deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-27 20:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #2880 from MicrosoftDocs/master

Browse Source 
Publish 3:30 PM 05/26/2020
This commit is contained in:
Gary Moore 2020-05-26 16:37:27 -07:00 committed by GitHub
commit 1634028234
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 334 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
windows/deployment/update/define-update-strategy.md Normal file
View File

@ -0,0 +1,59 @@
---
title: Define update strategy
ms.reviewer:
manager: laurawi
description:
keywords: updates, calendar, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
---
# Define update strategy
Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices.
Today, more organizations are treating deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--withouth interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, an so you might choose to update annually. The 18/30 month lifecycle cadence lets you to allow some portion of you environment to move faster while a majority can move less quickly.
## Calendar approaches
You can use a calendar approach for either a faster 18-month or twice-per-year cadence or a 30-month or annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates.
### Annual
Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Configuration Manager and Microsoft 365 Apps release cycles:
![annual calendar](images/annual-calendar.png)
This approach provides approximately twelve months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version 20H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
This cadence might be most suitable for you if any of these conditions apply:
- You are just starting your journey with the Windows 10 servicing process. If you are unfamiliar with new processes that support Windows 10 servicing, moving from a once every 3-5 year project to a twice a year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
- You want to wait and see how successful other companies are at adopting a Windows 10 feature update.
- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the *second* half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months).
### Rapid
This calendar shows an example schedule that installs each feature update as it is released, twice per year:
![rapid calendar](images/rapid-calendar.png)
This cadence might be best for you if these conditions apply:
- You have a strong appetite for change.
- You want to continuously update supporting infrastructure and unlock new scenarios.
- Your organization has a large population of information workers that can use the latest features and functionality in Windows 10 and Office.
- You have experience with feature updates for Windows 10.

BIN
windows/deployment/update/images/DO-absolute-bandwidth.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

BIN
windows/deployment/update/images/annual-calendar.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

BIN
windows/deployment/update/images/rapid-calendar.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 114 KiB

115
windows/deployment/update/plan-define-readiness.md Normal file
View File

@ -0,0 +1,115 @@
---
title: Define readiness criteria
ms.reviewer:
manager: laurawi
description: Identify important roles and figure out how to classify apps
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
---
# Define readiness criteria
## Figure out roles and personnel
Planning and managing a deployment involves a variety of distinct activies and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
### Process manager
The process manager leads the update deployment process and has the authority to push the process forward--or halt it if necessary. They also have responsibilities in organizing these activities:
|Compatibility workstream |Deployment |Capability and modernization |
|---------|---------|---------|
|[Assigning application priority](#set-criteria-for-rating-apps) | Reviewing infrastructure requirements | Determining infrastructure changes |
|Application assessment | Validating infrastructure against requirements | Determining configuration changes |
|Device assessment | Creating infrastructure update plan | Create capability proposal |
It's the process manager's role to collect reports on remediation efforts, escalate failures, and to decide whether your environment is ready for pilot deployment and then broad deployment.
This table sketches out one view of the other roles, with their responsibilities, relevant skills, and the deployment phases where they are needed:
|Role |Responsibilities |Skills |Active phases |
|---------|---------|---------|---------|
|Process manager | Manages the process end to end; ensures inputs and outputs are captures; ensures that activities progress | IT service management | Plan, prepare, pilot deployment, broad deployment |
|Application owner | Define application test plan; assign user acceptance testers; certify the application | Knowledge of critical and important applications | Plan, prepare, pilot deployment |
|Application developer | Ensure apps are developed to stay compatible with current Windows versions | Application development; application remediation | Plan, prepare |
|End-user computing | Typically a group including infrastructure engineers or deployment engineers who ensure upgrade tools are compatible with Windows | Bare-metal deployment; infrastructure management; application delivery; update management | Plan, prepare, pilot deployment, broad deployment |
|Operations | Ensure that support is available for current Windows version. Provide post-deployment support, including user communication and rollbacks. | Platform security | Prepare, pilot deployment, broad deployment |
|Security | Review and approve the security baseline and tools | Platform security | Prepare, pilot deployment |
|Stakeholders | Represent groups affected by updates, for example, heads of finance, end-user services, or change management | Key decision maker for a business unit or department | Plan, pilot deployment, broad deployment |
## Set criteria for rating apps
Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but arent critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This will help you understand how best to deploy updates and how to resolve any issues that could arise.
In the Prepare phase, you'll apply the criteria you define now to every app in your organization.
Here's a suggested classification scheme:
|Classification |Definition|
|---------|---------|
|Critical | The most vital applications that handle core business activities and processes. If these applications were not available, the business, or a business unit, couldn't function at all. |
|Important | Applications that individual staff members need to support their productivity. Downtime here would affect individual users, but would only have a minimal impact on the business. |
|Not important | There is no impact on the business if these apps are not available for a while. |
Once you have classified your applications, you should agree what each classification means to the organization in terms of priority and severity. This will help ensure that you can triage problems with the right level of urgency. You should assign each app a time-based priority.
Here's an example priority rating system; of course the specifics could vary for your organization:
|Priority |Definition |
|---------|---------|
|1 | Any issues or risks identified must be investigated and resolved as soon as possible. |
|2 | Start investigating risks and issues within two business days and fix them *during* the current deployment cycle. |
|3 | Start investigating risks and issues within 10 business days. You dont have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. |
|4 | Start investigating risks and issues within 20 business days. You can fix them in the current or any future development cycle. |
Related to priority, but distinct, is the concept of severity. You should define a severity ranking as well, based on how you feel a problem with an app should affect the deployment cycle.
Here's an example:
|Severity |Effect |
|---------|---------|
|1 | Work stoppage or loss of revenue |
|2 | Productivity loss for a business unit |
|3 | Productivity loss for individual users |
|4 | Minimal impact on users |
## Example: a large financial corporation
Using the suggested scheme, a financial corporation might classify their apps like this:
|App |Classification |
|---------|---------|
|Credit processing app | Critical |
|Frontline customer service app | Critical |
|PDF viewer | Important |
|Image processing app | Not important |
Further, they might combine this classification with severity and priority rankings like this:
|Classification |Severity |Priority |Response |
|---------|---------|---------|---------|
|Critical | 1 or 2 | 1 or 2 | For 1, stop deployment until resolved; for 2, stop deployment for affected devices or users only. |
|Important | 3 or 4 | 3 or 4 | For 3, continue deployment, even for affected devices, as long as there is workaround guidance. |
|Not important | 4 | 4 | Continue deployment for all devices. |

