deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 05:13:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into wn-21H1

Browse Source
This commit is contained in:
greg-lindsay
2021-05-13 13:15:08 -07:00
parent 99ab71d0c5 6d0ce964cf
commit 124edc4f16
6 changed files with 159 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/application-management/manage-windows-mixed-reality.md
View File

@ -33,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD.
1. Download the FOD .cab file for [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). 1. Download the FOD .cab file for [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
> [!NOTE] > [!NOTE]
> You must download the FOD .cab file that matches your operating system version. > You must download the FOD .cab file that matches your operating system version.

62
windows/client-management/mdm/policy-csp-experience.md
View File

@ -76,6 +76,9 @@ manager: dansimp
<dd> <dd>
<a href="#experience-configurewindowsspotlightonlockscreen">Experience/ConfigureWindowsSpotlightOnLockScreen</a> <a href="#experience-configurewindowsspotlightonlockscreen">Experience/ConfigureWindowsSpotlightOnLockScreen</a>
</dd> </dd>
<dd>
<a href="#experience-configurechaticonvisibilityonthetaskbar">Experience/ConfigureChatIcon</a>
</dd>
<dd> <dd>
<a href="#experience-disablecloudoptimizedcontent">Experience/DisableCloudOptimizedContent</a> <a href="#experience-disablecloudoptimizedcontent">Experience/DisableCloudOptimizedContent</a>
</dd> </dd>
@ -1219,6 +1222,65 @@ The following list shows the supported values:
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
<!--Policy-->
<a href="" id="experience-configurechaticonvisibilityonthetaskbar"></a>**Experience/ConfigureChatIcon**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
Specifies whether to allow "Chat" on the Taskbar.
<!--/Description-->
<!--SupportedValues-->
The values for this policy are 0, 1, 2 and 3. This policy defaults to 0.
0 - Default: The Chat icon will be displayed or hidden on the taskbar based on account type. Users can show or hide it in Settings.
1 - Show: The Chat icon will be displayed on the taskbar by default. Users can show or hide it in Settings.
2 - Hide: The Chat icon will be hidden by default. Users can show or hide it in Settings.
3 - Disabled: The Chat icon will not be displayed, and users cannot show or hide it in Settings.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="experience-disablecloudoptimizedcontent"></a>**Experience/DisableCloudOptimizedContent** <a href="" id="experience-disablecloudoptimizedcontent"></a>**Experience/DisableCloudOptimizedContent**

3
windows/deployment/update/update-compliance-configuration-manual.md
View File

@ -31,9 +31,6 @@ The requirements are separated into different categories:
## Required policies ## Required policies
> [!NOTE]
> Windows 10 MDM and Group Policies are backed by registry keys. It is not recommended you set these registry keys directly for configuration as it can lead to unexpected behavior, so the exact registry key locations are not provided, though they are referenced for troubleshooting configuration issues with the [Update Compliance Configuration Script](update-compliance-configuration-script.md).
Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables: Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
- **Policy** corresponds to the location and name of the policy. - **Policy** corresponds to the location and name of the policy.

7
windows/deployment/update/update-compliance-configuration-script.md
View File

@ -18,9 +18,12 @@ ms.topic: article
# Configuring devices through the Update Compliance Configuration Script # Configuring devices through the Update Compliance Configuration Script
> [!NOTE] > [!NOTE]
> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider. > A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider. You should check devices to ensure that there aren't any policy configurations in any existing tool that conflict with how policies should be configured.
The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more. The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more.
> [!NOTE]
> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there can be issues with device enrollment.
You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.

33
windows/deployment/update/waas-delivery-optimization.md
View File

@ -132,39 +132,44 @@ For more details, check out the [Adopting Windows as a Service at Microsoft](htt
## Frequently asked questions ## Frequently asked questions
**Does Delivery Optimization work with WSUS?**: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. #### Does Delivery Optimization work with WSUS?
Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
**Which ports does Delivery Optimization use?**: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound traffic through your firewall yourself. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). #### Which ports does Delivery Optimization use?
Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device, but you might need to set this port to accept inbound traffic through your firewall yourself. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
If you set up Delivery Optimization to create peer groups that include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets), it will use Teredo. For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. If you set up Delivery Optimization to create peer groups that include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets), it will use Teredo. For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
**What are the requirements if I use a proxy?**: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](./delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update). #### What are the requirements if I use a proxy?
For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](./delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update).
**What hostnames should I allow through my firewall to support Delivery Optimization?**: #### What hostnames should I allow through my firewall to support Delivery Optimization?
For communication between clients and the Delivery Optimization cloud service: **\*.do.dsp.mp.microsoft.com**. For communication between clients and the Delivery Optimization cloud service: **\*.do.dsp.mp.microsoft.com**.
For Delivery Optimization metadata: **For Delivery Optimization metadata**:
- *.dl.delivery.mp.microsoft.com - *.dl.delivery.mp.microsoft.com
- *.emdl.ws.microsoft.com - *.emdl.ws.microsoft.com
For the payloads (optional): **For the payloads (optional)**:
- *.download.windowsupdate.com - *.download.windowsupdate.com
- *.windowsupdate.com - *.windowsupdate.com
**Does Delivery Optimization use multicast?**: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. #### Does Delivery Optimization use multicast?
No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). #### How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?
Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
**How does Delivery Optimization handle VPNs?** #### How does Delivery Optimization handle VPNs?
Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN.
@ -186,6 +191,14 @@ Windows Update and Microsoft Store backend services and Windows Update and Micro
For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
#### How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?
Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode.
> [!NOTE]
> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers.
## Troubleshooting ## Troubleshooting
This section summarizes common problems and some solutions to try. This section summarizes common problems and some solutions to try.

