TIME_OUT` | Operation did not complete because it timed out.
| 0x80240022 | `WU_E_ALL_UPDATES_FAILED` | Operation failed for all the updates.
| 0x80240023 | `WU_E_EULAS_DECLINED` | The license terms for all updates were declined.
| 0x80240024 | `WU_E_NO_UPDATE` | There are no updates.
| 0x80240025 | `WU_E_USER_ACCESS_DISABLED` | Group Policy settings prevented access to Windows Update.
| 0x80240026 | `WU_E_INVALID_UPDATE_TYPE` | The type of update is invalid.
| 0x80240027 | `WU_E_URL_TOO_LONG` | The URL exceeded the maximum length.
| 0x80240028 | `WU_E_UNINSTALL_NOT_ALLOWED` | The update could not be uninstalled because the request did not originate from a WSUS server.
| 0x80240029 | `WU_E_INVALID_PRODUCT_LICENSE` | Search may have missed some updates before there is an unlicensed application on the system.
| 0x8024002A | `WU_E_MISSING_HANDLER` | A component required to detect applicable updates was missing.
| 0x8024002B | `WU_E_LEGACYSERVER` | An operation did not complete because it requires a newer version of server.
| 0x8024002C | `WU_E_BIN_SOURCE_ABSENT` | A delta-compressed update could not be installed because it required the source.
| 0x8024002D | `WU_E_SOURCE_ABSENT` | A full-file update could not be installed because it required the source.
| 0x8024002E | `WU_E_WU_DISABLED` | Access to an unmanaged server is not allowed.
| 0x8024002F | `WU_E_CALL_CANCELLED_BY_POLICY` | Operation did not complete because the DisableWindowsUpdateAccess policy was set.
| 0x80240030 | `WU_E_INVALID_PROXY_SERVER` | The format of the proxy list was invalid.
| 0x80240031 | `WU_E_INVALID_FILE` | The file is in the wrong format.
| 0x80240032 | `WU_E_INVALID_CRITERIA` | The search criteria string was invalid.
| 0x80240033 | `WU_E_EULA_UNAVAILABLE` | License terms could not be downloaded.
| 0x80240034 | `WU_E_DOWNLOAD_FAILED` | Update failed to download.
| 0x80240035 | `WU_E_UPDATE_NOT_PROCESSED` | The update was not processed.
| 0x80240036 | `WU_E_INVALID_OPERATION` | The object's current state did not allow the operation.
| 0x80240037 | `WU_E_NOT_SUPPORTED` | The functionality for the operation is not supported.
| 0x80240038 | `WU_E_WINHTTP_INVALID_FILE` | The downloaded file has an unexpected content type.
| 0x80240039 | `WU_E_TOO_MANY_RESYNC` | Agent is asked by server to resync too many times.
| 0x80240040 | `WU_E_NO_SERVER_CORE_SUPPORT` | `WUA API` method does not run on Server Core installation.
| 0x80240041 | `WU_E_SYSPREP_IN_PROGRESS` | Service is not available while sysprep is running.
| 0x80240042 | `WU_E_UNKNOWN_SERVICE` | The update service is no longer registered with `AU`.
| 0x80240043 | `WU_E_NO_UI_SUPPORT` | There is no support for `WUA UI`.
| 0x80240FFF | `WU_E_UNEXPECTED` | An operation failed due to reasons not covered by another error code.
| 0x80070422 | | Windows Update service stopped working or is not running.
| `0x80240001` | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service.
| `0x80240002` | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded.
| `0x80240003` | `WU_E_UNKNOWN_ID` | An ID can't be found.
| `0x80240004` | `WU_E_NOT_INITIALIZED` | The object couldn't be initialized.
| `0x80240005` | `WU_E_RANGEOVERLAP` | The update handler requested a byte range overlapping a previously requested range.
| `0x80240006` | `WU_E_TOOMANYRANGES` | The requested number of byte ranges exceeds the maximum number (2^31 - 1).
| `0x80240007` | `WU_E_INVALIDINDEX` | The index to a collection was invalid.
