deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #6881 from MicrosoftDocs/main

Browse Source 
Publish 08/02/2022 3:30 PM PT
This commit is contained in:
Angela Fleischmann 2022-08-02 16:40:10 -06:00 committed by GitHub
commit 11d69a30b1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 124 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
windows/client-management/mdm/enterprisedataprotection-csp.md
View File

@ -27,6 +27,11 @@ The table below shows the applicability of Windows:
The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
> [!NOTE]
> Starting in July 2022, Microsoft is deprecating Windows Information Protection (WIP) and the APIs that support WIP. Microsoft will continue to support WIP on supported versions of Windows. New versions of Windows won't include new capabilities for WIP, and it won't be supported in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/announcing-the-sunset-of-windows-information-protection-wip/ba-p/3579282).
>
> For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). Purview simplifies the configuration set-up and provides an advanced set of capabilities.
> [!NOTE]
> To make Windows Information Protection functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).

49
windows/client-management/mdm/firewall-csp.md
View File

@ -112,6 +112,13 @@ Firewall
----------------FriendlyName
----------------Status
----------------Name
----------------RemoteAddressDynamicKeywords
--------DynamicKeywords
----------------Addresses
-------------------------Id
---------------------------------Keyword
---------------------------------Addresses
---------------------------------AutoResolve
```
<a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/Firewall**
@ -352,6 +359,7 @@ Comma-separated list of local addresses covered by the rule. The default value i
- "*" indicates any local address. If present, the local address must be the only token included.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv4 address.
- A valid IPv6 address.
- An IPv4 address range in the format of &quot;start address - end address&quot; with no spaces included.
- An IPv6 address range in the format of &quot;start address - end address&quot; with no spaces included.
@ -372,7 +380,8 @@ List of comma separated tokens specifying the remote addresses covered by the ru
- &quot;Internet&quot;
- &quot;Ply2Renders&quot;
- &quot;LocalSubnet&quot; indicates any local address on the local subnet. This token isn't case-sensitive.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv4 address.
- A valid IPv6 address.
- An IPv4 address range in the format of &quot;start address - end address&quot; with no spaces included.
- An IPv6 address range in the format of &quot;start address - end address&quot; with no spaces included.
@ -445,6 +454,44 @@ Value type is string. Supported operation is Get.
Name of the rule.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="remoteaddressdynamickeywords"></a>**FirewallRules/_FirewallRuleName_/RemoteAddressDynamicKeywords**
Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying the remote addresses covered by the rule.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="dynamickeywords"></a>**MdmStore/DynamicKeywords**
Interior node.
Supported operation is Get.
<a href="" id="addresses"></a>**MdmStore/DynamicKeywords/Addresses**
Interior node.
Supported operation is Get.
<a href="" id="id"></a>**MdmStore/DynamicKeywords/Addresses/Id**
A unique GUID string identifier for this dynamic keyword address.
Value type is string. Supported operations are Add, Delete, and Get.
<a href="" id="keyword"></a>**MdmStore/DynamicKeywords/Addresses/Id/Keyword**
A String representing a keyword. If the AutoResolve value is true, this should be a Fully Qualified Domain Name (wildcards accepted, for example "contoso.com" or "*.contoso.com").
Value type is string. Supported operations are Add, Delete, and Get.
<a href="" id="addresses"></a>**MdmStore/DynamicKeywords/Addresses/Id/Addresses**
Consists of one or more comma-delimited tokens specifying the addresses covered by this keyword. This value should not be set if AutoResolve is true.
Valid tokens include:
- A subnet specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv4 address.
- A valid IPv6 address.
- An IPv4 address range in the format of "start address-end address" with no spaces included.
- An IPv6 address range in the format of "start address-end address" with no spaces included.
Supported operations are Add, Delete, Replace, and Get.
<a href="" id="autoresolve"></a>**MdmStore/DynamicKeywords/Addresses/Id/AutoResolve**
Boolean value. If this flag is set to TRUE, then the 'keyword' field of this object is expected to be a Fully Qualified Domain Name, and the addresses will be automatically resolved. This flag should only be set if the Microsoft Defender Advanced Threat Protection Service is present.
Value type is string. Supported operations are Add, Delete, and Get.
Value type is string. Supported operations are Add, Delete, and Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

7
windows/deployment/do/TOC.yml
View File

@ -8,14 +8,14 @@
- name: What's new
href: whats-new-do.md
- name: Configure Delivery Optimization
items:
- name: Configure Windows Clients
items:
- name: Windows Delivery Optimization settings
href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings
- name: Windows Delivery Optimization Frequently Asked Questions
href: ../update/waas-delivery-optimization-faq.md
- name: Configure Microsoft Endpoint Manager
items:
- name: Delivery Optimization settings in Microsoft Intune
@ -40,3 +40,6 @@
href: delivery-optimization-workflow.md
- name: Using a proxy with Delivery Optimization
href: delivery-optimization-proxy.md
- name: Content endpoints for Delivery Optimization and Microsoft Connected Cache
href: delivery-optimization-endpoints.md

37
windows/deployment/do/delivery-optimization-endpoints.md Normal file
View File

@ -0,0 +1,37 @@
---
title: Delivery Optimization and Microsoft Connected Cache content endpoints
description: List of fully qualified domain names, ports, and associated content types to use Delivery Optimization and Microsoft Connected Cache.
