Merge remote-tracking branch 'refs/remotes/origin/master' into jd-sandbox

This commit is contained in:
jdeckerMS 2016-12-07 07:42:04 -08:00
commit 48776f29ea
18 changed files with 133 additions and 39 deletions

View File

@ -53,7 +53,7 @@ Use this procedure if you use Exchange on-prem.
```ps1
Set-ExecutionPolicy Unrestricted
$cred=Get-Credential -Message "Please use your Office 365 admin credentials"
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.office365.com/ps1-liveid/' -Credential $cred -Authentication Basic -AllowRedirection
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $sess
```
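Review bot: `Set-ExecutionPolicy Unrestricted` on the first line of this block changes the machine-wide policy just to run one session script; suggest the narrower `Set-ExecutionPolicy RemoteSigned -Scope Process` so the change ends with the console. Also, the hunk context says "Use this procedure if you use Exchange on-prem" while `Get-Credential` asks for "Office 365 admin credentials" and the new `-ConnectionUri` is `https://ps.outlook.com/powershell`; please confirm the on-prem heading is right for this block. A closing `Remove-PSSession $sess` line would also help readers not leave the remote session open.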

View File

@ -17,8 +17,8 @@ author: jdeckerMS
Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
- A Microsoft Edge browser window opens, showing just the test and nothing else.
- The clipboard is cleared.
- Take a Test shows just the test and nothing else.
- Take a Test clears the clipboard.
- Students arent able to go to other websites.
- Students cant open or access other apps.
- Students can't share, print, or record their screens.
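Review bot: the unchanged context lines "Students arent able to go to other websites." and "Students cant open or access other apps." have lost their apostrophes (the next bullet still reads "can't"); since this list is being edited anyway, restore "aren't" and "can't".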

View File

@ -17,8 +17,8 @@ author: jdeckerMS
The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
- A Microsoft Edge browser window opens, showing just the test and nothing else.
- The clipboard is cleared.
- Take a Test shows just the test and nothing else.
- Take a Test clears the clipboard.
- Students arent able to go to other websites.
- Students cant open or access other apps.
- Students can't share, print, or record their screens.
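Review bot: replacing "A Microsoft Edge browser window opens, showing just the test and nothing else." with "Take a Test shows just the test and nothing else." drops the only statement that the test runs in a Microsoft Edge window; if that detail still holds, keep it in the new bullet, e.g. "Take a Test opens a Microsoft Edge window that shows just the test and nothing else."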

View File

@ -115,7 +115,9 @@ To ensure that user computers are receiving the most up to date data from Micros
## Run the Upgrade Analytics deployment script
To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the Upgrade Analytics deployment script, developed by Microsoft.
To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
> The following guidance applies to version 11.11.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
The Upgrade Analytics deployment script does the following:
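Review bot: the added "> The following guidance applies to version 11.11.16 or later..." line uses a bare blockquote, while the other notes in this commit use the `> [!NOTE]` callout; suggest the callout form and a blank line before it so the quote does not attach to the preceding paragraph. The same fwlink target is used for both the inline "Upgrade Analytics deployment script" link and "Download Center"; keep them in sync if the link ever changes.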
@ -125,7 +127,7 @@ The Upgrade Analytics deployment script does the following:
3. Checks whether the computer has a pending restart.  
4. Verifies that the latest version of KB package 10.0.x is installed (requires 10.0.14348 or subsequent releases).
4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
5. If enabled, turns on verbose mode for troubleshooting.
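Review bot: the new step 4 recommends "version 10.0.14913 or later" without saying what it adds over the required 10.0.14348; a short clause or a link to the corresponding KB article would help admins decide whether to update before running the script.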
@ -135,17 +137,15 @@ The Upgrade Analytics deployment script does the following:
To run the Upgrade Analytics deployment script:
1. Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. The files in the Diagnostics folder are necessary only if you plan to run the script in troubleshooting mode.
1. Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is inteded to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
2. Edit the following parameters in RunConfig.bat:
1. Provide a storage location for log information. Example: %SystemDrive%\\UADiagnostics
1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
2. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory.
2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry.
3. Input your commercial ID key.
4. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
> *logMode = 0 log to console only*
>
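Review bot: typo in the new step 1, "inteded" should be "intended". The merged sub-step 1 mentions the fallback ("it creates the log files in the drive with the Windows directory") only in passing; since the Deployment variant is run as system through ConfigMgr, consider adding that a remote file share given here must be writable by the computer account, otherwise the fallback location applies and the logs are not where the admin expects. The OMS path in sub-step 2 ("Settings -> Connected Sources -> Windows Telemetry") is a useful addition.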
@ -153,9 +153,7 @@ To run the Upgrade Analytics deployment script:
>
> *logMode = 2 log to file only*
3. For troubleshooting, set isVerboseLogging to $true to generate log information that can help with diagnosing issues. By default, isVerboseLogging is set to $false. Ensure the Diagnostics folder is installed in the same directory as the script to use this mode.
4. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
> *IEOptInLevel = 0 Internet Explorer data collection is disabled*
>
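Review bot: this hunk deletes the only instruction for `isVerboseLogging` ("set isVerboseLogging to $true ... Ensure the Diagnostics folder is installed in the same directory as the script"), but the "script does the following" list above still states "5. If enabled, turns on verbose mode for troubleshooting." Either keep a sentence saying verbose logging is now built into the Pilot version, or update that list so the two sections agree.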
@ -165,9 +163,7 @@ To run the Upgrade Analytics deployment script:
>
> *IEOptInLevel = 3 Data collection is enabled for all sites*
5. Notify users if they need to restart their computers. By default, this is set to off.
6. After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
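Review bot: removing "5. Notify users if they need to restart their computers. By default, this is set to off." should be tied to the script change: if the parameter still exists in RunConfig.bat, the doc should keep it; if it was removed in 11.11.16, say so in the version note above. Also, "run RunConfig.bat as system" would be clearer as "as SYSTEM (the local system account)" so readers do not mistake it for a mode of the script.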
@ -197,8 +193,12 @@ The deployment script displays the following exit codes to let you know if it wa
<TR><TD>19<TD>This machine doesnt have the proper KBs installed. Make sure you have recent compatibility update KB downloaded.
<TR><TD>20<TD>Error writing RequestAllAppraiserVersions registry key.
<TR><TD>21<TD>Function SetRequestAllAppraiserVersions: Unexpected failure.
<TR><TD>22<TD>Error when running inventory scan.
<TR><TD>22<TD>RunAppraiser failed with unexpected exception.
<TR><TD>23<TD>Error finding system variable %WINDIR%.
<TR><TD>24<TD>SetIEDataOptIn failed when writing IEDataOptIn to registry.
<TR><TD>25<TD>SetIEDataOptIn failed with unexpected exception.
<TR><TD>26<TD>The operating system is LTSB SKU. The script does not support LTSB SKUs.
<TR><TD>27<TD>The operating system is Server SKU. The script does not support Server SKUs.
</TABLE>
</div>
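Review bot: new rows 26 and 27 declare LTSB and Server SKUs unsupported (exit codes 26 and 27), but the prerequisites and steps above never mention this; stating it before "To run the Upgrade Analytics deployment script" would stop admins from targeting those SKUs in ConfigMgr and then decoding exit codes afterwards. Minor: row 19's "doesnt" is missing its apostrophe, and the changed row 22 ("RunAppraiser failed with unexpected exception.") is less actionable than the old "Error when running inventory scan."; consider combining both phrasings.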

View File

@ -51,6 +51,10 @@ You can use System Center Configuration Managers existing functionality to cr
a. Choose a predefined device collection to deploy the package to.
> [!NOTE]
> Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading.
### Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
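Review bot: the new note reads "Onboarding couldn't be completed during Out-Of-Box Experience (OOBE)", which describes a past event; as a standing limitation it should be "Onboarding can't be completed during the Out-Of-Box Experience (OOBE). Make sure users complete OOBE after running Windows installation or upgrading."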

View File

@ -244,7 +244,7 @@ For more info on virtualization-based security and Device Guard, see [Device Gua
**Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool**
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot
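Review bot: good catch on "enable" to "disable" under the "Turn off Credential Guard" heading. The code fence on the next line has no language tag, while the other PowerShell block in this commit uses ```ps1; tag it for consistency. Also, `-AutoReboot` restarts the machine as soon as the tool finishes, so the sentence introducing the command should say so rather than leaving the reader to infer it from the switch name.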

View File

@ -20,9 +20,9 @@ localizationpriority: high
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
>[!IMPORTANT]
>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. Use the **Turn on PIN sign-in** setting to allow or deny the use of a convenience PIN for Windows 10, versions 1507, 1511, and 1607.
>
>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. Learn more in the blog post [Changes to Convenience PIN/Windows Hello Behavior in Windows 10, version 1607](https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/).
>
>Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business.
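Review bot: the rewritten first sentence says to use **Turn on PIN sign-in** to allow or deny a convenience PIN for "versions 1507, 1511, and 1607", but the next paragraph says that for 1607 the setting to enable is **Turn on convenience PIN sign-in**. Two differently named settings are now given for the same version; please state which name applies to 1607 (or that the setting was renamed) so the note does not contradict itself.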
 
@ -376,4 +376,4 @@ The PIN is managed using the same Windows Hello for Business policies that you c
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 
 

View File

@ -93,7 +93,7 @@ This section is an overview that describes different parts of the end-to-end sec
| Number | Part of the solution | Description |
| - | - | - |
| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows 10-based device with TPM 2.0 can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.|
| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.|
| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organizations tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.<br/>Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.<br/>MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.|
| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.<br/>Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).|
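Review bot: dropping "2.0" leaves "A Windows 10-based device with TPM can report health status"; keep the article, "with a TPM". Since this row is the only place in the overview table that states the TPM prerequisite, consider naming the accepted versions explicitly (1.2 and 2.0, if both are now supported) rather than leaving the version unspecified.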
@ -125,7 +125,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware li
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 is required for device health attestation.
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
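Review bot: deleting "TPM 2.0 is required for device health attestation." leaves the preceding sentence, "For the most recent and modern security features, Windows 10 supports only TPM 2.0.", with no statement of the minimum version for health attestation at all. If the change means TPM 1.2 is now sufficient, say that explicitly; otherwise readers will assume health attestation falls under "modern security features" and still needs 2.0.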
@ -202,8 +202,6 @@ Windows 10 supports features to help prevent sophisticated low-level malware li
During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. For additional security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify health status of the Windows device.
Health attestation requires the presence of TPM 2.0. On Windows 10, TPM 2.0 also requires UEFI firmware.
Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a measurement does not work. But with conditional access control, health attestation will help to prevent access to high-value assets.
### <a href="" id="virtual"></a>Virtualization-based security
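Review bot: the removed line also carried "On Windows 10, TPM 2.0 also requires UEFI firmware." If a UEFI firmware requirement still applies to health attestation (the surrounding text describes measuring the boot chain, which depends on the firmware), it should be restated in this section rather than disappearing together with the TPM 2.0 sentence.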
@ -317,7 +315,7 @@ MDM solutions are becoming prevalent as a light-weight device management technol
### Device health attestation
Device health attestation leverages the TPM 2.0 to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device.
Device health attestation leverages the TPM to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device.
For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy.
@ -366,7 +364,7 @@ The following table details the hardware requirements for both virtualization-ba
<td align="left"><p>Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Trusted Platform Module (TPM) 2.0</p></td>
<td align="left"><p>Trusted Platform Module (TPM) </p></td>
<td align="left"><p>Required to support health attestation and necessary for additional key protections for virtualization-based security.</p></td>
</tr>
</tbody>
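Review bot: the new cell "Trusted Platform Module (TPM) " keeps a trailing space before `</p>`; trim it. In a hardware requirements table the version matters, and the description cell still says "Required to support health attestation", so the cell should name the accepted TPM versions rather than none.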
@ -380,7 +378,7 @@ As of today, many organizations only consider devices to be compliant with compa
The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running.
As previously discussed, the health attestation feature of Windows 10 uses the TPM 2.0 hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware.
As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware.
By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data.
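Review bot: the stray comma in "Because, health attestation leverages the hardware-based security capabilities of TPM" is carried from the old line into the new one; since the line is rewritten anyway, drop the comma and write "of the TPM". "TPM hardware component" can also simply be "TPM".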
@ -404,7 +402,7 @@ This is the most secure approach available for Windows 10-based devices to dete
A relying party like an MDM can inspect the report generated by the remote health attestation service.
>**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM 2.0. There is no restriction on any particular edition of Windows 10.
>**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM. There is no restriction on any particular edition of Windows 10.
 
Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent.
@ -418,7 +416,7 @@ Health attestation logs the measurements in various TPM Platform Configuration R
![figure 6](images/hva-fig6-logs.png)
When starting a device equipped with a TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log.
When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log.
![figure 7](images/hva-fig7-measurement.png)
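Review bot: "a device equipped with TPM" in the new line lost the article along with the version; it should read "a device equipped with a TPM", as the old line did.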
@ -438,7 +436,7 @@ The number of retained logs may be set with the registry **REG\_DWORD** value **
 
The following process describes how health boot measurements are sent to the health attestation service:
1. The client (a Windows 10-based device with a TPM 2.0) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
3. The remote device heath attestation service then:
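Review bot: the new step 1, "(a Windows 10-based device with TPM)", needs the article, "with a TPM", as in the other TPM 2.0 removals in this commit. The unchanged step 3 in this hunk has a typo, "heath attestation service" for "health attestation service"; worth fixing while here.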
@ -457,7 +455,7 @@ The device health attestation solution involves different components that are TP
### <a href="" id="trusted-platform-module-"></a>Trusted Platform Module
*Its all about TPM 2.0 and endorsement certificates.* This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device.
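Review bot: with the italic lead-in sentence removed, the section now opens directly on "This section describes how PCRs ... endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs ...". Subject-verb agreement should be "that acts" and "that protects", and SRK is never expanded although PCR, EK and AIK are; expand it (storage root key) on first use.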
@ -492,7 +490,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t
Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
>**Note:**  Before the device can report its health using the TPM 2.0 attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
>**Note:**  Before the device can report its health using the TPM attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
 
The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
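Review bot: "in conjunction with a third-party service like the Microsoft Cloud CA service" is self-contradictory, and the unchanged paragraph above says "This AIK certificate is issued by a Microsoft cloud service"; suggest "a certificate service such as the Microsoft Cloud CA service". The rest of the note holds together well with the following paragraph: because the AIK private key never leaves the TPM, the per-boot signature over the log state and monotonic counter is what a relying party can trust.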

View File

@ -46,6 +46,7 @@ U.S. region:
- winatpfeedback.windows.com
- winatpmanagement.windows.com
- winatponboarding.windows.com
- winatpservicehealth.windows.com
EU region:
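Review bot: the added winatpservicehealth.windows.com entry is identical under "U.S. region" and "EU region", as are the three unchanged neighbours (winatpfeedback, winatpmanagement, winatponboarding); if these hosts are region-neutral, a single shared list would avoid one region's allow-list being updated and the other forgotten.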
@ -57,6 +58,7 @@ EU region:
- winatpfeedback.windows.com
- winatpmanagement.windows.com
- winatponboarding.windows.com
- winatpservicehealth.windows.com
### Windows Defender ATP service shows event or error logs in the Event Viewer

View File

@ -71,6 +71,7 @@ For information how to enforce or ignore the default and local lists of blocked
- [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb)
- [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb)
### <a href="" id="bkmk-tpmgp-idlb"></a>Ignore the default list of blocked TPM commands
This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands.

View File

@ -30,6 +30,9 @@ It is enabled by default when certain pre-requisite settings are also enabled. I
When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
> [!NOTE]
> The Block at first sight feature only use the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file.
If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file.
In many cases this process can reduce the response time to new malware from hours to seconds.
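Review bot: grammar in the new note: "feature only use the cloud protection backend" should be "feature only uses", and the context line above, "determine the files as malicious or clean", reads better as "determine whether the file is malicious or clean". It would also help to say what "originating from the Internet zone" means for a file that was not downloaded by a browser, since that condition decides whether the hash lookup happens at all.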

View File

@ -2,6 +2,7 @@
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
## [Update Windows 10 in the enterprise](waas-update-windows-10.md)
### [Quick guide to Windows as a service](waas-quick-start.md)
### [Overview of Windows as a service](waas-overview.md)
### [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)

View File

@ -12,6 +12,12 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## December 2016
| New or changed topic | Description |
| --- | --- |
| [Quick guide to Windows as a service](waas-quick-start.md) | New |
## November 2016
| New or changed topic | Description |

View File

@ -237,7 +237,8 @@ In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **
- For **Remote port**, choose **All ports**.
If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost.
### <a href="" id="bkmk-cortana-mdm"></a>2.2 Cortana and Search MDM policies
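Review bot: the new sentence "do not use a network proxy as Windows Firewall does not block proxy traffic" needs "because" (or a comma before "as") so that "as" is not read temporally. Dropping the product names is fine, but "Based on your needs, there are many network traffic analyzers available at no cost." adds nothing actionable; the reason from the old line, that a proxy carries the traffic itself and so never exercises the firewall rule, is the part worth keeping.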

View File

@ -172,6 +172,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Quick guide to Windows as a service](waas-quick-start.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)

View File

@ -0,0 +1,76 @@
---
title: Quick guide to Windows as a service (Windows 10)
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Quick guide to Windows as a service
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10 IoT Mobile
Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](waas-update-windows-10.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts.
## Definitions
Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
- **Feature updates** will be released two to three times per year. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update.
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
- **Servicing branches** allow organizations to choose when to deploy new features. Current Branch (CB) deploys the fastest, soon after a feature update is released. Current Branch for Business (CBB) defers the installation of the same feature update by about four months, until that feature update is considered ready for broad deployment. Long Term Servicing Branch (LTSB) is different, used only for specialized devices (which typically dont run Office) such as those that control medical equipment or ATM machines that need to be kept stable and secure.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
## Key Concepts
New feature update releases are initially considered **Current Branch (CB) releases**; organizations will use these for pilot deployments to ensure compatibility with existing apps and infrastructure. After about four months, the feature update will be declared as **Current Branch for Business (CBB)**, indicating that it is ready for broad deployment.
Each Windows 10 feature update (which initially begins as CB and then is declared as CBB) will be serviced with quality updates for a minimum of 18 months after it is released. The total length of time can be longer, as there will be two CBB releases serviced at all times. There will be a minimum of 60 days advanced notice (a grace period) after a CBB declaration occurs before an older feature update is no longer serviced.
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
See [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) for more information.
## Staying up to date
The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Upgrade Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isnt required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps and CBB has been declared, broad deployment can begin.
This process repeats with each new feature update, two to three times per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files.
See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) and [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) for more information.
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)
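Review bot: in the new "Staying up to date" paragraph, "A variety of tools management and patching tools such as Windows Update, ... and third-party products) can be used" has a doubled "tools" and an unmatched closing parenthesis; suggest "A variety of management and patching tools (such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used". Elsewhere in the file, "dont" (Servicing branches bullet) and "isnt" (app compatibility paragraph) are missing apostrophes, and "ATM machines" is redundant ("ATMs").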

View File

@ -127,7 +127,7 @@ During the life of a device, it may be necessary or desirable to switch between
</tr>
<tr class="even">
<td align="left">Current Branch for Business</td>
<td align="left">Not directly possible, because Windows Insider Program machines are automatically upgraded to the Current Branch release at the end of the development cycle.</td>
<td align="left">Not directly possible, because Windows Insider Program devices are automatically upgraded to the Current Branch release at the end of the development cycle.</td>
</tr>
<tr class="odd">
<td align="left">Long-Term Servicing Branch</td>
@ -153,7 +153,7 @@ During the life of a device, it may be necessary or desirable to switch between
</tr>
<tr class="even">
<td align="left">Current Branch</td>
<td align="left">Disable the <strong>Defer upgrade</strong> setting, or move the PC to a target group or flight that will receive the latest Current Branch release.</td>
<td align="left">Disable the <strong>Defer upgrade</strong> setting, or move the device to a target group or flight that will receive the latest Current Branch release.</td>
</tr>
<tr class="odd">
<td align="left">Long-Term Servicing Branch</td>

View File

@ -27,6 +27,7 @@ Windows as a service provides a new way to think about building, deploying, and
| Topic | Description|
| --- | --- |
| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. |
| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. |
| [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. |
| [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. |