diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 863e6b22b7..83cbd07323 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1353,7 +1353,7 @@ }, { "source_path": "windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md", -"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-siem", "redirect_document_id": false }, { @@ -14652,9 +14652,9 @@ "redirect_document_id": true }, { -"source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md", -"redirect_url": "https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903", -"redirect_document_id": true + "source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md", + "redirect_url": "https://docs.microsoft.com/windows/privacy/required-windows-diagnostic-events-and-fields-2005", + "redirect_document_id": true }, { "source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md", diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 3dcabcaee0..cb44c5b311 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -18,7 +18,7 @@ ## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md) ## [HoloLens (1st Gen) release notes](hololens1-release-notes.md) -# Deploy HoloLens and mixed-reality apps in commercial environments +# Deploy HoloLens and mixed reality apps in commercial environments ## [Commercial features](hololens-commercial-features.md) ## [Deploy HoloLens in a commercial environment](hololens-requirements.md) ## [Determine what licenses you need](hololens-licenses-requirements.md) @@ -29,13 +29,13 @@ ## [Manage HoloLens updates](hololens-updates.md) ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) -# Navigating Windows Holographic -## [Start menu and mixed reality home](holographic-home.md) -## [Use your voice with HoloLens](hololens-cortana.md) +# Navigate the Windows Holographic environment +## [Use the Start menu and mixed reality home](holographic-home.md) +## [Use your voice to operate HoloLens](hololens-cortana.md) ## [Find, open, and save files](holographic-data.md) ## [Create mixed reality photos and videos](holographic-photos-and-videos.md) -# User management and access management +# Manage users and access ## [Manage user identity and sign-in for HoloLens](hololens-identity.md) ## [Share your HoloLens with multiple people](hololens-multiple-users.md) ## [Set up HoloLens as a kiosk](hololens-kiosk.md) diff --git a/devices/hololens/holographic-home.md b/devices/hololens/holographic-home.md index 9b554c0638..8cbbe10268 100644 --- a/devices/hololens/holographic-home.md +++ b/devices/hololens/holographic-home.md @@ -1,5 +1,5 @@ --- -title: Start menu and mixed reality home +title: Use the Start menu and mixed reality home description: Navigate the mixed reality home in Windows Holographic. ms.assetid: 742bc126-7996-4f3a-abb2-cf345dff730c ms.date: 08/07/2019 @@ -15,7 +15,7 @@ appliesto: - HoloLens 2 --- -# Start menu and mixed reality home +# Use the Start menu and mixed reality home Just like the Windows PC experience starts with the desktop, Windows Holographic starts with mixed reality home. Using the Start menu you can open and place app windows, immersive app launchers, and 3D content in mixed reality home, and their placement in your physical space will be remembered. diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 89a01c0628..ec869cc67d 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -1,5 +1,5 @@ --- -title: Use your voice with HoloLens +title: Use your voice to operate HoloLens description: Cortana can help you do all kinds of things on your HoloLens ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed ms.date: 03/10/2020 @@ -17,7 +17,7 @@ appliesto: - HoloLens 2 --- -# Use your voice with HoloLens +# Use your voice to operate HoloLens You can use your voice to do almost anything on HoloLens, such as taking a quick photo or opening an app. Many voice commands are built into HoloLens, while others are available through Cortana. @@ -34,14 +34,14 @@ Get around HoloLens faster with these basic commands. In order to use these, you ### General speech commands -Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying “select.” +Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying "select." > [!NOTE] > Hand rays are not supported on HoloLens (1st Gen). | Say this | To do this | | - | - | -| "Select" | Say "select" to bring up the gaze cursor. Then, turn your head to position the cursor on the thing you want to select, and say “select” again. | +| "Select" | Say "select" to bring up the gaze cursor. Then, turn your head to position the cursor on the thing you want to select, and say "select" again. | |Open the Start menu | "Go to Start" | |Close the Start menu | "Close" | |Leave an immersive app | Say "Go to Start" to bring up the quick actions menu, then say "Mixed reality home." | diff --git a/devices/hololens/hololens2-autopilot.md b/devices/hololens/hololens2-autopilot.md index 02c0a61b10..39e0029ff0 100644 --- a/devices/hololens/hololens2-autopilot.md +++ b/devices/hololens/hololens2-autopilot.md @@ -185,24 +185,7 @@ The Enrollment Status Page (ESP) displays the status of the complete device conf ![ESP configuration](./images/hololens-ap-profile-settings.png) -### 8. Configure a custom configuration profile for HoloLens devices (known issue) - -1. In [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com), select **Devices** > **Configuration profiles** > **Create profile**. -1. For **Platform**, specify **Windows 10 and later**, and for **Profile**, select **Custom**. -1. Select **Create**. -1. Enter a name for the profile, and then select **Settings** > **Configure**. - - ![Settings for the custom configuration profile.](./images/hololens-ap-profile-settings-oma.png) -1. Select **Add**, and then specify the following information: - - - **Name**: SidecarPath - - **OMA-URI**: ./images/Device/Vendor/MSFT/EnrollmentStatusTracking/DevicePreparation/PolicyProviders/Sidecar/InstallationState - - **Data type**: Integer - - **Value**: 2 -1. Select **OK** two times, and then select **Create** to create the profile. -1. After Intune creates the configuration profile, assign the configuration profile to the device group for the HoloLens devices. - -### 9. Verify the profile status of the HoloLens devices +### 8. Verify the profile status of the HoloLens devices 1. In Microsoft Endpoint Manager Admin Center, select **Devices** > **Windows** > **Windows enrollment** > **Devices**. 1. Verify that the HoloLens devices are listed, and that their profile status is **Assigned**. @@ -234,7 +217,7 @@ At the end of OOBE, you can sign in to the device by using your user name and pa ## Known Issues -- The list of supported languages for Autopilot deployment profiles includes languages that HoloLens does not support. Select a language that [HoloLens supports](hololens2-language-support.md). +- You cannot install applications that use the device security context. ## Feedback diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 47862d7138..91a487f9a0 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -53,7 +53,7 @@ appliesto: | [HoloLens user management](hololens-multiple-users.md) | Multiple users can share a HoloLens device by using their Azure Active Directory accounts. | | [HoloLens application access management](hololens-kiosk.md) | Manage application access for different user groups. | | [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. | -| [Contact Support](https://support.microsoft.com/supportforbusiness/productselection) | Create a new support request for the business support team. | +| [Contact