ms.date: 07/26/2022
ms.prod: w10
ms.technology: windows
ms.topic: reference
ms.localizationpriority: medium
author: cmknox
ms.author: carmenf
ms.reviewer: mstewart
manager: naengler
---
# Delivery Optimization and Microsoft Connected Cache content type endpoints
_Applies to:_
- Windows 11
- Windows 10
> [!NOTE]
> All ports are outbound.
This article lists the endpoints that need to be allowed through the firewall to ensure that content from Delivery Optimization and Microsoft Connected cache is properly delivered. Use the table below to reference any particular content types supported by Delivery Optimization and Microsoft Connected Cache:
|Domain Name |Protocol/Port(s) | Content Type | Additional Information | Version |
|---------|---------|---------------|-------------------|-----------------|
| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com | HTTP / 80 | Windows Update </br> Windows Defender </br> Windows Drivers | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Microsoft Endpoint Configuration Manager Distribution Point |
| *.delivery.mp.microsoft.com | HTTP / 80 | Edge Browser | [Complete list](/deployedge/microsoft-edge-security-endpoints) of endpoints for Edge Browser. | Microsoft Endpoint Configuration Manager Distribution Point |
| *.officecdn.microsoft.com.edgesuite.net, *.officecdn.microsoft.com, *.cdn.office.net | HTTP / 80 | Office CDN updates | [Complete list](/office365/enterprise/office-365-endpoints) of endpoints for Office CDN updates. | Microsoft Endpoint Configuration Manager Distribution Point |
| *.manage.microsoft.com, *.swda01.manage.microsoft.com, *.swda02.manage.microsoft.com, *.swdb01.manage.microsoft.com, *.swdb02.manage.microsoft.com, *.swdc01.manage.microsoft.com, *.swdc02.manage.microsoft.com, *.swdd01.manage.microsoft.com, *.swdd02.manage.microsoft.com, *.swda01-mscdn.manage.microsoft.com, *.swda02-mscdn.manage.microsoft.com, *.swdb01-mscdn.manage.microsoft.com, *.swdb02-mscdn.manage.microsoft.com, *.swdc01-mscdn.manage.microsoft.com, *.swdc02-mscdn.manage.microsoft.com, *.swdd01-mscdn.manage.microsoft.com, *.swdd02-mscdn.manage.microsoft.com | HTTP / 80 </br> HTTPs / 443 | Intune Win32 Apps | [Complete list](/mem/intune/fundamentals/intune-endpoints) of endpoints for Intune Win32 Apps updates. | Microsoft Endpoint Configuration Manager Distribution Point |
| *.statics.teams.cdn.office.net | HTTP / 80 </br> HTTPs / 443 | Teams | | Microsoft Endpoint Configuration Manager Distribution Point |
| *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Microsoft Endpoint Configuration Manager Distribution Point |
| *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Microsoft Endpoint Configuration Manager Distribution Point |
| *.do.dsp.mp.microsoft.com | HTTP / 80 </br> HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../update/waas-delivery-optimization-faq.md#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure |
| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com | AMQP / 5671 </br> MQTT / 8883 </br> HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure |

26
windows/deployment/do/delivery-optimization-proxy.md
View File

@ -12,27 +12,27 @@ ms.topic: article
# Using a proxy with Delivery Optimization
**Applies to**
**Applies to:**
- Windows 10
- Windows 11
- Windows 10
When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls.
When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls.
Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows.
For downloads that use Delivery Optimization to successfully use the proxy, you should set the proxy via Windows **Proxy Settings** or the Internet Explorer proxy settings.
Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the “NetworkService” context if proxy authentication is required.
Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the “NetworkService” context if proxy authentication is required.
> [!NOTE]
> We don't recommend that you use `netsh winhttp set proxy ProxyServerName:PortNumber`. Using this offers no auto-detection of the proxy, no support for an explicit PAC URL, and no authentication to the proxy. This setting is ignored by WinHTTP for requests that use auto-discovery (if an interactive user token is used).
If a user is signed in, the system uses the Internet Explorer proxy.
If no user is signed in, even if both the Internet Explorer proxy and netsh configuration are set, the netsh configuration will take precedence over the Internet Explorer proxy. This can result in download failures. For example, you might receive HTTP_E_STATUS_PROXY_AUTH_REQ or HTTP_E_STATUS_DENIED errors.
If no user is signed in, even if both the Internet Explorer proxy and netsh configuration are set, the netsh configuration will take precedence over the Internet Explorer proxy. This can result in download failures. For example, you might receive HTTP_E_STATUS_PROXY_AUTH_REQ or HTTP_E_STATUS_DENIED errors.