| `0x80240008` | `WU_E_ITEMNOTFOUND` | The key for the item queried couldn't be found.
| `0x80240009` | `WU_E_OPERATIONINPROGRESS` | Another conflicting operation was in progress. Some operations such as installation can't be performed twice simultaneously.
| `0x8024000A` | `WU_E_COULDNOTCANCEL` | Cancellation of the operation wasn't allowed.
| `0x8024000B` | `WU_E_CALL_CANCELLED` | Operation was canceled.
| `0x8024000C` | `WU_E_NOOP` | No operation was required.
| `0x8024000D` | `WU_E_XML_MISSINGDATA` | Windows Update Agent couldn't find required information in the update's XML data.
| `0x8024000E` | `WU_E_XML_INVALID` | Windows Update Agent found invalid information in the update's XML data.
| `0x8024000F` | `WU_E_CYCLE_DETECTED` | Circular update relationships were detected in the metadata.
| `0x80240010` | `WU_E_TOO_DEEP_RELATION` | Update relationships too deep to evaluate were evaluated.
| `0x80240011` | `WU_E_INVALID_RELATIONSHIP` | An invalid update relationship was detected.
| `0x80240012` | `WU_E_REG_VALUE_INVALID` | An invalid registry value was read.
| `0x80240013` | `WU_E_DUPLICATE_ITEM` | Operation tried to add a duplicate item to a list.
| `0x80240016` | `WU_E_INSTALL_NOT_ALLOWED` | Operation tried to install while another installation was in progress or the system was pending a mandatory restart.
| `0x80240017` | `WU_E_NOT_APPLICABLE` | Operation wasn't performed because there are no applicable updates.
| `0x80240018` | `WU_E_NO_USERTOKEN` | Operation failed because a required user token is missing.
| `0x80240019` | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update can't be installed with other updates at the same time.
| `0x8024001A` | `WU_E_POLICY_NOT_SET` | A policy value wasn't set.
| `0x8024001B` | `WU_E_SELFUPDATE_IN_PROGRESS` | The operation couldn't be performed because the Windows Update Agent is self-updating.
| `0x8024001D` | `WU_E_INVALID_UPDATE` | An update contains invalid metadata.
| `0x8024001E` | `WU_E_SERVICE_STOP` | Operation didn't complete because the service or system was being shut down.
| `0x8024001F` | `WU_E_NO_CONNECTION` | Operation didn't complete because the network connection was unavailable.
| `0x80240020` | `WU_E_NO_INTERACTIVE_USER` | Operation didn't complete because there's no logged-on interactive user.
| `0x80240021` | `WU_E_TIME_OUT` | Operation didn't complete because it timed out.
| `0x80240022` | `WU_E_ALL_UPDATES_FAILED` | Operation failed for all the updates.
| `0x80240023` | `WU_E_EULAS_DECLINED` | The license terms for all updates were declined.
| `0x80240024` | `WU_E_NO_UPDATE` | There are no updates.
| `0x80240025` | `WU_E_USER_ACCESS_DISABLED` | Group Policy settings prevented access to Windows Update.
| `0x80240026` | `WU_E_INVALID_UPDATE_TYPE` | The type of update is invalid.
| `0x80240027` | `WU_E_URL_TOO_LONG` | The URL exceeded the maximum length.
| `0x80240028` | `WU_E_UNINSTALL_NOT_ALLOWED` | The update couldn't be uninstalled because the request didn't originate from a WSUS server.
| `0x80240029` | `WU_E_INVALID_PRODUCT_LICENSE` | Search may have missed some updates before there's an unlicensed application on the system.
| `0x8024002A` | `WU_E_MISSING_HANDLER` | A component required to detect applicable updates was missing.
| `0x8024002B` | `WU_E_LEGACYSERVER` | An operation didn't complete because it requires a newer version of server.