Support](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f) | Create a new support request for the business support team. | | [More support options](https://support.microsoft.com/products/hololens) | Connect with Microsoft support resources for HoloLens in the enterprise. | ## Related resources diff --git a/devices/surface-hub/surface-hub-2s-account.md b/devices/surface-hub/surface-hub-2s-account.md index fb93b0e7d9..27c7053045 100644 --- a/devices/surface-hub/surface-hub-2s-account.md +++ b/devices/surface-hub/surface-hub-2s-account.md @@ -1,6 +1,6 @@ --- -title: "Create Surface Hub 2S device account" -description: "This page describes the procedure for creating the Surface Hub 2S device account." +title: Create Surface Hub 2S device account +description: This page describes the procedure for creating the Surface Hub 2S device account. keywords: separate values with commas ms.prod: surface-hub ms.sitesec: library @@ -15,15 +15,18 @@ ms.localizationpriority: Medium # Create Surface Hub 2S device account -Creating a Surface Hub device account (also known as a Room mailbox) allows Surface Hub 2S to receive, approve, or decline meeting requests and join meetings using Microsoft Teams or Skype for Business. Configure the device account during OOBE setup. If needed you can change it later (without going through OOBE setup). +Creating a Surface Hub device account (also known as a Room mailbox) allows Surface Hub 2S to receive, approve, or decline meeting requests and join meetings using either Microsoft Teams or Skype for Business. Configure the device account during Out-of-Box Experience (OOBE) setup. If needed, you can change it later (without going through OOBE setup). Unlike standard Room mailboxes that remain disabled by default, you need to enable the Surface Hub 2S device account to sign on to Microsoft Teams and Skype for Business. Surface Hub 2S relies on Exchange ActiveSync, which requires an ActiveSync mailbox policy on the device account. Apply the default ActiveSync mailbox policy that comes with Exchange Online. -Create the account using the Microsoft 365 admin center or by using PowerShell. You can use Exchange Online PowerShell to configure specific features including: +Create the account by using the Microsoft 365 admin center or by using PowerShell. You can use Exchange Online PowerShell to configure specific features including: - Calendar processing for every Surface Hub device account. - Custom auto replies to scheduling requests. -- If the default ActiveSync mailbox policy has already been modified by someone else or another process, you will likely have to create and assign a new ActiveSync mailbox policy +- If the default ActiveSync mailbox policy has already been modified by someone else or by another process, you will likely have to create and assign a new ActiveSync mailbox policy. + +> [!NOTE] +> The Surface Hub device account doesn’t support third-party Federated Identity Providers (FIPs) and must be a standard Active Directory or Azure Active Directory account. ## Create account using Microsoft 365 admin center @@ -31,17 +34,17 @@ Create the account using the Microsoft 365 admin center or by using PowerShell. 2. Provide a name and email address for the device account. Leave remaining settings unchanged in the default state. -![Provide a name and email address](images/sh2-account2.png) + ![Provide a name and email address](images/sh2-account2.png) -![Leave remaining settings unchanged in the default state](images/sh2-account3.png) + ![Leave remaining settings unchanged in the default state](images/sh2-account3.png) 3. Set the password for the device account. To set the password, choose **Users** and then select **Active Users**. Now search for the newly created user to set the password. Ensure that you **do not** select the option **Make this user change their password when they first sign in.** -![Set the password for the device account](images/sh2-account4.png) + ![Set the password for the device account](images/sh2-account4.png) 4. Assign the room with an Office 365 license. It’s recommended to assign the Office 365 **Meeting Room** license, a new option that automatically enables the account for Skype for Business Online and Microsoft Teams. -![Assign Office 365 license](images/sh2-account5.png) + ![Assign Office 365 license](images/sh2-account5.png) ### Finalize setup via PowerShell @@ -50,6 +53,7 @@ Create the account using the Microsoft 365 admin center or by using PowerShell. - **Microsoft Teams and Skype for Business Calendar:** Set [**Calendar Auto processing**](https://docs.microsoft.com/surface-hub/surface-hub-2s-account?source=docs#set-calendar-auto-processing) for this account. ## Create account using PowerShell + Instead of using the Microsoft Admin Center portal, you can create the account using PowerShell. ### Connect to Exchange Online PowerShell @@ -59,13 +63,13 @@ $365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ImportResults = Import-PSSession $365Session ``` -### Create a new Room Mailbox +### Create a new Room mailbox ```powershell New-Mailbox -MicrosoftOnlineServicesID account@YourDomain.com -Alias SurfaceHub2S -Name SurfaceHub2S -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String "" -AsPlainText -Force) ``` -### Set Calendar Auto processing +### Set Calendar auto-processing ```powershell Set-CalendarProcessing -Identity "account@YourDomain.com" -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This room is equipped with a Surface Hub" @@ -81,7 +85,7 @@ Set-MsolUserLicense -UserPrincipalName "account@YourDomain.com" -AddLicenses "co ## Connect to Skype for Business Online using PowerShell -### Install prerequisites +### Install pre-requisites - [Visual C++ 2017 Redistributable](https://aka.ms/vs/15/release/vc_redist.x64.exe) - [Skype for Business Online PowerShell Module](https://www.microsoft.com/download/confirmation.aspx?id=39366) diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 4599e50712..d44626e6a8 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -9,11 +9,11 @@ ms.sitesec: library author: coveminer ms.author: greglin ms.topic: article -ms.reviewer: scottmca +ms.reviewer: hachidan manager: laurawi ms.localizationpriority: medium audience: itpro -ms.date: 05/11/2020 +ms.date: 05/26/2020 --- # Microsoft Surface Enterprise Management Mode @@ -228,14 +228,27 @@ create a reset package using PowerShell to reset SEMM. ## Version History -The latest version of SEMM released May 11, 2020 includes: +### Version 2.71.139.0 + +This version of SEMM adds support for Surface Dock 2 management features for Surface Book 3, Surface Laptop 3, and Surface Pro 7 including: + +- Enabling audio (locking/unlocking), Ethernet and USB ports +- Ability to create dock packages for both authenticated and unauthenticated hosts + +### Version 2.70.130.0 + +This version of SEMM includes: + - Support for Surface Go 2 - Support for Surface Book 3 - Bug fixes -### Version 2.59. -* Support to Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported. -- Support to Wake on Power feature + +### Version 2.59.139.0 + +* Support for Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported. + +- Support for Wake on Power feature ### Version 2.54.139.0 * Support to Surface Hub 2S diff --git a/mdop/mbam-v1/evaluating-mbam-10.md b/mdop/mbam-v1/evaluating-mbam-10.md index c7a6729376..f4c72234bf 100644 --- a/mdop/mbam-v1/evaluating-mbam-10.md +++ b/mdop/mbam-v1/evaluating-mbam-10.md @@ -55,21 +55,21 @@ Even when you set up a non-production instance of MBAM to evaluate in a lab envi