76
windows/deployment/update/plan-determine-app-readiness.md Normal file
View File

@ -0,0 +1,76 @@
---
title: Determine application readiness
ms.reviewer:
manager: laurawi
description: How to test your apps to know which need attention prior to deploying an update
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
---
# Determine application readiness
Before you deploy a Windows 10 update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps]<link to plan-define-readiness> with respect to their criticality in your organization.
## Validation methods
You can choose from a variety of methods to validate apps. Exactly which ones to use will depend on the specifics of your environment.
|Validation method |Description |
|---------|---------|
|Full regression | A full quality assurance probing. Staff who know the application very well and can validate its core functionality should do this. |
|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application theyre validating. |
|Automated testing | Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically. |
|Test in pilot | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. |
|Reactive response | Applications are validated in late pilot, and no specific users are selected. These are normally applications aren't installed on many devices and arent handled by enterprise application distribution. |
Combining the various validation methods with the app classifications you've previously established might look like this:
|Validation method |Critical apps |Important apps |Not important apps |
|---------|---------|---------|---------|
|Full regression | x | | |
|Smoke testing | | x | |
|Automated testing | x | x | x |
|Test in pilot | x | x | x |
## Identify users
Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you'll have to choose which users are best suited for validation testing. Some factors to consider include:
- **Location**: If users are in different physical locations, can you support them and get validation feedback from the region they're in?
- **Application knowledge**: Do the users have appropriate knowledge of how the app is supposed to work?
- **Technical ability**: Do the users have enough technical competence to provide useful feedback from various test scenarios?
You could seek volunteers who enjoy working with new features and include them in the pilot deployment. You might want to avoid using core users like department heads or project managers. Current application owners, operations personnel, and developers can help you identify the most appropriate pilot users.
## Identify and set up devices for validation
In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection will include devices representing all of the hardware models in your environment.
There is more than one way to choose devices for app validation:
- **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles.
- **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems.
- **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices.
## Desktop Analytics
Desktop Analytics can make all of the tasks discussed in this article significantly easier:
- Creating and maintaining an application and device inventory
- Assign owners to applications for testing
- Automatically apply your app classifications (critical, important, not important)
- Automatically identify application compatibility risks and provide recommendations for reducing those risks
For more information, see [What is Desktop Analytics?](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview)