| `0x8024002C` | `WU_E_BIN_SOURCE_ABSENT` | A delta-compressed update couldn't be installed because it required the source.
| `0x8024002D` | `WU_E_SOURCE_ABSENT` | A full-file update couldn't be installed because it required the source.
| `0x8024002E` | `WU_E_WU_DISABLED` | Access to an unmanaged server isn't allowed.
| `0x8024002F` | `WU_E_CALL_CANCELLED_BY_POLICY` | Operation didn't complete because the DisableWindowsUpdateAccess policy was set.
| `0x80240030` | `WU_E_INVALID_PROXY_SERVER` | The format of the proxy list was invalid.
| `0x80240031` | `WU_E_INVALID_FILE` | The file is in the wrong format.
| `0x80240032` | `WU_E_INVALID_CRITERIA` | The search criteria string was invalid.
| `0x80240033` | `WU_E_EULA_UNAVAILABLE` | License terms couldn't be downloaded.
| `0x80240034` | `WU_E_DOWNLOAD_FAILED` | Update failed to download.
| `0x80240035` | `WU_E_UPDATE_NOT_PROCESSED` | The update wasn't processed.
| `0x80240036` | `WU_E_INVALID_OPERATION` | The object's current state didn't allow the operation.
| `0x80240037` | `WU_E_NOT_SUPPORTED` | The functionality for the operation isn't supported.
| `0x80240038` | `WU_E_WINHTTP_INVALID_FILE` | The downloaded file has an unexpected content type.
| `0x80240039` | `WU_E_TOO_MANY_RESYNC` | Agent is asked by server to resync too many times.
| `0x80240040` | `WU_E_NO_SERVER_CORE_SUPPORT` | `WUA API` method doesn't run on Server Core installation.
| `0x80240041` | `WU_E_SYSPREP_IN_PROGRESS` | Service isn't available while sysprep is running.
| `0x80240042` | `WU_E_UNKNOWN_SERVICE` | The update service is no longer registered with `AU`.
| `0x80240043` | `WU_E_NO_UI_SUPPORT` | There's no support for `WUA UI`.
| `0x80240FFF` | `WU_E_UNEXPECTED` | An operation failed due to reasons not covered by another error code.
| `0x80070422` | | Windows Update service stopped working or isn't running.
## Windows Update success codes
| Error code | Message | Description |
|------------|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
| 0x00240001 | `WU_S_SERVICE_STOP` | Windows Update Agent was stopped successfully. |
| 0x00240002 | `WU_S_SELFUPDATE` | Windows Update Agent updated itself. |
| 0x00240003 | `WU_S_UPDATE_ERROR` | Operation completed successfully but there were errors applying the updates. |
| 0x00240004 | `WU_S_MARKED_FOR_DISCONNECT` | A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. |
| 0x00240005 | `WU_S_REBOOT_REQUIRED` | The system must be restarted to complete installation of the update. |
| 0x00240006 | `WU_S_ALREADY_INSTALLED` | The update to be installed is already installed on the system. |
| 0x00240007 | `WU_S_ALREADY_UNINSTALLED` | The update to be removed is not installed on the system. |
| 0x00240008 | `WU_S_ALREADY_DOWNLOADED` | The update to be downloaded has already been downloaded. |
| `0x00240001` | `WU_S_SERVICE_STOP` | Windows Update Agent was stopped successfully. |
| `0x00240002` | `WU_S_SELFUPDATE` | Windows Update Agent updated itself. |
| `0x00240003` | `WU_S_UPDATE_ERROR` | Operation completed successfully but there were errors applying the updates. |
| `0x00240004` | `WU_S_MARKED_FOR_DISCONNECT` | A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. |
| `0x00240005` | `WU_S_REBOOT_REQUIRED` | The system must be restarted to complete installation of the update. |
| `0x00240006` | `WU_S_ALREADY_INSTALLED` | The update to be installed is already installed on the system. |
| `0x00240007` | `WU_S_ALREADY_UNINSTALLED` | The update to be removed isn't installed on the system. |