Prepare your computing environment for the MBAM installation. To do so, you must enable the Transparent Data Encryption (TDE) on the SQL Server instances that will host MBAM databases. To enable TDE in your lab environment, you can create a .sql file to run against the master database that is hosted on the instance of the SQL Server that MBAM will use.

-Note

You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup</em>. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.

+Note

You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.

USE master;
 GO
-CREATE MASTER KEY ENCRYPTION BY PASSWORD = &amp;#39;P@55w0rd';
+CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@55w0rd';
 GO
 CREATE CERTIFICATE tdeCert WITH SUBJECT = 'TDE Certificate';
 GO
 BACKUP CERTIFICATE tdeCert TO FILE = 'C:\Backup\TDECertificate.cer'
    WITH PRIVATE KEY (
          FILE = 'C:\Backup\TDECertificateKey.pvk',
-         ENCRYPTION BY PASSWORD = &amp;#39;P@55w0rd');
+         ENCRYPTION BY PASSWORD = 'P@55w0rd');
 GO

MBAM 1.0 Deployment Prerequisites

Database Encryption in SQL Server 2008 Enterprise Edition

diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index d3fa4df77e..4b686d7c13 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -17,11 +17,6 @@ ms.localizationpriority: medium > [!NOTE] > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). -
- -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). - ## Browser policies @@ -4310,4 +4305,3 @@ Footnotes: - 6 - Added in Windows 10, version 1903. - diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index 61fdb9257a..d915ec9aee 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -33,7 +33,7 @@ There are a few things to be aware of before you start using Cortana in Windows - **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](https://go.microsoft.com/fwlink/p/?LinkId=620763). -### Turn on Cortana enterprise services on employees devices +### Turn on Cortana enterprise services on employees' devices Your employees must connect Cortana to their Microsoft 365 account to be able to use skills like email and calendar. #### Turn on Cortana enterprise services @@ -51,6 +51,6 @@ Cortana in Windows 10, versions 1909 and earlier can only access data in your Mi 2. Select the app launcher icon in the upper-left and choose **Admin**. -3. Expand **Settings** and select **Settings**. +3. Expand **Settings** and select **Org Settings**. 4. Select **Cortana** to toggle Cortana's access to Microsoft 365 data off. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 9bdf2f0ae6..d5acf05280 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -34,7 +34,7 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the |**Software** |**Minimum version** | |---------|---------| -|Client operating system | Desktop:
- Windows 10, version 2004 (recommended)

- Windows 10, version 1703 (legacy version of Cortana)

Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)

For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see **How is my data processed by Cortana** below. | +|Client operating system | Desktop:
- Windows 10, version 2004 (recommended)

- Windows 10, version 1703 (legacy version of Cortana)

Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)