2
windows/deployment/update/waas-delivery-optimization-reference.md
View File

@ -119,7 +119,7 @@ Download mode dictates which download sources clients are allowed to use when do
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
[//]: # (Configuration Manager Boundary Group option; GroupID Source policy)
[//]: # (Configuration Manager boundary group option; GroupID Source policy)
>[!NOTE]
>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)

34
windows/deployment/update/waas-delivery-optimization-setup.md
View File

@ -35,6 +35,9 @@ Delivery Optimization offers a great many settings to fine-tune its behavior (se
>[!NOTE]
>These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set.
> [!NOTE]
> Microsoft Intune includes a profile to make it easier to set Delivery Optimization policies. For details, see [Delivery Optimization settings for Intune](https://docs.microsoft.com/mem/intune/configuration/delivery-optimization-settings).
Quick-reference table:
| Use case | Policy | Recommended value | Reason |
@ -66,6 +69,9 @@ To do this in Group Policy go to **Configuration\Policies\Administrative Templat
To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**.
> [!NOTE]
> For more about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization).
### Large number of mobile devices
@ -139,7 +145,9 @@ Using the `-Verbose` option returns additional information:
- Bytes from CDN (the number of bytes received over HTTP)
- Average number of peer connections per download 
Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status.
Starting in Windows 10, version 2004, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
Starting in Windows 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status.
Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
@ -166,6 +174,30 @@ You can now "pin" files to keep them persistent in the cache. You can only do th
#### Work with Delivery Optimization logs
**Starting in Windows 10, version 2004:**
`Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]`
With no options, this cmdlet returns these data:
- total number of files
- number of foreground files
- minimum file size for it to be cached
- number of eligible files
- number of files with peers
- number of peering files [how different from the above?]
- overall efficiency
- efficiency in the peered files
Using the `-ListConnections` option returns these detauls about peers:
- destination IP address
- peer type
- status code
- bytes sent
- bytes received
- file ID
**Starting in Windows 10, version 1803:**
`Get-DeliveryOptimizationLog [-Path <etl file path, supports wildcards>] [-Flush]`

41
windows/deployment/update/waas-delivery-optimization.md
View File

@ -32,6 +32,15 @@ Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimi
>[!NOTE]
>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
## New in Windows 10, version 2004
- Enterprise network throttling: new settings have been added in Group Policy and MDM to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface:
![absolute bandwidth settings in delivery optimization interface](images/DO-absolute-bandwidth.png)
- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#microsoft-connected-cache).
## Requirements
The following table lists the minimum Windows 10 version that supports Delivery Optimization:
@ -54,8 +63,16 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Defender definition updates | 1511 |
| Office Click-to-Run updates | 1709 |
| Win32 apps for Intune | 1709 |
| Office installations and updates | 2004 |
| Xbox game pass games | 2004 |
| MSIX apps (HTTP downloads only) | 2004 |
| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 |
> [!NOTE]
> Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910).
<!-- ### Network requirements
{can you share with me what the network requirements are?}-->
@ -124,6 +141,30 @@ For the payloads (optional):
**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
**How does Delivery Optimization handle VPNs?**
Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the {WE SHOULD NAME OR POINT TO THIS POLICY} policy.
If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN.
With split tunnelling, it's best to exclude the boundary group for the VPN devices to exclude it from using peer-to-peer. (In this case, those devices won't get the policy and will default to using LAN.) If you're using split tunnelling, you should allow direct access for these endpoints:
Delivery Optimization service endpoint:
- `https://*.prod.do.dsp.mp.microsoft.com`
Delivery Optimization metadata:
- `http://emdl.ws.microsoft.com`
- `http://*.dl.delivery.mp.microsoft.com`
Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads
- `http://*.windowsupdate.com`
- `https://*.delivery.mp.microsoft.com`
- `https://*.update.microsoft.com`
- `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
For more information about this if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
## Troubleshooting

9
windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
View File

@ -46,6 +46,15 @@ To have your company listed as a partner in the in-product partner page, you wil
3. Provide a 15-word product description.
4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed.
5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application.
6. We'd like to request that you include the User-Agent field in each API call made to Microsoft Defender ATP public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
Follow these steps:
1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP integrated product with the version of the product that includes this integration.
- ISV Nomenclature: `MdatpPartner-{CompanyName}-{TenantID}/{Version}`.
- Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`.
2. Set the User-Agent field in each HTTP request header to the name based on the above nomenclature.
For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0`
Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.