deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into vp-mdm2

Browse Source
This commit is contained in:
Vinay Pamnani 2023-04-13 10:45:39 -04:00 committed by GitHub
commit 1b7932c38c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 186 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
windows/client-management/mdm/defender-csp.md
View File

@ -18,6 +18,8 @@ ms.topic: reference
<!-- Defender-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> [ControlPolicyConflict (MDMWinsOverGP)](policy-csp-controlpolicyconflict.md) is not applicable to the Defender CSP. If using MDM, remove your current Defender group policy settings to avoid conflicts with your MDM settings.
<!-- Defender-Editable-End -->
<!-- Defender-Tree-Begin -->
@ -2479,7 +2481,7 @@ Information about the current status of the threat. The following list shows the
| 7 | Removed |
| 8 | Cleaned |
| 9 | Allowed |
| 10 | No Status ( Cleared) |
| 10 | No Status (Cleared) |
<!-- Device-Detections-{ThreatId}-CurrentStatus-Description-End -->
<!-- Device-Detections-{ThreatId}-CurrentStatus-Editable-Begin -->
@ -3674,7 +3676,7 @@ OfflineScan action starts a Microsoft Defender Offline scan on the computer wher
<!-- Device-RollbackEngine-Description-Begin -->
<!-- Description-Source-DDF -->
RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command.
RollbackEngine action rolls back Microsoft Defender engine to its last known good saved version on the computer where you run the command.
<!-- Device-RollbackEngine-Description-End -->
<!-- Device-RollbackEngine-Editable-Begin -->

12
windows/client-management/mdm/policy-csp-controlpolicyconflict.md
View File

@ -44,15 +44,14 @@ If set to 1 then any MDM policy that is set that has an equivalent GP policy wil
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel.
The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md).
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
> [!NOTE]
> This policy doesn't support the Delete command and doesnt support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1.
The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy.
This ensures that:
The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that:
- GP settings that correspond to MDM applied settings aren't conflicting
- The current Policy Manager policies are refreshed from what MDM has set
@ -65,8 +64,7 @@ The [Policy DDF](configuration-service-provider-ddf.md) contains the following t
- \<MSFT:GPRegistryMappedName\>
- \<MSFT:GPDBMappedName\>
For the list MDM-GP mapping list, see [Policies in Policy CSP supported by Group Policy
](./policies-in-policy-csp-supported-by-group-policy.md).
For the list MDM-GP mapping list, see [Policies in Policy CSP supported by Group Policy](./policies-in-policy-csp-supported-by-group-policy.md).
The MDM Diagnostic report shows the applied configurations states of a device including policies, certificates, configuration sources, and resource information. The report includes a list of blocked GP settings because MDM equivalent is configured, if any. To get the diagnostic report, go to **Settings** > **Accounts** > **Access work or school** > and then click the desired work or school account. Scroll to the bottom of the page to **Advanced Diagnostic Report** and then click **Create Report**.
<!-- MDMWinsOverGP-Editable-End -->

2
windows/deployment/TOC.yml
View File

@ -212,6 +212,8 @@
items:
- name: Windows Update for Business reports workbook
href: update/wufb-reports-workbook.md
- name: Delivery Optimization data in reports
href: update/wufb-reports-do.md
- name: Software updates in the Microsoft 365 admin center
href: update/wufb-reports-admin-center.md
- name: Use Windows Update for Business reports data

2
windows/deployment/update/waas-configure-wufb.md
View File

@ -221,7 +221,7 @@ The features that are turned off by default from servicing updates will be enabl
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| GPO for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl |
| MDM for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |

166
windows/deployment/update/wufb-reports-do.md Normal file
View File

@ -0,0 +1,166 @@
---
title: Delivery Optimization data in Windows Update for Business reports
manager: aaroncz
description: Provides information about Delivery Optimization data in Windows Update for Business reports
ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 04/12/2023
ms.technology: itpro-updates
---
# Delivery Optimization data in Windows Update for Business reports
<!--7715481-->
***(Applies to: Windows 11 & Windows 10)***
[Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement.
Windows Update for Business reports provides Delivery Optimization information in the following places:
- The Windows Update for Business reports [workbook](wufb-reports-workbook.md)
- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md)
Windows Update for Business reports doesn't include Delivery Optimization data for Windows Insider devices.
## Delivery Optimization terms
Windows Update for Business reports uses the following Delivery Optimization terms:
- **Peer**: A device in the solution
- **Peering 'ON'** - Devices where DO peer-to-peer is enabled in one of the following modes:
- LAN (1)
- Group (2)
- Internet (3)
- **Peering 'OFF'**: Devices where DO peer-to-peer is disabled, set to one of the following modes:
- HTTP Only (0)
- Simple Mode (99)
- Bypass (100), deprecated in Windows 11
- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache (MCC) out of the total amount of data downloaded.
- If bandwidth savings are <= 60%, a *Warning* icon is displayed
- When bandwidth savings are <10%, an *Error* icon is displayed.
- **Configurations**: Based on the DownloadMode configuration set via MDM, Group Policy, or end-user via the user interface.
- **P2P Device Count**: The device count is determined by the number of devices configured to use peering.
- **Microsoft Connected Cache (MCC)**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md).
- **MCC Device Count**: The device count is determined by the number of devices that have received bytes from the cache server, for supported content types.
- **Total # of Devices**: The total number of devices with activity in last 28 days.
- **LAN Bytes**: Bytes delivered from LAN peers.
- **Group Bytes**: Bytes from Group peers. If a device is using Group DownloadMode, Delivery Optimization will first look for peers on the LAN and then in the Group. Therefore, if bytes are delivered from LAN peers, they'll be calculated in 'LAN Bytes'.
- **CDN Bytes**: Bytes delivered from Content Delivery Network (CDN).
- **City**: City is determined based on the location of the device where the maximum amount of data is downloaded.
- **Country**: Country is determined based on the location of the device where the maximum amount of data is downloaded.
- **ISP**: ISP is determined based on the ISP delivering the maximum bytes to the device.
## Calculations for Delivery Optimization
There are several calculated values that appear on the Delivery Optimization report. Listed below each calculation is the table that's used for it:
**Efficiency (%) Calculations**:
- Bandwidth Savings (BW SAV%) = 100 * (BytesFromPeers + BytesFromGroupPeers + BytesFromCache) /
(BytesFromPeers + BytesFromGroupPeers+BytesFromCDN + BytesFromCache)
- [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table
- % P2P Efficiency = 100 * (BytesFromPeers + BytesFromGroupPeers) / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- % MCC Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
**Bytes Calculations**:
- TotalBytes = BytesFromCDN + BytesFromEnterpriseCache + BytesFromPeers + BytesFromGroupPeers
- [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table
- BytesFromCDN = BytesFromCDN
- [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table
- BytesFromPeers = BytesFromLAN
- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table
- BytesFromGroupPeers = BytesFromGroupPeers
- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table
- BytesFromCache = BytesFromCache
- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table
**Volume Calculations**:
- Volume by P2P = BytesFromPeers + BytesFromGroupPeers
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- Volume by MCC = BytesFromCache
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- Volume by CDN = BytesFrom CDN
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
## Mapping GroupID
In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of decoded to encoded GroupIDs using the following PowerShell example:
```powershell
$text = "<myEncodedGroupID>" ;
$hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64"
```
In addition, you can see both the encoded and decoded GroupIDs in the Delivery Optimization logs.
```powershell
Get-DeliveryOptimizationLog -Flush | Set-Content C:\dosvc.log
```
The below two lines are together in verbose logs:
```text
2023-02-15T12:33:11.3811337Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Using groupID = **<myEncodedGroupId>**
2023-02-15T12:33:11.3811432Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Hashed groupID = **<myDecodedGroupId>**
```
## Sample queries
You can use the data in [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md)
and [UCDOStatus](wufb-reports-schema-ucdostatus.md) to create your own queries. Create your custom queries using [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/), but note that Windows Update for Business reports uses Azure Monitor, so some operators aren't supported. The KQL documentation specifies which operators aren't supported by Azure Monitor or if they have different functionality. For more information about KQL in Azure Monitor, see [Log queries in Azure Monitor](/azure/azure-monitor/logs/log-query-overview). The following queries are examples of how you can use the data:
### Example UCDOAggregatedStatus table query
The following query is used to display the total bandwidth savings % value:
```kusto
UCDOAggregatedStatus| where TimeGenerated == _SnapshotTime
| extend LocalSourceBytes = BytesFromCache + BytesFromGroupPeers + BytesFromPeers
| summarize LocalSources_BWSAV = round((sum(0.0 + LocalSourceBytes)/ sum(LocalSourceBytes+BytesFromCDN)) * 100.0 ,2)
| extend Title = "BW SAV%" , SubTitle = "Local Sources"
```
### Example UCDOStatus table query
The following query is used to display the Top 10 GroupIDs:
```kusto
UCDOStatus | where TimeGenerated == _SnapshotTime
| summarize sum(BytesFromCDN) , sum(BytesFromGroupPeers) , sum(BytesFromPeers) , sum(BytesFromCache) ,
DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount desc
| extend TotalBytes = (sum_BytesFromPeers + sum_BytesFromGroupPeers+sum_BytesFromCDN+sum_BytesFromCache)
| extend P2PPercentage = ((0.0 + sum_BytesFromPeers + sum_BytesFromGroupPeers)/TotalBytes ) * 100.0
| extend MCCPercentage = ((0.0 + sum_BytesFromCache)/ TotalBytes) * 100.0 ,
VolumeBytesFromPeers = sum_BytesFromPeers + sum_BytesFromGroupPeers
| extend VolumeBytesFromMCC = sum_BytesFromCache , VolumeByCDN = sum_BytesFromCDN
| project GroupID , P2PPercentage , MCCPercentage , VolumeBytesFromPeers , VolumeBytesFromMCC ,VolumeByCDN , DeviceCount
```
## Frequency Asked Questions
- **What time period does the Delivery Optimization data include?**
Data is generated/aggregated for the last 28 days for active devices.
- **Data is showing as 'Unknown', what does that mean?**
You may see data in the report listed as 'Unknown'. This status indicates that the Delivery Optimization DownloadMode setting is either invalid or empty.
- **How are the 'Top 10' groups identified?**
The top groups are represented by the number of devices in a particular group, for any of the four group types (GroupID, City, Country, and ISP).
- **The GroupIDs don't look familiar, why are they different?**
The GroupID values are encoded for data protection telemetry requirements. You can find more information in the 'Mapping GroupIDs' section above.
- **How can I see data for device in the office vs. out of the office?**
Today, we don't have a distinction for data that was downloaded by location.
- **What does the data in UCDOStatus table represent?**
A row in UCDOStatus represents data downloaded by a combination of a single device ID (AzureADDeviceId) by content type (ContentType).
- **What does the data in UCDOAggregatedStatus table represent?**
A row in UCDOAggregatedStatus represents data summarized at the tenant level (AzureADTenantID) for each content type (ContentType).