For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](https://docs.microsoft.com/en-us/windows/configuration/cortana-at-work/cortana-at-work-overview#how-is-my-data-processed-by-cortana) below. | |Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn’t required. | |Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word (“Cortana”) for hands-free activation or voice commands to easily ask for help. | @@ -65,6 +65,9 @@ The table below describes the data handling for Cortana enterprise services. #### How does the wake word (Cortana) work? If I enable it, is Cortana always listening? +>[!NOTE] +>The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon. You can still click on the microphone button to use your voice with Cortana. + Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected. First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](https://docs.microsoft.com/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard. @@ -85,4 +88,4 @@ Cortana is covered under the [Microsoft Privacy Statement](https://privacy.micro ## See also -- [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818) +- [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818) \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index ae1cc6a4a5..de5e546244 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md @@ -14,6 +14,9 @@ manager: dansimp # Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query +>[!NOTE] +>The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon. + 1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account. 2. Select the "…" menu and select **Talking to Cortana**. diff --git a/windows/configuration/images/Shared_PC_1.png b/windows/configuration/images/Shared_PC_1.png new file mode 100644 index 0000000000..bf145f6c19 Binary files /dev/null and b/windows/configuration/images/Shared_PC_1.png differ diff --git a/windows/configuration/images/Shared_PC_2.png b/windows/configuration/images/Shared_PC_2.png new file mode 100644 index 0000000000..c9d2362634 Binary files /dev/null and b/windows/configuration/images/Shared_PC_2.png differ diff --git a/windows/configuration/images/Shared_PC_3.png b/windows/configuration/images/Shared_PC_3.png new file mode 100644 index 0000000000..83b3a66fc8 Binary files /dev/null and b/windows/configuration/images/Shared_PC_3.png differ diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 95cf9806b1..289a37a0b6 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -58,7 +58,7 @@ Apps can take advantage of shared PC mode with the following three APIs: ### Customization -Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table. +Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring Shared PC mode for Windows](#configuring-shared-pc-mode-for-windows). The options are listed in the following table. | Setting | Value | |:---|:---| @@ -80,16 +80,33 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re | Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | [Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. +## Configuring Shared PC mode for Windows -## Configuring shared PC mode on Windows You can configure Windows to be in shared PC mode in a couple different ways: -- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) -![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png) +- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps: -- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in Windows Configuration Designer as **SharedPC**. + 1. Go to the [Microsoft Endpoint Manager portal](https://endpoint.microsoft.com/#home). + 2. Select **Devices** from the navigation. + 3. Under **Policy**, select **Configuration profiles**. + 4. Select **Create profile**. + 5. From the **Platform** menu, select **Windows 10 and later**. + 6. From the **Profile** menu, select **Shared multi-user device**. -![Shared PC settings in ICD](images/icd-adv-shared-pc.png) + ![custom OMA-URI policy in Intune](images/Shared_PC_1.png) + + 7. Select **Create**. + 8. Enter a name for the policy (e.g. My Win10 Shared devices policy). You can optionally add a description should you wish to do so. + 9. Select **Next**. + 10. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**. + + ![Shared PC settings in ICD](images/Shared_PC_3.png) + + 11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**. + +- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**. + + ![Shared PC settings in ICD](images/icd-adv-shared-pc.PNG) - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index d4e56af1b7..d67f31c871 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -268,7 +268,7 @@ #### [Conclusion](update/feature-update-conclusion.md) ### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) ### Use Windows Update for Business -#### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) +#### [What is Windows Update for Business?](update/waas-manage-updates-wufb.md) #### [Configure Windows Update for Business](update/waas-configure-wufb.md) #### [Enforcing compliance deadlines for updates](update/wufb-compliancedeadlines.md) #### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 4e60ac99b8..c0a9cf3d49 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -50,8 +50,8 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic ## Windows 10 servicing and support - [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon! -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. -- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. - **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index c6400f67e9..4872285d93 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -88,7 +88,6 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. - Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services > [!NOTE] > If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md new file mode 100644 index 0000000000..da1db27ff2 --- /dev/null +++ b/windows/deployment/update/create-deployment-plan.md @@ -0,0 +1,140 @@ +--- +title: Create a deployment plan +description: Devise the number of deployment rings you need and how you want to populate them +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Create a deployment plan + +A service management mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once this process is used for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity. + +When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices, and we’ve found that ring-based deployment is a methodology that works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades--they are simply a method by which to separate devices into a deployment timeline. + +At the highest level, each “ring” comprise a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur. + +A common ring structure comprises three deployment groups: + +- Preview: Planning and development +- Limited: Pilot and validation +- Broad: Wide deployment + +> [!NOTE] +> Organizations often use different names for their “rings," for example: +> - First > Fast > Broad +> - Canaries > Early Adopters > Users +> - Preview > Broad > Critical + + +## How many rings should I have? + +There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large +organization, you might want to consider assigning devices to rings based on geographic location or the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization. + +## Advancing between rings + +There are basically two strategies for moving deployments from one ring to the next. One is service based, the other project based. + +- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the “red button” to stop further distribution. +- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the “green button” to push the content to the next ring. + +When it comes to deployments, having manual steps in the process usually impedes update velocity, so a "red button" strategy is better when that is your goal. + +## Preview ring + +The purpose of the Preview ring is to evaluate the new features of the update. This is specifically *not* for broad parts of the organization but is limited to the people who are responsible for knowing what is coming next, +generally IT administrators. Ultimately, this is the time the design and planning work happens so that when the public update is actually shipped, you can have greater confidence in the update. + +> [!NOTE] +> Being part of the [Windows Insider Program](https://insider.windows.com/for-business/) gives you early access to Windows releases so that you can use Insider Preview builds in your Preview ring to validate your apps and infrastructure, preparing you for public Windows releases. + + +### Who goes in the Preview ring? + +The Preview ring users are the most tech savvy and resilient people, who will not lose productivity if something goes wrong. In general, these are IT pros, and perhaps a few people in the business organization. + +During your plan and prepare phases, these are the activities you should focus on: + +- Work with Windows Insider Preview builds. +- Identify the features and functionality your organization can or wants to use. +- Establish who will use the features and how they will benefit. +- Understand why you are putting the update out. +- Plan for usage feedback. + +Remember, you are working with pre-release software in the Preview ring and you will be evaluating features and testing the update for a targeted release. + +> [!IMPORTANT] +> If you are using Windows Insider (pre-release) releases for your preview ring and you are using WSUS or Windows Update for Business, be sure to set the following policies to allow for Preview builds: +> - **Manage Preview Builds: 2 - Enable preview builds** +> • Under **Branch Readiness Level**, select **When Preview Builds and Feature Updates are Received: 4--Windows Insider Program Slow** + +## Limited ring + +The purpose of the Limited ring is to validate the update on representative devices across the network. During this period, data, and feedback is generated to enable the decision to move forward to broader deployment. Desktop +Analytics can help with defining a good Limited ring of representative devices and assist in monitoring the deployment. + +### Who goes in the Limited ring? + +The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented, and it's important that the people selected for this ring are using their devices regularly in order to generate the data you will need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network. + + +During your pilot and validate phases, these are the activities you should focus on: + +- Deploy new innovations. +- Assess and act if issues are encountered. +- Move forward unless blocked. + +When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring, because your Limited ring represents your organization across the board, and when you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly. + +## Broad deployment + +Once the devices