| `0x00240008` | `WU_S_ALREADY_DOWNLOADED` | The update to be downloaded has already been downloaded. |
## Windows Installer minor errors
The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer.
The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they're related to Windows Installer.
| Error code | Message | Description |
|------------|------------------------------|---------------------------------------------------------------------------------------------|
| 0x80241001 | `WU_E_MSI_WRONG_VERSION` | Search may have missed some updates because the Windows Installer is less than version 3.1. |
| 0x80241002 | `WU_E_MSI_NOT_CONFIGURED` | Search may have missed some updates because the Windows Installer is not configured. |
| 0x80241003 | `WU_E_MSP_DISABLED` | Search may have missed some updates because policy has disabled Windows Installer patching. |
| 0x80241004 | `WU_E_MSI_WRONG_APP_CONTEXT` | An update could not be applied because the application is installed per-user. |
| 0x80241FFF | `WU_E_MSP_UNEXPECTED` | Search may have missed some updates because there was a failure of the Windows Installer. |
| `0x80241001` | `WU_E_MSI_WRONG_VERSION` | Search may have missed some updates because the Windows Installer is less than version 3.1. |
| `0x80241002` | `WU_E_MSI_NOT_CONFIGURED` | Search may have missed some updates because the Windows Installer isn't configured. |
| `0x80241003` | `WU_E_MSP_DISABLED` | Search may have missed some updates because policy has disabled Windows Installer patching. |
| `0x80241004` | `WU_E_MSI_WRONG_APP_CONTEXT` | An update couldn't be applied because the application is installed per-user. |
| `0x80241FFF` | `WU_E_MSP_UNEXPECTED` | Search may have missed some updates because there was a failure of the Windows Installer. |
## Windows Update Agent update and setup errors
| Error code | Message | Description |
|------------|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
| 0x8024D001 | `WU_E_SETUP_INVALID_INFDATA` | Windows Update Agent could not be updated because an INF file contains invalid information. |
| 0x8024D002 | `WU_E_SETUP_INVALID_IDENTDATA` | Windows Update Agent could not be updated because the `wuident.cab` file contains invalid information. |
| 0x8024D003 | `WU_E_SETUP_ALREADY_INITIALIZED` | Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice. |
| 0x8024D004 | `WU_E_SETUP_NOT_INITIALIZED` | Windows Update Agent could not be updated because setup initialization never completed successfully. |
| 0x8024D005 | `WU_E_SETUP_SOURCE_VERSION_MISMATCH` | Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions. |
| 0x8024D006 | `WU_E_SETUP_TARGET_VERSION_GREATER` | Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file. |
| 0x8024D007 | `WU_E_SETUP_REGISTRATION_FAILED` | Windows Update Agent could not be updated because `regsvr32.exe` returned an error. |
| 0x8024D009 | `WU_E_SETUP_SKIP_UPDATE` | An update to the Windows Update Agent was skipped due to a directive in the `wuident.cab` file. |
| 0x8024D00A | `WU_E_SETUP_UNSUPPORTED_CONFIGURATION` | Windows Update Agent could not be updated because the current system configuration is not supported. |
| 0x8024D00B | `WU_E_SETUP_BLOCKED_CONFIGURATION` | Windows Update Agent could not be updated because the system is configured to block the update. |
| 0x8024D00C | `WU_E_SETUP_REBOOT_TO_FIX` | Windows Update Agent could not be updated because a restart of the system is required. |