4
windows/deployment/update/wufb-reports-workbook.md
View File

@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 11/15/2022
ms.date: 04/12/2023
ms.technology: itpro-updates
---
@ -173,7 +173,7 @@ The **Device status** group for driver updates contains the following items:
## <a name="bkmk_do"></a> Delivery Optimization
The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information.
The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information. For more information, see [Delivery Optimization data in Windows Update for Business reports](/windows/deployment/update/waas-delivery-optimization).
At the top of the report, tiles display the following information:

6
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
View File

@ -53,9 +53,11 @@ However, if an update has already started for a particular deployment ring, Wind
#### Scheduled install
> [!NOTE]
> This feature isn't suitable for business critical workloads because Windows Autopatch cannot guarantee that devices will always update and restart in the specified time.<p>If you select the Schedule install cadence type, the devices in that ring wont be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).</p>
>If you select the Schedule install cadence type, the devices in that ring wont be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. The **Scheduled install** cadence type will prevent forced restarts and interruptions to critical business activities for end users, thereby minimizing disruptions. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. The expectation is that devices would only update and restart according to the time specified.
While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. The **Scheduled install** cadence type will minimize disruptions by preventing forced restarts and interruptions to critical business activities for end users. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. Devices will only update and restart according to the time specified.
If other applications force a device to restart outside of the specified time and a Windows Update is pending a restart, the Windows Update will complete its installation at this time. For this reason, ensure that you consider your update and restart scenarios for devices running business critical activities, or restart sensitive workloads before using the Scheduled Install option.
> [!NOTE]
> The compliance deadline and grace period for Windows quality updates won't be configured for the Scheduled Install cadence type.

2
windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
View File

@ -44,7 +44,7 @@ It's advisable to set **Account lockout duration** to approximately 15 minutes.
### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**
### Default values

2
windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
View File

@ -75,6 +75,6 @@ There are several ways to get and use security baselines:
## See also
- [Microsoft Security Guidance Blog](/archive/blogs/secguide/)
- [Microsoft Security Baselines Blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines)
- [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319)
- [Security Baseline Policy Analyzer](https://learn-video.azurefd.net/vod/player?show=defrag-tools&ep=174-security-baseline-policy-analyzer-lgpo)