in the Limited ring have had a sufficient stabilization period, it’s time for broad deployment across the network. + +### Who goes in the Broad deployment ring? + +In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision) broad deployment can occur relatively quickly. + +> [!NOTE] +> In some instances, you might hold back on mission critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows 10 feature +> updates to mission critical devices. + +During the broad deployment phase, these are the activities you should focus on: + +- Deploy to all devices in the organization. +- Work through any final unusual issues that were not detected in your Limited ring. + + +## Ring deployment planning + +Previously, we have provided methods for analyzing your deployments, but these have generally been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics. + + +[Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to +make informed decisions about the readiness of your Windows devices. + +In Windows 10 deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest +feature update and create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions. + +> [!IMPORTANT] +> Desktop Analytics does not support preview (Windows Insider) builds; use Configuration Manager to deploy to your Preview ring. As noted previously, the Preview ring is a small group of devices represents your ecosystem very well in terms of app, driver, and hardware diversity. + +### Deployment plan options + +There are two ways to implement a ring deployment plan, depending on how you manage your devices: + +- If you are using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/about-deployment-plans). +- If you are using Microsoft Intune, see [Create deployment plans directly in Intune](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide). + +For more about Desktop Analytics, see these articles: + +- [How to set up Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/set-up) +- [Tutorial: Deploy Windows 10 to Pilot](https://docs.microsoft.com/mem/configmgr/desktop-analytics/tutorial-windows10) +- [Desktop Analytics documentation](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) +- [Intune deployment planning, design, and implementation guide](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide) + diff --git a/windows/deployment/update/define-update-strategy.md b/windows/deployment/update/define-update-strategy.md new file mode 100644 index 0000000000..d8fd47ee87 --- /dev/null +++ b/windows/deployment/update/define-update-strategy.md @@ -0,0 +1,59 @@ +--- +title: Define update strategy +ms.reviewer: +manager: laurawi +description: +keywords: updates, calendar, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Define update strategy + +Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices. + +Today, more organizations are treating deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--withouth interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. + +Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, an so you might choose to update annually. The 18/30 month lifecycle cadence lets you to allow some portion of you environment to move faster while a majority can move less quickly. + + + +## Calendar approaches + +You can use a calendar approach for either a faster 18-month or twice-per-year cadence or a 30-month or annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. + + +### Annual + +Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Configuration Manager and Microsoft 365 Apps release cycles: + +![annual calendar](images/annual-calendar.png) + +This approach provides approximately twelve months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version 20H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates. + +This cadence might be most suitable for you if any of these conditions apply: + +- You are just starting your journey with the Windows 10 servicing process. If you are unfamiliar with new processes that support Windows 10 servicing, moving from a once every 3-5 year project to a twice a year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost. +- You want to wait and see how successful other companies are at adopting a Windows 10 feature update. +- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the *second* half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months). + + +### Rapid + +This calendar shows an example schedule that installs each feature update as it is released, twice per year: + +![rapid calendar](images/rapid-calendar.png) + +This cadence might be best for you if these conditions apply: + +- You have a strong appetite for change. +- You want to continuously update supporting infrastructure and unlock new scenarios. +- Your organization has a large population of information workers that can use the latest features and functionality in Windows 10 and Office. +- You have experience with feature updates for Windows 10. \ No newline at end of file diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md new file mode 100644 index 0000000000..5c33dd1377 --- /dev/null +++ b/windows/deployment/update/eval-infra-tools.md @@ -0,0 +1,71 @@ +--- +title: Evaluate infrastructure and tools +ms.reviewer: +manager: laurawi +description: +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Evaluate infrastructure and tools + +Before you deploy an update, it's best to assess your deployment infrastucture (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness. + +## Infrastructure + +Do your deployment tools need updates? + +- If you use Configuration Manager, is it on the Current Branch with the latest release installed. This ensures that it supports the next Windows 10 feature update. Configuration Manager releases are supported for 18 months. +- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated. +- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows 10 feature update. + +Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so. + +## Device settings + +Make sure your security basline, administrative templates, and policies have the right settings to support your devices once the new Windows 10 update is installed. + +### Security baseline + +Keep security baslines current to help ensure that your environment is secure and that new security feature in the coming Windows 10 update are set properly. + +- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them. +- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows 10 you are about to deploy. + +### Configuration updates + +There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately. + +- **Windows 10 Administrative templates**: Each Windows 10 feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591). +- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones. {SET COMPLIANCE and other policies} + + +## Define operational readiness criteria + +When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. To achieve this, work with your operations and support team to define acceptable trends and what documents or processes require updating: + +- **Call trend**: Define what percentage increase in calls relating to Windows 10 feature updates are acceptable or can be supported. +- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows 10 feature updates are acceptable or can be supported. +- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows 10 feature update. +- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update. + +Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get get this information so you can gain the right insight. + +## Tasks + +Finally, you can begin to carry out the work needed to ensure your infrastructure and configuration can support the update. To help you keep track, you can classify the work into the following overarching tasks: + +- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they’ve all been defined. +- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that have been identified for the update. +- **Define infrastructure update plan**: Detail how your infrastructure must change to support the update. +- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when it’s been deployed. +- **Identify gaps that require attention**: Identify issues that will need to be addressed to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure? +- **Define operational update plan**: Detail how your operational services and processes must change to support the update. diff --git a/windows/deployment/update/images/DO-absolute-bandwidth.png b/windows/deployment/update/images/DO-absolute-bandwidth.png new file mode 100644 index 0000000000..a13d5393e6 Binary files /dev/null and b/windows/deployment/update/images/DO-absolute-bandwidth.png differ diff --git a/windows/deployment/update/images/annual-calendar.png b/windows/deployment/update/images/annual-calendar.png new file mode 100644 index 0000000000..1ff15bed76 Binary files /dev/null and b/windows/deployment/update/images/annual-calendar.png differ diff --git a/windows/deployment/update/images/rapid-calendar.png b/windows/deployment/update/images/rapid-calendar.png new file mode 100644 index 0000000000..35aec71626 Binary files /dev/null and b/windows/deployment/update/images/rapid-calendar.png differ diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md new file mode 100644 index 0000000000..a2ff53df19 --- /dev/null +++ b/windows/deployment/update/plan-define-readiness.md @@ -0,0 +1,115 @@ +--- +title: Define readiness criteria +ms.reviewer: +manager: laurawi +description: Identify important roles and figure out how to classify apps +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Define readiness criteria + +## Figure out roles and personnel + +Planning and managing a deployment involves a variety of distinct activies and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment. + +### Process manager + +The process manager leads the update deployment process and has the authority to push the process forward--or halt it if necessary. They also have responsibilities in organizing these activities: + + +|Compatibility workstream |Deployment |Capability and modernization | +|---------|---------|---------| +|[Assigning application priority](#set-criteria-for-rating-apps) | Reviewing infrastructure requirements | Determining infrastructure changes | +|Application assessment | Validating infrastructure against requirements | Determining configuration changes | +|Device assessment | Creating infrastructure update plan | Create capability proposal | + +It's the process manager's role to collect reports on remediation efforts, escalate failures, and to decide whether your environment is ready for pilot deployment and then broad deployment. + + +This table sketches out one view of the other roles, with their responsibilities, relevant skills, and the deployment phases where they are needed: + + +|Role |Responsibilities |Skills |Active phases | +|---------|---------|---------|---------| +|Process manager | Manages the process end to end; ensures inputs and outputs are captures; ensures that activities progress | IT service management | Plan, prepare, pilot deployment, broad deployment | +|Application owner | Define application test plan; assign user acceptance testers; certify the application | Knowledge of critical and important applications | Plan, prepare, pilot deployment | +|Application developer | Ensure apps are developed to stay compatible with current Windows versions | Application development; application remediation | Plan, prepare | +|End-user computing | Typically a group including infrastructure engineers or deployment engineers who ensure upgrade tools are compatible with Windows | Bare-metal deployment; infrastructure management; application delivery; update management | Plan, prepare, pilot deployment, broad deployment | +|Operations | Ensure that support is available for current Windows version. Provide post-deployment support, including user communication and rollbacks. | Platform security | Prepare, pilot deployment, broad deployment | +|Security | Review and approve the security baseline and tools | Platform security | Prepare, pilot deployment | +|Stakeholders | Represent groups affected by updates, for example, heads of finance, end-user services, or change management | Key decision maker for a business unit or department | Plan, pilot deployment, broad deployment | + + + + + + +## Set criteria for rating apps + +Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren’t critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This will help you understand how best to deploy updates and how to resolve any issues that could arise. + +In the Prepare phase, you'll apply the criteria you define now to every app in your organization. + +Here's a suggested classification scheme: + + +|Classification |Definition| +|---------|---------| +|Critical | The most vital applications that handle core business activities and processes. If these applications were not available, the business, or a business unit, couldn't function at all. | +|Important | Applications that individual staff members need to support their productivity. Downtime here would affect individual users, but would only have a minimal impact on the business. | +|Not important | There is no impact on the business if these apps are not available for a while. | + +Once you have classified your applications, you should agree what each classification means to the organization in terms of priority and severity. This will help ensure that you can triage problems with the right level of urgency. You should assign each app a time-based priority. + +Here's an example priority rating system; of course the specifics could vary for your organization: + + +|Priority |Definition | +|---------|---------| +|1 | Any issues or risks identified must be investigated and resolved as soon as possible. | +|2 | Start investigating risks and issues within two business days and fix them *during* the current deployment cycle. | +|3 | Start investigating risks and issues within 10 business days. You don’t have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. | +|4 | Start investigating risks and issues within 20 business days. You can fix them in the current or any future development cycle. | + +Related to priority, but distinct, is the concept of severity. You should define a severity ranking as well, based on how you feel a problem with an app should affect the deployment cycle. + +Here's an example: + + +|Severity |Effect | +|---------|---------| +|1 | Work stoppage or loss of revenue | +|2 | Productivity loss for a business unit | +|3 | Productivity loss for individual users | +|4 | Minimal impact on users | + +## Example: a large financial corporation + +Using the suggested scheme, a financial corporation might classify their apps like this: + + +|App |Classification | +|---------|---------| +|Credit processing app | Critical | +|Frontline customer service app | Critical | +|PDF viewer | Important | +|Image processing app | Not important | + +Further, they might combine this classification with severity and priority rankings like this: + + +|Classification |Severity |Priority |Response | +|---------|---------|---------|---------| +|Critical | 1 or 2 | 1 or 2 | For 1, stop deployment until resolved; for 2, stop deployment for affected devices or users only. | +|Important | 3 or 4 | 3 or 4 | For 3, continue deployment, even for affected devices, as long as there is workaround guidance. | +|Not important | 4 | 4 | Continue deployment for all devices. | + diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md new file mode 100644 index 0000000000..29c3c93099 --- /dev/null +++ b/windows/deployment/update/plan-determine-app-readiness.md @@ -0,0 +1,76 @@ +--- +title: Determine application readiness +ms.reviewer: +manager: laurawi +description: How to test your apps to know which need attention prior to deploying an update +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Determine application readiness + +Before you deploy a Windows 10 update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps] with respect to their criticality in your organization. + +## Validation methods + +You can choose from a variety of methods to validate apps. Exactly which ones to use will depend on the specifics of your environment. + + +|Validation method |Description | +|---------|---------| +|Full regression | A full quality assurance probing. Staff who know the application very well and can validate its core functionality should do this. | +|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they’re validating. | +|Automated testing | Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically. | +|Test in pilot | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. | +|Reactive response | Applications are validated in late pilot, and no specific users are selected. These are normally applications aren't installed on many devices and aren’t handled by enterprise application distribution. | + +Combining the various validation methods with the app classifications you've previously established might look like this: + + +|Validation method |Critical apps |Important apps |Not important apps | +|---------|---------|---------|---------| +|Full regression | x | | | +|Smoke testing | | x | | +|Automated testing | x | x | x | +|Test in pilot | x | x | x | + + +## Identify users + +Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you'll have to choose which users are best suited for validation testing. Some factors to consider include: + +- **Location**: If users are in different physical locations, can you support them and get validation feedback from the region they're in? +- **Application knowledge**: Do the users have appropriate knowledge of how the app is supposed to work? +- **Technical ability**: Do the users have enough technical competence to provide useful feedback from various test scenarios? + +You could seek volunteers who enjoy working with new features and include them in the pilot deployment. You might want to avoid using core users like department heads or project managers. Current application owners, operations personnel, and developers can help you identify the most appropriate pilot users. + +## Identify and set up devices for validation + +In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection will include devices representing all of the hardware models in your environment. + +There is more than one way to choose devices for app validation: + +- **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles. +- **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems. +- **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices. + + +## Desktop Analytics + +Desktop Analytics can make all of the tasks discussed in this article significantly easier: + +- Creating and maintaining an application and device inventory +- Assign owners to applications for testing +- Automatically apply your app classifications (critical, important, not important) +- Automatically identify application compatibility risks and provide recommendations for reducing those risks + +For more information, see [What is Desktop Analytics?](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md new file mode 100644 index 0000000000..e224bce787 --- /dev/null +++ b/windows/deployment/update/update-policies.md @@ -0,0 +1,204 @@ +--- +title: Policies for update compliance, activity, and end-user experience +ms.reviewer: +manager: laurawi +description: +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Policies for update compliance, activity, and end-user experience +Keeping devices up to date is the best way to keep them working smoothly and securely. + +## Deadlines for update compliance + +You can control how strictly devices must reliably keep to your desired update schedule by using update deadline policies. Windows components adapt based on these deadlines. Also, they can make tradeoffs between user experience and velocity in order to meet your desired update deadlines. For example, they can prioritize user experience well before the +deadline approaches, and then prioritize velocity as the deadline nears, while still affording the user some control. + +### Deadlines + +Beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709 +and late, a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**. + +The older policies started enforcing deadlines once the device reached a “restart pending” state for +an update. The new policy starts the countdown for the update installation deadline from when the +update is published plus any deferral. In addition, this policy includes a configurable grace period and the option +to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic +restarts for maximum update velocity). + +> [!IMPORTANT] +> If you use the new **Specify deadlines for automatic updates and restarts** setting in Windows 10, +> version 1903, you must disable the [older deadline policies](wufb-compliancedeadlines.md#prior-to-windows-10-version-1709) because they could conflict. + +We recommend you set deadlines as follows: +- Quality update deadline, in days: 3 +- Feature update deadline, in days: 7 +- +Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded +later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you +do **not** set any notification policies, because they are automatically configured with appropriate defaults. An exception is if you +have kiosks or digital signage. + +While three days for quality updates and seven days for feature updates is our recommendation, you might decide +you want more or less, depending on your organization and its requirements, and this policy is configurable down +to a minimum of two days. + + +> [!IMPORTANT] +> If the device is unable to reach the Internet, it can't determine when Microsoft +> published the update, so it won't be able to enforce the deadline. Learn more about [low activity devices](#device-activity-policies). + +### Grace periods + +You can set a period of days for Windows to find a minimally disruptive automatic restart time before the restart is enforced. This +is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device will not +be forced to update immediately when the user returns. + +We recommend you set the following: + +- Grace period, in days: 2 + +Once the deadline and grace period have passed, updates are applied automatically, and a restart occurs +regardless of [active hours](#active-hours). + + +### Let Windows choose when to restart + +Windows can use user interactions to dynamically identify the least disruptive time for an +automatic restart. To take advantage of this feature, ensure **ConfigureDeadlineNoAutoReboot** is set to +**Disabled**. + +## Device activity policies + +Windows typically requires that a device is active and connected to the internet for at least six hours, with at least two +of continuous activity {HOW DO YOU DEFINE ACTIVITY?