| 0x8024D00D | `WU_E_SETUP_ALREADYRUNNING` | Windows Update Agent setup is already running. |
| 0x8024D00E | `WU_E_SETUP_REBOOTREQUIRED` | Windows Update Agent setup package requires a reboot to complete installation. |
| 0x8024D00F | `WU_E_SETUP_HANDLER_EXEC_FAILURE` | Windows Update Agent could not be updated because the setup handler failed during execution. |
| 0x8024D010 | `WU_E_SETUP_INVALID_REGISTRY_DATA` | Windows Update Agent could not be updated because the registry contains invalid information. |
| 0x8024D013 | `WU_E_SETUP_WRONG_SERVER_VERSION` | Windows Update Agent could not be updated because the server does not contain update information for this version. |
| 0x8024DFFF | `WU_E_SETUP_UNEXPECTED` | Windows Update Agent could not be updated because of an error not covered by another `WU_E_SETUP_*` error code. |
| `0x8024D001` | `WU_E_SETUP_INVALID_INFDATA` | Windows Update Agent couldn't be updated because an INF file contains invalid information. |
| `0x8024D002` | `WU_E_SETUP_INVALID_IDENTDATA` | Windows Update Agent couldn't be updated because the `wuident.cab` file contains invalid information. |
| `0x8024D003` | `WU_E_SETUP_ALREADY_INITIALIZED` | Windows Update Agent couldn't be updated because of an internal error that caused setup initialization to be performed twice. |
| `0x8024D004` | `WU_E_SETUP_NOT_INITIALIZED` | Windows Update Agent couldn't be updated because setup initialization never completed successfully. |
| `0x8024D005` | `WU_E_SETUP_SOURCE_VERSION_MISMATCH` | Windows Update Agent couldn't be updated because the versions specified in the INF don't match the actual source file versions. |
| `0x8024D006` | `WU_E_SETUP_TARGET_VERSION_GREATER` | Windows Update Agent couldn't be updated because a WUA file on the target system is newer than the corresponding source file. |
| `0x8024D007` | `WU_E_SETUP_REGISTRATION_FAILED` | Windows Update Agent couldn't be updated because `regsvr32.exe` returned an error. |
| `0x8024D009` | `WU_E_SETUP_SKIP_UPDATE` | An update to the Windows Update Agent was skipped due to a directive in the `wuident.cab` file. |
| `0x8024D00A` | `WU_E_SETUP_UNSUPPORTED_CONFIGURATION` | Windows Update Agent couldn't be updated because the current system configuration isn't supported. |
| `0x8024D00B` | `WU_E_SETUP_BLOCKED_CONFIGURATION` | Windows Update Agent couldn't be updated because the system is configured to block the update. |
| `0x8024D00C` | `WU_E_SETUP_REBOOT_TO_FIX` | Windows Update Agent couldn't be updated because a restart of the system is required. |
| `0x8024D00D` | `WU_E_SETUP_ALREADYRUNNING` | Windows Update Agent setup is already running. |
| `0x8024D00E` | `WU_E_SETUP_REBOOTREQUIRED` | Windows Update Agent setup package requires a reboot to complete installation. |
| `0x8024D00F` | `WU_E_SETUP_HANDLER_EXEC_FAILURE` | Windows Update Agent couldn't be updated because the setup handler failed during execution. |
| `0x8024D010` | `WU_E_SETUP_INVALID_REGISTRY_DATA` | Windows Update Agent couldn't be updated because the registry contains invalid information. |
| `0x8024D013` | `WU_E_SETUP_WRONG_SERVER_VERSION` | Windows Update Agent couldn't be updated because the server doesn't contain update information for this version. |
| `0x8024DFFF` | `WU_E_SETUP_UNEXPECTED` | Windows Update Agent couldn't be updated because of an error not covered by another `WU_E_SETUP_*` error code. |