52
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: denisebmsft author: denisebmsft
ms.author: deniseb ms.author: deniseb
ms.date: 05/06/2021 ms.date: 05/12/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.custom: asr ms.custom: asr
@ -45,7 +45,7 @@ Depending on your organization's settings, employees can copy and paste images (
### Why don't employees see their favorites in the Application Guard Edge session? ### Why don't employees see their favorites in the Application Guard Edge session?
Depending on your organizations settings, it might be that Favorites Sync is off. To managed the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) Depending on your organizations settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard)
### Why arent employees able to see their extensions in the Application Guard Edge session? ### Why arent employees able to see their extensions in the Application Guard Edge session?
@ -57,7 +57,8 @@ Application Guard requires proxies to have a symbolic name, not just an IP addre
### Which Input Method Editors (IME) in 19H1 are not supported? ### Which Input Method Editors (IME) in 19H1 are not supported?
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard. The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
- Vietnam Telex keyboard - Vietnam Telex keyboard
- Vietnam number key-based keyboard - Vietnam number key-based keyboard
- Hindi phonetic keyboard - Hindi phonetic keyboard
@ -119,35 +120,47 @@ If hyperthreading is disabled (because of an update applied through a KB article
Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file? ### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
This is a known issue. To mitigate this you need to create two firewall rules.
For guidance on how to create a firewall rule by using group policy, see:
- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
First rule (DHCP Server): #### First rule (DHCP Server)
1. Program path: `%SystemRoot%\System32\svchost.exe` 1. Program path: `%SystemRoot%\System32\svchost.exe`
2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` 2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`
3. Protocol UDP 3. Protocol UDP
4. Port 67 4. Port 67
Second rule (DHCP Client) #### Second rule (DHCP Client)
This is the same as the first rule, but scoped to local port 68. This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:
In the Microsoft Defender Firewall user interface go through the following steps:
1. Right-click on inbound rules, and then create a new rule. 1. Right-click on inbound rules, and then create a new rule.
2. Choose **custom rule**. 2. Choose **custom rule**.
3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. 3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
4. Specify the following settings: 4. Specify the following settings:
- Protocol Type: UDP - Protocol Type: UDP
- Specific ports: 67 - Specific ports: 67
- Remote port: any - Remote port: any
6. Specify any IP addresses.
7. Allow the connection. 5. Specify any IP addresses.
8. Specify to use all profiles.
9. The new rule should show up in the user interface. Right click on the **rule** > **properties**. 6. Allow the connection.
10. In the **Programs and services** tab, under the **Services** section, select **settings**.
11. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. 7. Specify to use all profiles.
8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
9. In the **Programs and services** tab, under the **Services** section, select **settings**.
10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
### Why can I not launch Application Guard when Exploit Guard is enabled? ### Why can I not launch Application Guard when Exploit Guard is enabled?
@ -172,9 +185,10 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli
### Why doesn't the container fully load when device control policies are enabled? ### Why doesn't the container fully load when device control policies are enabled?
Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly. Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly.
Policy: Allow installation of devices that match any of the following device IDs:
Policy: Allow installation of devices that match any of these device IDs
- `SCSI\DiskMsft____Virtual_Disk____` - `SCSI\DiskMsft____Virtual_Disk____`
- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` - `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
- `VMS_VSF` - `VMS_VSF`
@ -191,8 +205,6 @@ Policy: Allow installation of devices that match any of these device IDs
Policy: Allow installation of devices using drivers that match these device setup classes Policy: Allow installation of devices using drivers that match these device setup classes
- `{71a27cdd-812a-11d0-bec7-08002be2092f}` - `{71a27cdd-812a-11d0-bec7-08002be2092f}`
## See also ## See also
[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) [Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)