}, in order to successfully complete a system update. The device could have other +physical circumstances that prevent successful installation of an update--for example, if a laptop is running low +on battery power, or the user has shut down the device before active hours end and the device cannot comply +with the deadline. + +You can use the settings in this section to ensure that devices are actually available to install updates during the update compliance period. + +### Active hours + +"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts will occur outside of +these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a user’s activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update. + +> [!IMPORTANT] +> If you used the **Configure Active Hours** setting in previous versions of Windows 10, these +options must be **Disabled** in order to take advantage of intelligent active hours. + +If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update +velocity: + +- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it’s possible to set the system to delay restarts for users who are logged +in, this might delay an update indefinitely if a user is always either logged in or shut down. Instead, we +recommend setting the following polices to **Disabled**: + - **Turn off auto-restart during active hours** + - **No auto-restart with logged on users for scheduled automatic updates** + + - [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users will receive notifications that +updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the user’s ability to delay a restart outside of compliance deadline settings. + +- **Do not allow users to approve updates and reboots**. Letting users approve or engage with the update process outside of the deadline policies decreases update velocity and increases risk. These policies should be set to **Disabled**: + - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) + - [Update/EngagedRestartDeadline](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartdeadline) + - [Update/EngagedRestartDeadlineForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartdeadlineforfeatureupdates) + - [Update/EngagedRestartSnoozeSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozeschedule) + - [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozescheduleforfeatureupdates) + - [Update/EngagedRestartTransitionSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestarttransitionschedule) + +- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you’re using Microsoft Intune, setting the value to [Reset to Default](https://docs.microsoft.com/mem/intune/protect/windows-update-settings#user-experience-settings). +- **Allow auto Windows Update to download over metered networks**. Since more and more devices primarily use cellular data and do not have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting does not allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they are connected to the internet or not, provided they have cellular service. + +> [!IMPORTANT] +> Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies: +>- [Configure active hours](waas-restart.md#configure-active-hours). Starting with Windows 10, version 1703, you can specify a maximum active-hour range which is counted from the active hours start time. We recommend setting +this value to **10**. +>- [Schedule update installation](waas-restart.md#schedule-update-installation). In the **Configure Automatic Updates** settings, there are two ways to control a forced restart after a specified installation time. If you use **schedule update installation**, do not enable both settings because they will most likely conflict. +> - **Specify automatic maintenance time**. This setting lets you set broader maintenance windows for updates and ensures that this schedule does not conflict with active hours. We +recommend setting this value to **3** (corresponding to 3 AM). If 3:00 AM is in the middle of the work shift, pick another time that is at least a couple hours before your scheduled work time begins. +> - **Schedule the install time**. This setting allows you to schedule an installation time for a restart. We do *not* recommend you set this to **Disabled** as it could conflict with active hours. + +### Power policies + +Devices must actually be available during non-active hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs: + +To a user, a device is either on or off, but for Windows, there are states that will allow an update to occur (active) and states that do not (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update. + +You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during non-active hours. + +> [!NOTE] +> One way to ensure that devices can install updates when you need them to is to educate your users to keep devices plugged in during non-active hours. Even with the best policies, a device that isn't plugged in will not be updated, even in sleep mode. + +We recommend these power management settings: + +- Sleep mode (S1 or S0 Low Power Idle or [Modern Standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby)). When a device is in sleep mode, the system +appears to be off but if an update is available, it can wake the device up in order to take an update. The +power consumption in sleep mode is between working (system fully usable) and hibernate (S4 - lowest +power level before shutdown). When a device is not being used, the system will generally move to sleep +mode before it goes to hibernate. Issues in velocity arise when the time between sleep and hibernate is +too short and Windows does not have time to complete an update. Sleep mode is an important setting +because the system can wake the system from sleep in order to start the update process, as long as there +is enough power. + +Set the following policies to **Enable** or **Do Not Configure** in order to allow the device to use sleep mode: +- [Power/AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-allowstandbystateswhensleepingonbattery) +- [Power/AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin) + +Set the following policies to **1 (Sleep)** so that when a user closes the lid of a device, the system goes to +sleep mode and the device has an opportunity to take an update: +- [Power/SelectLidCloseActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactiononbattery) +- [Power/SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin) + +- **Hibernate**. When a device is hibernating, power consumption is very low and the system cannot wake up +without user intervention, like pressing the power button. If a device is in this state, it cannot be updated +unless it supports an ACPI Time and Alarm Device (TAD). That said, if a device supporting Traditional Sleep +(S3) is plugged in, and a Windows update is available, a hibernate state will be delayed until the update is complete. + +> [!NOTE] +> This does not apply to devices that support Modern Standby (S0 Low Power Idle). You can check which system sleep state (S3 or S0 Low Power Idle) a device supports by running `powercfg /a` at a command prompt. For more, see [Powercfg options](https://docs.microsoft.com/windows-hardware/design/device-experiences/powercfg-command-line-options#option_availablesleepstates). + +The default timeout on devices that support traditional sleep is set to three hours. We recommend that you do not reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation: + +- [Power/HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutonbattery) +- [Power/HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutpluggedin) + +## Old or conflicting policies + +Each release of Windows 10 can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions. + +> [!IMPORTANT] +> If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are +> using an MDM tool (Microsoft or non-Microsoft), you can't use the new policy until it's available in the tool interface. + +As administrators, you have set up and expect certain behaviors, so we expressly do not remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected. + +> [!IMPORTANT] +> We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up: +> - Windows updates: Group Policy settings take precedence over MDM. +> - Microsoft Intune: If you set different values for the same policy on two different groups, you will +> receive an alert and neither policy will be set until the conflict is resolved. +> It is crucial that you disable conflicting policies in order for devices in your organization to take updates as +> expected. For example, if a device is not reacting to your MDM policy changes, check to see if a similar +> policy is set in Group Policy with a differing value. +> If you find that update velocity is not as high as you expect or if some devices are slower than others, it might be +> time to clear all polices and settings and specify only the recommended update policies. See the Policy and settings reference for a consolidated list of recommended polices. + +The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict: +- **Defer Feature Updates Period in Days**. For maximum update velocity, it's best to set this to **0** (no +deferral) so that the feature update can complete and monthly security updates will be offered again. Even if there is an urgent quality update that must be quickly deployed, it is best to use **Pause Feature +Updates** rather than setting a deferral policy. You can choose a longer period if you don't want to stay up to date with the latest feature update. +- **Defer Quality Updates Period in Days**. To minimize risk and maximize update velocity, the maximum time you might