You can still use netsh to import the proxy setting from Internet Explorer (`netsh winhttp import proxy source=ie `) if your proxy configuration is a static *proxyServerName:Port*. However, the same limitations mentioned previously apply.
You can still use netsh to import the proxy setting from Internet Explorer (`netsh winhttp import proxy source=ie `) if your proxy configuration is a static *proxyServerName:Port*. However, the same limitations mentioned previously apply.
### Summary of settings behavior
@ -43,7 +43,7 @@ With an interactive user signed in:
|Named proxy set by using: |Delivery Optimization successfully uses proxy |
|---------|---------|
|Internet Explorer proxy, current user | Yes |
|Internet Explorer proxy, device-wide | Yes |
|Internet Explorer proxy, device-wide | Yes |
|netsh proxy | No |
|Both Internet Explorer proxy (current user) *and* netsh proxy | Yes, Internet Explorer proxy is used |
|Both Internet Explorer proxy (device-wide) *and* netsh proxy | Yes, Internet Explorer proxy is used |
@ -53,7 +53,7 @@ With NetworkService (if unable to obtain a user token from a signed-in user):
|Named proxy set by using: |Delivery Optimization successfully uses proxy |
|---------|---------|
|Internet Explorer proxy, current user | No |
|Internet Explorer proxy, device-wide | Yes |
|Internet Explorer proxy, device-wide | Yes |
|netsh proxy | Yes |
|Both Internet Explorer proxy (current user) *and* netsh proxy | Yes, netsh proxy is used |
|Both Internet Explorer proxy (device-wide) *and* netsh proxy | Yes, netsh proxy is used |
@ -70,10 +70,10 @@ This policy is meant to ensure that proxy settings apply uniformly to the same c
Starting with Windows 10, version 2004, you can use Connected Cache behind a proxy. In older versions, when you set Delivery Optimization to download from Connected Cache, it will bypass the proxy and try to connect directly to the Connected Cache server. This can cause failure to download.
However, you can set the Connected Cache server to use an unauthenticated proxy. For more information, see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache#prerequisites-and-limitations).
However, you can set the Connected Cache server to use an unauthenticated proxy. For more information, see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache#prerequisites-and-limitations).
## Related articles
## Related articles
- [How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP)?](/archive/blogs/askie/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp)
- [How to use GPP Registry to uncheck automatically detect settings? ](/archive/blogs/askie/how-to-use-gpp-registry-to-uncheck-automatically-detect-settings)
- [How to configure a proxy server URL and Port using GPP Registry?](/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry)
- [How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP)?](/archive/blogs/askie/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp)
- [How to use GPP Registry to uncheck automatically detect settings?](/archive/blogs/askie/how-to-use-gpp-registry-to-uncheck-automatically-detect-settings)
- [How to configure a proxy server URL and Port using GPP Registry?](/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry)

4
windows/deployment/do/index.yml
View File

@ -1,6 +1,6 @@
### YamlMime:Landing
title: Delivery Optimization for Windows client # < 60 chars
title: Delivery Optimization # < 60 chars
summary: Set up peer to peer downloads for Windows Updates and learn about Microsoft Connected Cache. # < 160 chars
metadata:
@ -97,4 +97,6 @@ landingContent:
url: delivery-optimization-workflow.md
- text: Using a proxy with Delivery Optimization
url: delivery-optimization-proxy.md
- text: Content endpoints for Delivery Optimization and Microsoft Connected Cache
url: delivery-optimization-endpoints.md

7
windows/deployment/do/waas-delivery-optimization-setup.md
View File

@ -27,10 +27,15 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op
You will find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**.
Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/intune/delivery-optimization-windows))
Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/intune/delivery-optimization-windows).
**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
## Allow content endpoints
When using a firewall, it is important that the content endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md).
## Recommended Delivery Optimization settings
Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md).

4
windows/deployment/update/waas-delivery-optimization-faq.md
View File

@ -37,7 +37,7 @@ For Delivery Optimization to successfully use the proxy, you should set up the p
## What hostnames should I allow through my firewall to support Delivery Optimization?
**For communication between clients and the Delivery Optimization cloud service**:
**For communication between clients and the Delivery Optimization cloud service**:
- `*.do.dsp.mp.microsoft.com`
@ -55,6 +55,8 @@ For Delivery Optimization to successfully use the proxy, you should set up the p
- `win1910.ipv6.microsoft.com`
For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed.
## Does Delivery Optimization use multicast?
No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.

4
windows/security/breadcrumb/toc.yml
View File

@ -8,5 +8,5 @@ items:
topicHref: /windows/resources/
items:
- name: Security
tocHref: /windows/security/
topicHref: /windows/security/
tocHref: /windows-server/security/credentials-protection-and-management/
topicHref: /windows/security/

2
windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
View File

@ -67,6 +67,8 @@ The following video provides an overview of Windows Sandbox.
4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
> [!NOTE]
> Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a right-handed mouse, you should apply these settings in Windows Sandbox manually.
## Usage
1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window.