8
windows/deployment/update/windows-update-logs.md
View File

@ -2,20 +2,22 @@
title: Windows Update log files
description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: troubleshooting
author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Windows Update log files
>Applies to: Windows 10
The following table describes the log files created by Windows Update.

13
windows/deployment/update/windows-update-overview.md
View File

@ -2,12 +2,15 @@
title: Get started with Windows Update
description: An overview of learning resources for Windows Update, including documents on architecture, log files, and common errors.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 09/18/2018
ms.topic: article
ms.technology: itpro-updates
---
# Get started with Windows Update
@ -31,7 +34,7 @@ To understand the changes to the Windows Update architecture that UUP introduces
![Windows Update terminology.](images/update-terminology.png)
- **Update UI** The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**.
- **Update UI** - The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**.
- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update.
Update types-
@ -51,5 +54,5 @@ To understand the changes to the Windows Update architecture that UUP introduces
Additional components include the following-
- **CompDB** A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules.
- **Action List** The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.
- **CompDB** - A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules.
- **Action List** - The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.

11
windows/deployment/update/windows-update-security.md
View File

@ -1,13 +1,16 @@
---
title: Windows Update security
manager: aaroncz
description: Overview of the security for Windows Update.
description: Overview of the security for Windows Update including security for the metadata exchange and content download.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 10/25/2022
ms.technology: itpro-updates
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 08/28/2023
---
# Windows Update security

19
windows/deployment/update/wufb-compliancedeadlines.md
View File

@ -1,22 +1,21 @@
---
title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10)
title: Enforce compliance deadlines with policies
titleSuffix: Windows Update for Business
description: This article contains information on how to enforce compliance deadlines using Windows Update for Business.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 05/12/2023
---
# Enforcing compliance deadlines for updates
**Applies to**
- Windows 10
- Windows 11
Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings:
@ -26,13 +25,13 @@ With a current version, it's best to use the new policy introduced in June 2019
- Update/ConfigureDeadlineGracePeriod
- Update/ConfigureDeadlineNoAutoReboot
### Policy setting overview
## Policy setting overview
|Policy|Description |
|-|-|
| (Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | This policy includes a deadline and a configurable grace period with the option to opt out of automatic restarts until the deadline is reached. This is the recommended policy for Windows 10, version 1709 and later.|
### Suggested configurations
## Suggested configurations
|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
|-|-|-|-|-|

11
windows/deployment/update/wufb-reports-admin-center.md
View File

@ -1,19 +1,24 @@
---
title: Microsoft 365 admin center software updates page
titleSuffix: Windows Update for Business reports
manager: aaroncz
description: Microsoft admin center populates Windows Update for Business reports data into the software updates page.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows Update for Business reports</a>
-<a href=https://learn.microsoft.com/microsoft-365/admin/admin-overview/admin-center-overview >Microsoft 365 admin center</a>
ms.date: 04/26/2023
ms.technology: itpro-updates
---
# Microsoft 365 admin center software updates page
<!--37063317, 30141258, 37063041, ID2616577, ID2582518 -->
***(Applies to: Windows 11 & Windows 10 using [Windows Update for Business reports](wufb-reports-overview.md) and the [Microsoft 365 admin center](/microsoft-365/admin/admin-overview/admin-center-overview))***
The **Software updates** page in the [Microsoft 365 admin center](https://admin.microsoft.com) displays a high-level overview of the installation status for Microsoft 365 Apps and Windows updates in your environment. [Quality updates](quality-updates.md) that contain security fixes are typically released on the second Tuesday of each month. Ensuring these updates are installed is important because they help protect you from known vulnerabilities. The **Software updates** page allows you to easily determine the overall update compliance for your devices.

15
windows/deployment/update/wufb-reports-configuration-intune.md
View File

@ -1,20 +1,21 @@
---
title: Configuring Microsoft Intune devices for Windows Update for Business reports
manager: aaroncz
description: Configuring devices that are enrolled in Microsoft Intune for Windows Update for Business reports
title: Configure devices using Microsoft Intune
titleSuffix: Windows Update for Business reports
description: How to configure devices to use Windows Update for Business reports from Microsoft Intune.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11 and Windows 10</a> devices managed by <a href=https://learn.microsoft.com/mem/intune/fundamentals/what-is-intune target=_blank>Microsoft Intune</a>
ms.date: 03/08/2023
ms.technology: itpro-updates
---
# Configuring Microsoft Intune devices for Windows Update for Business reports
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Intune](/mem/intune/fundamentals/what-is-intune)***
This article is targeted at configuring devices enrolled to [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) for Windows Update for Business reports, within Microsoft Intune itself. Configuring devices for Windows Update for Business reports in Microsoft Intune breaks down to the following steps:

15
windows/deployment/update/wufb-reports-configuration-manual.md
View File

@ -1,19 +1,22 @@
---
title: Manually configuring devices for Windows Update for Business reports
manager: aaroncz
description: How to manually configure devices for Windows Update for Business reports
title: Manually configure devices to send data
titleSuffix: Windows Update for Business reports
description: How to manually configure devices for Windows Update for Business reports using a PowerShell script.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.topic: article
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 11/15/2022
ms.technology: itpro-updates
---
# Manually configuring devices for Windows Update for Business reports
<!--37063317, 30141258, 37063041-->
***(Applies to: Windows 11 & Windows 10)***
There are a number of requirements to consider when manually configuring devices for Windows Update for Business reports. These requirements can potentially change with newer versions of Windows client. The [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.

Some files were not shown because too many files have changed in this diff Show More