want to consider while evaluating the update with a different ring of devices is two to three days. +- **Pause Feature Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution. +- **Pause Quality Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution. +- **Deadline No Auto Reboot**. Default is **Disabled – Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart. + +There are additional policies are no longer supported or have been superseded. See {LINK TO Policies and settings reference guide – Policies to disable or not configure} for more information. diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index a5d605d778..b4bb57aef5 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -119,7 +119,7 @@ Download mode dictates which download sources clients are allowed to use when do By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. -[//]: # (Configuration Manager Boundary Group option; GroupID Source policy) +[//]: # (Configuration Manager boundary group option; GroupID Source policy) >[!NOTE] >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index ac14bcf549..7bcf7c77c3 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -35,6 +35,9 @@ Delivery Optimization offers a great many settings to fine-tune its behavior (se >[!NOTE] >These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set. +> [!NOTE] +> Microsoft Intune includes a profile to make it easier to set Delivery Optimization policies. For details, see [Delivery Optimization settings for Intune](https://docs.microsoft.com/mem/intune/configuration/delivery-optimization-settings). + Quick-reference table: | Use case | Policy | Recommended value | Reason | @@ -66,6 +69,9 @@ To do this in Group Policy go to **Configuration\Policies\Administrative Templat To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**. +> [!NOTE] +> For more about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). + ### Large number of mobile devices @@ -139,7 +145,9 @@ Using the `-Verbose` option returns additional information: - Bytes from CDN (the number of bytes received over HTTP) - Average number of peer connections per download  -Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. +Starting in Windows 10, version 2004, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers. + +Starting in Windows 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. @@ -166,6 +174,30 @@ You can now "pin" files to keep them persistent in the cache. You can only do th #### Work with Delivery Optimization logs +**Starting in Windows 10, version 2004:** + +`Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` + +With no options, this cmdlet returns these data: + +- total number of files +- number of foreground files +- minimum file size for it to be cached +- number of eligible files +- number of files with peers +- number of peering files [how different from the above?] +- overall efficiency +- efficiency in the peered files + +Using the `-ListConnections` option returns these detauls about peers: + +- destination IP address +- peer type +- status code +- bytes sent +- bytes received +- file ID + **Starting in Windows 10, version 1803:** `Get-DeliveryOptimizationLog [-Path ] [-Flush]` diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index d37589c3e6..40cf29568f 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -32,6 +32,15 @@ Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimi >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. +## New in Windows 10, version 2004 + +- Enterprise network throttling: new settings have been added in Group Policy and MDM to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface: + +![absolute bandwidth settings in delivery optimization interface](images/DO-absolute-bandwidth.png) + +- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#microsoft-connected-cache). + + ## Requirements The following table lists the minimum Windows 10 version that supports Delivery Optimization: @@ -54,8 +63,16 @@ The following table lists the minimum Windows 10 version that supports Delivery | Windows Defender definition updates | 1511 | | Office Click-to-Run updates | 1709 | | Win32 apps for Intune | 1709 | +| Office installations and updates | 2004 | +| Xbox game pass games | 2004 | +| MSIX apps (HTTP downloads only) | 2004 | | Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 | +> [!NOTE] +> Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). + + + @@ -124,6 +141,30 @@ For the payloads (optional): **How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). +**How does Delivery Optimization handle VPNs?** +Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." + +If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the {WE SHOULD NAME OR POINT TO THIS POLICY} policy. + +If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. + +With split tunnelling, it's best to exclude the boundary group for the VPN devices to exclude it from using peer-to-peer. (In this case, those devices won't get the policy and will default to using LAN.) If you're using split tunnelling, you should allow direct access for these endpoints: + +Delivery Optimization service endpoint: +- `https://*.prod.do.dsp.mp.microsoft.com` + +Delivery Optimization metadata: +- `http://emdl.ws.microsoft.com` +- `http://*.dl.delivery.mp.microsoft.com` + +Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads + +- `http://*.windowsupdate.com` +- `https://*.delivery.mp.microsoft.com` +- `https://*.update.microsoft.com` +- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` + +For more information about this if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). ## Troubleshooting diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 0e9f6ba908..e0d6464259 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -1,5 +1,5 @@ --- -title: Deploy updates using Windows Update for Business (Windows 10) +title: Windows Update for Business (Windows 10) ms.reviewer: manager: laurawi description: Windows Update for Business lets you manage when devices received updates from Windows Update. @@ -11,24 +11,118 @@ ms.author: jaimeo ms.topic: article --- -# Deploy updates using Windows Update for Business +# What is Windows Update for Business? **Applies to** - Windows 10 -- Windows Server 2016 -- Windows Server 2019 -Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro for Workstation, and Education editions. + +Windows Update for Business is a free service that is available for all premium editions including Windows 10 Pro, Enterprise, Pro for Workstation, and Education editions. > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. +Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. -Specifically, Windows Update for Business allows for control over update offering and experience to allow for reliability and performance testing on a subset of systems before rolling out updates across the organization as well as a positive update experience for those within your organization. +Specifically, Windows Update for Business allows for control over update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization as well as a positive update experience for those in your organization. + +## What can I do with Windows Update for Business? + +Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them. + +You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as a variety of other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy). + + +### Manage deployment of Windows Updates +By using Windows Update for Business, you can control which types of Windows Updates are offered to devices in your ecosystem, when updates are applied, and deployment to devices in your organization in waves. + +### Manage which updates are offered +Windows Update for Business enables an IT administrator to receive and manage a variety of different types of Windows Updates. + +## Types of updates managed by Windows Update for Business + +Windows Update for Business provides management policies for several types of updates to Windows 10 devices: + +- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring. +- **Quality updates:** These are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. +- **Driver updates:** These are non-Microsoft drivers that are applicable to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. +- **Microsoft product updates**: These are updates for other Microsoft products, such as Office. Product updates are off by default. You can turn them on by using Windows Update for Business policies. + + +## Offering +You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period. + +### Manage when updates are offered +You can defer or pause the installation of updates for a set period of time. + +#### Enroll in pre-release updates + +The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates: + +- Windows Insider Fast +- Windows Insider Slow +- Windows Insider Release Preview +- Semi-annual Channel + +Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days are calculated against a release’s Semi-annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. + +#### Defer an update + +A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates use the **Select when Preview Builds and Feature Updates are Received** policy. + + +|Category |Maximum deferral period | +|---------|---------| +|Feature updates | 365 days | +|Quality updates | 30 days | +|Non-deferrable | none | + + + +#### Pause an update + +If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. +If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. + +To pause feature updates use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). + +Built in benefits: +When updating from Windows Update you get the added benefits of built in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. + +### Recommendations + +For the best experience with Windows Update, follow these guidelines: + +- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. +- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. +- Make sure that devices have at least 10 GB of free space. +- Give devices unobstructed access to the Windows Update service. + +### Manage the end-user experience when receiving Windows Updates + +Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for those in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's usually better to use fewer controls to manage the end-user experience. + +#### Recommended experience settings + +Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features: + +1. Automatically download, install and restart (default if no restart policies are set up or enabled) +2. Use the default notifications +3. Set update deadlines + +##### Setting deadlines + +A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates. + +This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This is extremely beneficial in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. + + + + +