Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into security-book-24

This commit is contained in:
Paolo Matarazzo
2024-10-28 14:30:51 -04:00
42 changed files with 472 additions and 454 deletions

View File

@ -164,7 +164,7 @@ One or more values can be added as either fully qualified domain names (FQDN) or
<!-- DOCacheHost-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Clients don't talk to multiple Microsoft Connected Cache (MCC) servers at the same time. If you configure a list of MCC servers in this policy, the clients will round robin until they successfully connect to an MCC server. The clients have no way to determine if the MCC server has the content or not. If the MCC server doesn't have the content, it caches the content as it is handing the content back to the client.
> Clients don't talk to multiple Microsoft Connected Cache servers at the same time. If you configure a list of Connected Cache servers in this policy, the clients will round robin until they successfully connect to a Connected Cache server. The clients have no way to determine if the Connected Cache server has the content or not. If the Connected Cache server doesn't have the content, it caches the content as it is handing the content back to the client.
<!-- DOCacheHost-Editable-End -->
<!-- DOCacheHost-DFProperties-Begin -->
@ -578,7 +578,7 @@ Specifies the download method that Delivery Optimization can use in downloads of
<!-- DODownloadMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> The Delivery Optimization service on the clients checks to see if there are peers and/or an MCC server which contains the content and determines the best source for the content.
> The Delivery Optimization service on the clients checks to see if there are peers and/or a Connected Cache server which contains the content and determines the best source for the content.
<!-- DODownloadMode-Editable-End -->
<!-- DODownloadMode-DFProperties-Begin -->
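Review bot: The reworded DODownloadMode note says the client checks for "a Connected Cache server which contains the content", while the DOCacheHost note in the previous hunk says "The clients have no way to determine if the Connected Cache server has the content or not." The two notes contradict each other. Reword one of them so both describe the same behaviour, and use "that" instead of "which" while the line is being touched.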

View File

@ -298,35 +298,6 @@ To change the default time for Assigned Access to resume, add *IdleTimeOut* (DWO
The Breakout Sequence of <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd> is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence is <kbd>CTRL</kbd> + <kbd>ALT</kbd> + <kbd>A</kbd>, where <kbd>CTRL</kbd> + <kbd>ALT</kbd> are the modifiers, and <kbd>A</kbd> is the key value. To learn more, see [Create an Assigned Access configuration XML file](configuration-file.md).
### Keyboard shortcuts
The following keyboard shortcuts are blocked for the user accounts with Assigned Access:
| Keyboard shortcut | Action |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------|
| <kbd>Ctrl</kbd> + <kbd>Shift</kbd> + <kbd>Esc</kbd> | Open Task Manager |
| <kbd>WIN</kbd> + <kbd>,</kbd> (comma) | Temporarily peek at the desktop |
| <kbd>WIN</kbd> + <kbd>A</kbd> | Open Action center |
| <kbd>WIN</kbd> + <kbd>Alt</kbd> + <kbd> D</kbd> | Display and hide the date and time on the desktop |
| <kbd>WIN</kbd> + <kbd>Ctrl</kbd> + <kbd> F</kbd> | Find computer objects in Active Directory |
| <kbd>WIN</kbd> + <kbd>D</kbd> | Display and hide the desktop |
| <kbd>WIN</kbd> + <kbd>E</kbd> | Open File Explorer |
| <kbd>WIN</kbd> + <kbd>F</kbd> | Open Feedback Hub |
| <kbd>WIN</kbd> + <kbd>G</kbd> | Open Game bar when a game is open |
| <kbd>WIN</kbd> + <kbd>I</kbd> | Open Settings |
| <kbd>WIN</kbd> + <kbd>J</kbd> | Set focus to a Windows tip when one is available |
| <kbd>WIN</kbd> + <kbd>O</kbd> | Lock device orientation |
| <kbd>WIN</kbd> + <kbd>Q</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>R</kbd> | Open the Run dialog box |
| <kbd>WIN</kbd> + <kbd>S</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>Shift</kbd> + <kbd> C</kbd> | Open Cortana in listening mode |
| <kbd>WIN</kbd> + <kbd>X</kbd> | Open the Quick Link menu |
| <kbd>LaunchApp1</kbd> | Open the app that is assigned to this key |
| <kbd>LaunchApp2</kbd> | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator |
| <kbd>LaunchMail</kbd> | Open the default mail client |
For information on how to customize keyboard shortcuts, see [Assigned Access recommendations](recommendations.md#keyboard-shortcuts).
## Remove Assigned Access
Deleting the restricted user experience removes the policy settings associated with the users, but it can't revert all the configurations. For example, the Start menu configuration is maintained.

View File

@ -112,3 +112,32 @@ The deny list is used to prevent the user from accessing the apps, which are cur
1. The default rule is to allow all users to launch the desktop programs signed with *Microsoft Certificate* for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
1. There's a predefined inbox desktop app deny list for the Assigned Access user account, which is updated based on the *desktop app allow list* that you defined in the Assigned Access configuration
1. Enterprise-defined allowed desktop apps are added in the AppLocker allow list
## Keyboard shortcuts
The following keyboard shortcuts are blocked for the user accounts with Assigned Access:
| Keyboard shortcut | Action |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------|
| <kbd>Ctrl</kbd> + <kbd>Shift</kbd> + <kbd>Esc</kbd> | Open Task Manager |
| <kbd>WIN</kbd> + <kbd>,</kbd> (comma) | Temporarily peek at the desktop |
| <kbd>WIN</kbd> + <kbd>A</kbd> | Open Action center |
| <kbd>WIN</kbd> + <kbd>Alt</kbd> + <kbd> D</kbd> | Display and hide the date and time on the desktop |
| <kbd>WIN</kbd> + <kbd>Ctrl</kbd> + <kbd> F</kbd> | Find computer objects in Active Directory |
| <kbd>WIN</kbd> + <kbd>D</kbd> | Display and hide the desktop |
| <kbd>WIN</kbd> + <kbd>E</kbd> | Open File Explorer |
| <kbd>WIN</kbd> + <kbd>F</kbd> | Open Feedback Hub |
| <kbd>WIN</kbd> + <kbd>G</kbd> | Open Game bar when a game is open |
| <kbd>WIN</kbd> + <kbd>I</kbd> | Open Settings |
| <kbd>WIN</kbd> + <kbd>J</kbd> | Set focus to a Windows tip when one is available |
| <kbd>WIN</kbd> + <kbd>O</kbd> | Lock device orientation |
| <kbd>WIN</kbd> + <kbd>Q</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>R</kbd> | Open the Run dialog box |
| <kbd>WIN</kbd> + <kbd>S</kbd> | Open search |
| <kbd>WIN</kbd> + <kbd>Shift</kbd> + <kbd> C</kbd> | Open Cortana in listening mode |
| <kbd>WIN</kbd> + <kbd>X</kbd> | Open the Quick Link menu |
| <kbd>LaunchApp1</kbd> | Open the app that is assigned to this key |
| <kbd>LaunchApp2</kbd> | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator |
| <kbd>LaunchMail</kbd> | Open the default mail client |
For information on how to customize keyboard shortcuts, see [Assigned Access recommendations](recommendations.md#keyboard-shortcuts).
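Review bot: The closing line of the moved section still links to `recommendations.md#keyboard-shortcuts`, and the section now sits under its own `## Keyboard shortcuts` heading. If this file is recommendations.md, the link points at the section it is in and should be dropped or retargeted. The table was also copied with its stray spaces inside `<kbd> D</kbd>`, `<kbd> F</kbd>` and `<kbd> C</kbd>`; clean those up as part of the move.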

View File

@ -33,21 +33,21 @@
items:
- name: What is Microsoft Connected Cache?
href: waas-microsoft-connected-cache.md
- name: MCC for Enterprise and Education
- name: Microsoft Connected Cache for Enterprise and Education
items:
- name: MCC for Enterprise and Education Overview
- name: Connected Cache for Enterprise and Education Overview
href: mcc-ent-edu-overview.md
- name: Requirements
href: mcc-enterprise-prerequisites.md
- name: Deploy Microsoft Connected Cache
href: mcc-enterprise-deploy.md
- name: Update or uninstall MCC
- name: Update or uninstall Connected Cache
href: mcc-enterprise-update-uninstall.md
- name: Appendix
href: mcc-enterprise-appendix.md
- name: MCC for ISPs
- name: Microsoft Connected Cache for ISPs
items:
- name: MCC for ISPs Overview
- name: Connected Cache for ISPs Overview
href: mcc-isp-overview.md
- name: How-to guides
items:
@ -67,7 +67,7 @@
href: mcc-isp-vm-performance.md
- name: Support and troubleshooting
href: mcc-isp-support.md
- name: MCC for ISPs (early preview)
- name: Connected Cache for ISPs (early preview)
href: mcc-isp.md
- name: Endpoints for Microsoft Connected Cache content and services
href: delivery-optimization-endpoints.md

View File

@ -35,7 +35,7 @@ Use this checklist to guide you through different aspects when modifying Deliver
* System resources
* Improve P2P efficiencies
1. Using Connected Cache (MCC)
1. Using Microsoft Connected Cache
1. Choose where to set Delivery Optimization policies
## 1. Prerequisites to allow Delivery Optimization communication
@ -189,7 +189,7 @@ Regardless of P2P, consider setting the following policies to avoid network disr
> [!NOTE]
> The absolute policies are recommended in low bandwidth environments.
## 3. Using Connected Cache (MCC)
## 3. Using Connected Cache
:::image type="content" source="images/do-setup-connected-cache.png" alt-text="Screenshot of Delivery Optimization options when using Connected Cache." lightbox="images/do-setup-connected-cache.png":::
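Review bot: The heading becomes `## 3. Using Connected Cache`, but the checklist entry that points to it was changed to `1. Using Microsoft Connected Cache` in the previous hunk, so the two no longer match. Pick one form for both. Renaming the heading also changes its generated anchor, so check for links that still target the old "(MCC)" heading.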

View File

@ -29,7 +29,7 @@ This article discusses how to troubleshoot Delivery Optimization.
- -HealthCheck: Provides an overall check of the device setup to ensure Delivery Optimization communication is possible on the device.
- -P2P: Provides output specific to P2P settings, efficiency, and errors.
- -MCC: Provides output specific to MCC settings and verifies the client can access the cache server.
- -MCC: Provides output specific to Microsoft Connected Cache settings and verifies the client can access the cache server.
## Common problems and solutions

View File

@ -25,4 +25,4 @@ This file contains the images that are included in this GitHub repository that a
:::image type="content" source="ux-iot-edge-list.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing all three containers running successfully.":::
:::image type="content" source="ux-mcc-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing the MCC container in a failure state.":::
:::image type="content" source="ux-mcc-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing the Microsoft Connected Cache container in a failure state.":::

View File

@ -14,6 +14,6 @@ ms.localizationpriority: medium
1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Subscriptions**. If you don't see **Subscriptions**, type **Subscriptions** in the search bar. As you begin typing, the list filters based on your input.
1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left.
1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service.
1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the Microsoft Connected Cache service.
1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name.
1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value.

View File

@ -32,7 +32,7 @@ landingContent:
url: waas-delivery-optimization.md
- text: What's new in Delivery Optimization
url: whats-new-do.md
- text: Microsoft Connected Cache (MCC) overview
- text: Microsoft Connected Cache overview
url: waas-microsoft-connected-cache.md
@ -63,25 +63,25 @@ landingContent:
url: /mem/intune/configuration/delivery-optimization-windows
# Card
- title: Microsoft Connected Cache (MCC) for Enterprise and Education
- title: Microsoft Connected Cache for Enterprise and Education
linkLists:
- linkListType: deploy
links:
- text: MCC for Enterprise and Education (early preview)
- text: Connected Cache for Enterprise and Education (early preview)
url: waas-microsoft-connected-cache.md
- text: Sign up
url: https://aka.ms/MSConnectedCacheSignup
# Card
- title: Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs)
- title: Microsoft Connected Cache for Internet Service Providers (ISPs)
linkLists:
- linkListType: deploy
links:
- text: MCC for ISPs (public preview)
- text: Connected Cache for ISPs (public preview)
url: mcc-isp-signup.md
- text: Sign up
url: https://aka.ms/MCCForISPSurvey
- text: MCC for ISPs (early preview)
- text: Connected Cache for ISPs (early preview)
url: mcc-isp.md

View File

@ -1,6 +1,6 @@
---
title: MCC for Enterprise and Education Overview
description: Overview, supported scenarios, and content types for Microsoft Connected Cache (MCC) for Enterprise and Education.
title: Microsoft Connected Cache for Enterprise and Education Overview
description: Overview, supported scenarios, and content types for Microsoft Connected Cache for Enterprise and Education.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
@ -23,9 +23,9 @@ ms.date: 05/23/2024
> - Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
> - As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
Microsoft Connected Cache for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. Connected Cache can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. For information about Microsoft Connected Cache in Configuration Manager (generally available, starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache).
Microsoft Connected Cache for Enterprise and Education (early preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. For information about Microsoft Connected Cache in Configuration Manager (generally available, starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache).
## Supported scenarios
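Review bot: The unchanged note directly above the edited paragraphs still reads "Microsoft Connected Cache for Enteprise and Education". This hunk is a naming pass over the same block, so fix the spelling to "Enterprise" here as well.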
@ -47,27 +47,27 @@ For the full list of content endpoints that Microsoft Connected Cache for Enterp
## How it works
MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It's built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC is a Linux IoT Edge module running on the Windows Host OS.
Connected Cache is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It's built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. Connected Cache is a Linux IoT Edge module running on the Windows Host OS.
1. The Azure Management Portal is used to create MCC nodes.
1. The MCC container is deployed and provisioned to the server using the installer provided in the portal.
1. The Azure Management Portal is used to create Connected Cache nodes.
1. The Connected Cache container is deployed and provisioned to the server using the installer provided in the portal.
1. Client policy is set in your management solution to point to the IP address or FQDN of the cache server.
1. Microsoft end-user devices make range requests for content from the MCC node.
1. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
1. Microsoft end-user devices make range requests for content from the Connected Cache node.
1. The Connected Cache node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
1. Subsequent requests from end-user devices for content will now come from cache.
1. If the MCC node is unavailable, the client pulls content from CDN to ensure uninterrupted service for your subscribers.
1. If the Connected Cache node is unavailable, the client pulls content from CDN to ensure uninterrupted service for your subscribers.
The following diagram displays an overview of how MCC functions:
The following diagram displays an overview of how Connected Cache functions:
:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png":::
:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of Connected Cache." lightbox="./images/waas-mcc-diag-overview.png":::
## IoT Edge
Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
Even though your Connected Cache scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated Connected Cache device and performs management and communication operations. The runtime performs several functions important to manage Connected Cache on your edge device:
1. Installs and updates MCC on your edge device.
1. Installs and updates Connected Cache on your edge device.
1. Maintains Azure IoT Edge security standards on your edge device.
1. Ensures that MCC is always running.
1. Reports MCC health and usage to the cloud for remote monitoring.
1. Ensures that Connected Cache is always running.
1. Reports Connected Cache health and usage to the cloud for remote monitoring.
For more information on Azure IoT Edge, see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge).
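Review bot: The last step of the "How it works" list keeps "to ensure uninterrupted service for your subscribers", which is ISP wording in an article titled for Enterprise and Education. Suggest "for your users" or similar while the line is being rewritten.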

View File

@ -1,6 +1,6 @@
---
title: Appendix for MCC for Enterprise and Education
description: This article contains reference information for Microsoft Connected Cache (MCC) for Enterprise and Education.
title: Appendix for Microsoft Connected Cache for Enterprise and Education
description: This article contains reference information for Microsoft Connected Cache for Enterprise and Education.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: reference
@ -49,11 +49,11 @@ To learn more about how to configure Intel and AMD processors to support nested
## Diagnostics Script
If you're having issues with your MCC, we included a diagnostics script. The script collects all your logs and zips them into a single file. You can then send us these logs via email for the MCC team to debug.
If you're having issues with your Microsoft Connected Cache, we included a diagnostics script. The script collects all your logs and zips them into a single file. You can then send us these logs via email for the Connected Cache team to debug.
To run this script:
1. Navigate to the following folder in the MCC installation files:
1. Navigate to the following folder in the Connected Cache installation files:
mccinstaller > Eflow > Diagnostics
@ -66,7 +66,7 @@ To run this script:
1. The script stores all the debug files into a folder and then creates a tar file. After the script is finished running, it will output the path of the tar file, which you can share with us. The location should be **\<currentpath\>**\mccdiagnostics\support_bundle_\$timestamp.tar.gz
1. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process.
1. [Email the Connected Cache team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process.
## IoT Edge runtime
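Review bot: The rewritten "Email the Connected Cache team" step carries over the typo "helpful during out debugging process" (should be "our"). The mailto subject also still encodes the old name (`...%20for%20MCC%20for%20Enterprise`); either update it with the rename or state in the PR that it is kept deliberately.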
@ -82,15 +82,15 @@ communication operations. The runtime performs several functions:
For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge).
## Routing local Windows clients to an MCC
## Routing local Windows clients to a Connected Cache
### Get the IP address of your MCC using ifconfig
### Get the IP address of your Connected Cache using ifconfig
There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC.
There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the Connected Cache.
#### Registry key
You can either set your MCC IP address or FQDN using:
You can either set your Connected Cache IP address or FQDN using:
1. Registry key (version 1709 and later):
`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization`
@ -107,19 +107,19 @@ You can either set your MCC IP address or FQDN using:
`.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost`
1. In Windows (release version 1809 and later), you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the MCC using Group Policy, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. Set the **Cache Server Hostname** to the IP address of your MCC, such as `10.137.187.38`.
1. In Windows (release version 1809 and later), you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the Connected Cache using Group Policy, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. Set the **Cache Server Hostname** to the IP address of your Connected Cache, such as `10.137.187.38`.
:::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png":::
## Verify content using the DO client
To verify that the Delivery Optimization client can download content using MCC, you can use the following steps:
To verify that the Delivery Optimization client can download content using Connected Cache, you can use the following steps:
1. Download a game or application from the Microsoft Store.
:::image type="content" source="./images/ent-mcc-store-example-download.png" alt-text="Screenshot of the Microsoft Store with the game, Angry Birds 2, selected.":::
1. Verify downloads came from MCC by one of two methods:
1. Verify downloads came from Connected Cache by one of two methods:
- Using the PowerShell Cmdlet Get-DeliveryOptimizationStatus you should see *BytesFromCacheServer*.

View File

@ -1,6 +1,6 @@
---
title: Deploying your cache node
description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node from the Azure portal.
description: How to deploy a Microsoft Connected Cache for Enterprise and Education cache node from the Azure portal.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
@ -18,34 +18,34 @@ ms.date: 05/23/2024
# Deploy your cache node
This article describes how to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node.
This article describes how to deploy a Microsoft Connected Cache for Enterprise and Education cache node.
## Steps to deploy MCC
## Steps to deploy Connected Cache
To deploy MCC to your server:
To deploy Connected Cache to your server:
1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id)
1. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure)
1. [Create an MCC Node](#create-an-mcc-node-in-azure)
1. [Create the Connected Cache Resource in Azure](#create-the-connected-cache-resource-in-azure)
1. [Create a Connected Cache Node](#create-a-connected-cache-node-in-azure)
1. [Edit Cache Node Information](#edit-cache-node-information)
1. [Install MCC on a physical server or VM](#install-mcc-on-windows)
1. [Verify MCC functionality](#verify-mcc-server-functionality)
1. [Install Connected Cache on a physical server or VM](#install-connected-cache-on-windows)
1. [Verify Connected Cache functionality](#verify-connected-cache-server-functionality)
1. [Review common Issues](#common-issues) if needed.
### Provide Microsoft with the Azure subscription ID
As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft.
As part of the Connected Cache preview onboarding process an Azure subscription ID must be provided to Microsoft.
> [!IMPORTANT]
> As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id).
### Create the MCC resource in Azure
### Create the Connected Cache resource in Azure
The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes.
The Connected Cache Azure management portal is used to create and manage Connected Cache nodes. An Azure subscription ID is used to grant access to the preview and to create the Connected Cache resource in Azure and Cache nodes.
Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below.
Once you take the survey above and the Connected Cache team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below.
1. In the Azure portal home page, choose **Create a resource**:
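Review bot: The step list now links to `#verify-connected-cache-server-functionality`, but no renamed "Verify ..." heading appears in the visible hunks of this file, unlike the Create and Install headings, which are renamed alongside their links. Confirm that heading was updated too, otherwise the link is dead. Separately, "Once you take the survey above" refers to what the note above it calls a form; use one term.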
@ -56,23 +56,23 @@ Once you take the survey above and the MCC team adds your subscription ID to the
> [!NOTE]
> You won't see Microsoft Connected Cache in the drop-down list. You'll need to type the string and press enter to see the result.
1. Select **Microsoft Connected Cache Enterprise** and choose **Create** on the next screen to start the process of creating the MCC resource.
1. Select **Microsoft Connected Cache Enterprise** and choose **Create** on the next screen to start the process of creating the Connected Cache resource.
:::image type="content" source="./images/ent-mcc-azure-search-result.png" alt-text="Screenshot of the Azure portal search results for Microsoft Connected Cache.":::
:::image type="content" source="./images/ent-mcc-azure-marketplace.png" alt-text="Screenshot of Microsoft Connected Cache Enterprise within the Azure Marketplace.":::
1. Fill in the required fields to create the MCC resource.
1. Fill in the required fields to create the Connected Cache resource.
- Choose the subscription that you provided to Microsoft.
- Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group.
- Choose **(US) West US** for the location of the resource. This choice won't impact MCC if the physical location isn't in the West US, it's just a limitation of the preview.
- Choose **(US) West US** for the location of the resource. This choice won't impact Connected Cache if the physical location isn't in the West US, it's just a limitation of the preview.
> [!IMPORTANT]
> Your MCC resource will not be created properly if you do not select **(US) West US**
> Your Connected Cache resource will not be created properly if you do not select **(US) West US**
- Choose a name for the MCC resource.
- Your MCC resource must not contain the word **Microsoft** in it.
- Choose a name for the Connected Cache resource.
- Your Connected Cache resource must not contain the word **Microsoft** in it.
:::image type="content" source="./images/ent-mcc-azure-create-connected-cache.png" alt-text="Screenshot of the Create a Connected Cache page within the Azure Marketplace.":::
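Review bot: "Your Connected Cache resource must not contain the word **Microsoft** in it" should say "resource name". With the product now spelled out as Microsoft Connected Cache throughout, the current wording is easy to misread. The location bullet also has a comma splice ("..., it's just a limitation of the preview") that is worth splitting into two sentences.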
@ -87,9 +87,9 @@ Once you take the survey above and the MCC team adds your subscription ID to the
:::image type="content" source="./images/ent-mcc-create-cache-failed.png" alt-text="Screenshot of a failed cache deployment due to an incorrect location.":::
### Create an MCC node in Azure
### Create a Connected Cache node in Azure
Creating an MCC node is a multi-step process and the first step is to access the MCC early preview management portal.
Creating a Connected Cache node is a multi-step process and the first step is to access the Connected Cache early preview management portal.
1. After the successful resource creation, select **Go to resource**.
1. Under **Cache Node Management** section on the leftmost panel, select **Cache Nodes**.
@ -112,7 +112,7 @@ Creating an MCC node is a multi-step process and the first step is to access the
If there are errors, the form will provide guidance on how to correct the errors.
Once the MCC node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-mcc-on-windows) section.
Once the Connected Cache node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-connected-cache-on-windows) section.
:::image type="content" source="./images/ent-mcc-connected-cache-installer-download.png" alt-text="Screenshot of the Connected Cache installer download button, installer instructions, and script.":::
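Review bot: The link target changes from `#install-mcc-on-windows` to `#install-connected-cache-on-windows`, which matches the heading renamed later in this file, but the old anchor stops resolving as soon as that heading changes. Check the other articles in the docset for links to `#install-mcc-on-windows` and update them in the same change.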
@ -122,18 +122,18 @@ Cache nodes can be deleted here by selecting the check box to the left of a **Ca
:::image type="content" source="./images/ent-mcc-delete-cache-node.png" alt-text="Screenshot of deleting a cache node from the Cache Nodes page.":::
### Install MCC on Windows
### Install Connected Cache on Windows
Installing MCC on your Windows device is a simple process. A PowerShell script performs the following tasks:
Installing Connected Cache on your Windows device is a simple process. A PowerShell script performs the following tasks:
- Installs the Azure CLI
- Downloads, installs, and deploys EFLOW
- Enables Microsoft Update so EFLOW can stay up to date
- Creates a virtual machine
- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications.
- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by Connected Cache, and port 22 is used for SSH communications.
- Configures Connected Cache tuning settings.
- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge.
- Deploys the MCC container to server.
- Deploys the Connected Cache container to server.
#### Run the installer
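Review bot: The firewall bullet says ports 80 and 22 are opened for inbound and outbound traffic, but it doesn't say which hosts need to reach port 22. While this line is being touched, suggest stating who uses the SSH port so readers can scope the rule to those sources instead of leaving it reachable from the whole network. Separately, "Deploys the Connected Cache container to server" is missing an article ("to the server").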
@ -145,9 +145,9 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
- **installmcc.ps1**: Main installer file.
- **installEflow.ps1**: Installs the necessary prerequisites such as the Linux VM, IoT Edge runtime, and Docker, and makes necessary host OS settings to optimize caching performance.
- **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support MCC control plane.
- **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container, such as cache drive location sizes.
- **updatemcc.ps1**: The update script used to upgrade MCC to a particular version.
- **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support Connected Cache control plane.
- **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the Connected Cache container and configure settings on the container, such as cache drive location sizes.
- **updatemcc.ps1**: The update script used to upgrade Connected Cache to a particular version.
- **mccupdate.json**: Used as part of the update script
1. Open Windows PowerShell as administrator then navigate to the location of these files.
@ -159,7 +159,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
>
> Don't use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported.
1. **If you're installing MCC on a local virtual machine**, turn the virtual machine **off** while you enable nested virtualization and MAC spoofing.
1. **If you're installing Connected Cache on a local virtual machine**, turn the virtual machine **off** while you enable nested virtualization and MAC spoofing.
1. Enable nested virtualization:
```powershell
@ -215,7 +215,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
:::image type="content" source="./images/ent-mcc-script-dynamic-address.png" alt-text="Screenshot of the installer script running in PowerShell asking if you'd like to use a dynamic address." lightbox="./images/ent-mcc-script-dynamic-address.png":::
> [!NOTE]
> Choosing a dynamic IP address might assign a different IP address when the MCC restarts. A static IP address is recommended so you don't have to change this value in your management solution when MCC restarts.
> Choosing a dynamic IP address might assign a different IP address when the Connected Cache restarts. A static IP address is recommended so you don't have to change this value in your management solution when Connected Cache restarts.
The IP address you assign to the EFLOW VM should be within the same subnet as the host server (based on the subnet mask) and not used by any other machine on the network.
For example, for host configuration where the server IP Address is 192.168.1.202 and the subnet mask is 255.255.255.0, the static IP can be anything 192.168.1.* except 192.168.1.202.
@ -239,7 +239,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
<!-- Insert Image 5 -->
:::image type="content" source="./images/memory-storage-5.png" alt-text="Screenshot of multiple installer questions about memory and storage." lightbox="./images/memory-storage-5.png":::
<!-- Remove: If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
<!-- Remove: If this is your first Connected Cache deployment, select **n** so that a new IoT Hub can be created. If you have already configured Connected Cache before, choose **y** so that your Connected Caches are grouped in the same IoT Hub.
1. You'll be shown a list of existing IoT Hubs in your Azure subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"**
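Review bot: The edited line sits inside an HTML comment that begins with "Remove:", so the rename is applied to text that isn't rendered and is already marked for deletion. Suggest deleting the commented-out block rather than maintaining it. If it stays, "your Connected Caches are grouped in the same IoT Hub" reads awkwardly, and "your Connected Cache nodes" would be clearer.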
@ -252,17 +252,17 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
:::image type="content" source="./images/installation-complete-7.png" alt-text="Screenshot of expected output when installation is complete." lightbox="./images/installation-complete-7.png":::
1. Your MCC deployment is now complete.
1. Your Connected Cache deployment is now complete.
If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
- After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
If you don't see any errors, continue to the next section to validate your Connected Cache deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
- After validating your Connected Cache is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your Connected Cache.
- If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
## Verify MCC server functionality
## Verify Connected Cache server functionality
#### Verify client side
Connect to the EFLOW VM and check if MCC is properly running:
Connect to the EFLOW VM and check if Connected Cache is properly running:
1. Open PowerShell as an Administrator.
2. Enter the following commands:
@ -275,7 +275,7 @@ Connect to the EFLOW VM and check if MCC is properly running:
:::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png":::
You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy. If iotedge list times out, you can run docker ps -a to list the running containers.
You should see Connected Cache, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not Connected Cache, try this command in a few minutes. The Connected Cache container can take a few minutes to deploy. If iotedge list times out, you can run docker ps -a to list the running containers.
If the 3 containers are still not running, run the following commands to check if DNS resolution is working correctly:
```bash
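Review bot: In "You should see Connected Cache, edgeAgent, and edgeHub running", the other two items are literal module names as they appear in the `iotedge list` output, so the first item should stay literal too. If the module is still listed as MCC, a reader looking for "Connected Cache" in the output won't find it. Suggest keeping the literal name in code formatting and putting the product name in the surrounding prose. The `iotedge list` and `docker ps -a` commands in the same paragraph would also benefit from code formatting.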
@ -287,7 +287,7 @@ See the [common issues](#common-issues) section for more information.
#### Verify server side
To validate that MCC is properly functioning, execute the following command in the EFLOW VM or any device in the network. Replace <CacheServerIP\> with the IP address of the cache server.
To validate that Connected Cache is properly functioning, execute the following command in the EFLOW VM or any device in the network. Replace <CacheServerIP\> with the IP address of the cache server.
```powershell
wget http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
@ -305,7 +305,7 @@ Similarly, enter the following URL from a browser in the network:
If the test fails, see the [common issues](#common-issues) section for more information.
### Intune (or other management software) configuration for MCC
### Intune (or other management software) configuration for Connected Cache
For an [Intune](/mem/intune/) deployment, create a **Configuration Profile** and include the Cache Host eFlow IP Address or FQDN:
@ -327,7 +327,7 @@ If you're seeing errors similar to this error: `The term Get-<Something> isn't r
**Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)
#### Verify Running MCC Container
#### Verify Running Connected Cache Container
Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands:

View File

@ -1,6 +1,6 @@
---
title: Requirements for MCC for Enterprise and Education
description: Overview of prerequisites and recommendations for using Microsoft Connected Cache (MCC) for Enterprise and Education.
title: Requirements for Microsoft Connected Cache for Enterprise and Education
description: Overview of prerequisites and recommendations for using Microsoft Connected Cache for Enterprise and Education.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
@ -21,14 +21,14 @@ ms.date: 05/23/2024
> [!NOTE]
> As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
## Enterprise requirements for MCC
## Enterprise requirements for Connected Cache
1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services.
1. **Azure subscription**: Connected Cache management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services.
Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription costs you nothing. If you don't have an Azure subscription already, you can create an Azure [pay-as-you-go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
Your Azure subscription ID is first used to provision Connected Cache services, and enable access to the preview. The Connected Cache server requirement for an Azure subscription costs you nothing. If you don't have an Azure subscription already, you can create an Azure [pay-as-you-go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions.
1. **Hardware to host MCC**: The recommended configuration serves approximately 35,000 managed devices, downloading a 2-GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
1. **Hardware to host Connected Cache**: The recommended configuration serves approximately 35,000 managed devices, downloading a 2-GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
> [!NOTE]
> Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations.
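Review bot: The note above the renamed heading still contains the typo "Enteprise" in "Microsoft Connected Cache for Enteprise and Education"; please fix it in this pass. The replaced sentence "Connected Cache management portal is hosted within Azure" also lost its article when the abbreviation was expanded, so suggest "The Connected Cache management portal is hosted within Azure".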
@ -42,13 +42,13 @@ ms.date: 05/23/2024
- Using an SSD is recommended as cache read speed of SSD is superior to HDD
NIC requirements:
- Multiple NICs on a single MCC instance aren't supported.
- Multiple NICs on a single Connected Cache instance aren't supported.
- 1 Gbps NIC is the minimum speed recommended but any NIC is supported.
- For best performance, NIC and BIOS should support SR-IOV.
VM networking:
- An external virtual switch to support outbound and inbound network communication (created during the installation process)
1. **Content endpoints**: If you're using a proxy or firewall, certain endpoints must be allowed through in order for your MCC to cache and serve content. See [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md) for the list of required endpoints.
1. **Content endpoints**: If you're using a proxy or firewall, certain endpoints must be allowed through in order for your Connected Cache to cache and serve content. See [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md) for the list of required endpoints.
## Sizing recommendations

View File

@ -1,6 +1,6 @@
---
title: Uninstall MCC for Enterprise and Education
description: Details on how to uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment.
title: Uninstall Microsoft Connected Cache for Enterprise and Education
description: Details on how to uninstall Microsoft Connected Cache for Enterprise and Education for your environment.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
@ -17,15 +17,15 @@ appliesto:
-<a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
ms.date: 05/23/2024
---
<!-- Customers will no longer update the private preview and instead install public preview
# Update or uninstall Microsoft Connected Cache for Enterprise and Education
Throughout the preview phase, we'll send you security and feature updates for MCC. Follow these steps to perform the update.
Throughout the preview phase, we'll send you security and feature updates for Connected Cache. Follow these steps to perform the update.
## Update MCC
## Update Connected Cache
Run the following command with the **arguments** we provided in the email to update your MCC:
Run the following command with the **arguments** we provided in the email to update your Connected Cache:
```powershell
# .\updatemcc.ps1 version="**\<VERSION\>**" tenantid="**\<TENANTID\>**" customerid="**\<CUSTOMERID\>**" cachenodeid="**\<CACHENODEID\>**" customerkey="**\<CUSTOMERKEY\>**"
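Review bot: The renamed lines under "## Update Connected Cache" are inside the HTML comment that opens with "Customers will no longer update the private preview and instead install public preview", so none of this text is published. Suggest removing the commented-out update section instead of renaming it, which also keeps the `customerkey` command-line example out of the source.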
@ -37,9 +37,9 @@ For example:
# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a"
```
-->
# Uninstall MCC
# Uninstall Microsoft Connected Cache
Contact the MCC Team before uninstalling to let us know if you're facing issues.
Contact the Connected Cache Team before uninstalling to let us know if you're facing issues.
This script removes the following items:
@ -47,9 +47,9 @@ This script removes the following items:
1. IoT Edge
1. Edge Agent
1. Edge Hub
1. MCC
1. Connected Cache
1. Moby CLI
1. Moby Engine
To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT
To delete Connected Cache, go to Control Panel \> Uninstall a program \> Select Azure IoT
Edge LTS \> Uninstall
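Review bot: The section says "This script removes the following items" but no script is named in the visible lines, and the only instruction given is the Control Panel path at the end ("Uninstall a program" then "Azure IoT Edge LTS"). Since the heading and the final sentence are both being edited, suggest either naming the script or rewording the lead-in to "Uninstalling removes the following items". "Connected Cache Team" also has an unnecessary capital on "Team".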

View File

@ -27,8 +27,8 @@ All cache node configuration takes place within Azure portal. This article outli
| Field Name | Expected Value| Description |
| -- | --- | --- |
| **Cache node name** | Alphanumeric string that contains no spaces | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. |
| **Server IP address** | IPv4 address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. |
| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.|
| **Server IP address** | IPv4 address | IP address of your Microsoft Connected Cache server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. |
| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your Connected Cache based on the specifications of your hardware. For example, 10,000 Mbps.|
| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. |
## Storage
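Review bot: The **Server IP address** row now reads "IP address of your Microsoft Connected Cache server" while the **Max allowable egress** row directly below uses "your Connected Cache", and the identical table in the create/provision/deploy article uses "your Connected Cache server" for the same row. Suggest using the short form in both tables so the two articles stay in sync.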
@ -42,6 +42,6 @@ All cache node configuration takes place within Azure portal. This article outli
| Field Name | Expected Value| Description |
| -- | --- | --- |
| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 |
| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the Connected Cache server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 |
| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. |
| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. |

View File

@ -84,7 +84,7 @@ To set up and enable BGP routing for your cache node, follow the steps below:
1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing).
- If you choose **Manual routing**, enter your address range/CIDR blocks.
- If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship. Use your ASN, the one used to sign up for MCC. MCC will be automatically assigned as the same ASN as the neighbor.
- If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship. Use your ASN, the one used to sign up for Microsoft Connected Cache. Connected Cache will be automatically assigned as the same ASN as the neighbor.
> [!NOTE]
> **Prefix count** and **IP Space** will stop displaying `0` when BGP is successfully established.
@ -96,12 +96,12 @@ Once the user executes the cache server provisioning script, resources are creat
#### IoT Edge
IoT Edge performs several functions important to manage MCC on your edge device:
IoT Edge performs several functions important to manage Connected Cache on your edge device:
1. Installs and updates MCC on your edge device.
1. Installs and updates Connected Cache on your edge device.
1. Maintains Azure IoT Edge security standards on your edge device.
1. Ensures that MCC is always running.
1. Reports MCC health and usage to the cloud for remote monitoring.
1. Ensures that Connected Cache is always running.
1. Reports Connected Cache health and usage to the cloud for remote monitoring.
#### Docker container engine
@ -121,7 +121,7 @@ There are five IDs that the device provisioning script takes as input in order t
#### Provision your server
> [!IMPORTANT]
> Have you correctly mounted your disk? Your MCC will not be successfully installed without this important step. Before provisioning your server, ensure your disk is correctly mounted by following the instructions here: [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
> Have you correctly mounted your disk? Your Connected Cache will not be successfully installed without this important step. Before provisioning your server, ensure your disk is correctly mounted by following the instructions here: [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
:::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal.":::
@ -145,8 +145,8 @@ There are five IDs that the device provisioning script takes as input in order t
| Field Name | Expected Value| Description |
|---|---|---|
| **Cache node name** | Alphanumeric string that contains no spaces | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. |
| **Server IP address** | IPv4 address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. |
| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.|
| **Server IP address** | IPv4 address | IP address of your Connected Cache server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. |
| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your Connected Cache based on the specifications of your hardware. For example, 10,000 Mbps.|
| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. |
### Storage fields
@ -164,6 +164,6 @@ There are five IDs that the device provisioning script takes as input in order t
| Field Name | Expected Value| Description |
|---|---|---|
| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 |
| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the Connected Cache server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 |
| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. |
| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. |

View File

@ -28,7 +28,7 @@ sections:
- question: What will Microsoft Connected Cache do for me? How will it impact our customers?
answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs.
- question: I already peer with Microsoft(8075). What benefit will I receive by adding Microsoft Connected Cache to my network?
answer: MCC complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing MCC.
answer: Microsoft Connected Cache complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing Connected Cache.
- question: Is there a non-disclosure agreement to sign?
answer: No, a non-disclosure agreement isn't required.
- question: What are the prerequisites and hardware requirements?
@ -79,7 +79,7 @@ sections:
- question: Is IPv6 supported?
answer: No, we don't currently support IPV6. We plan to support it in the future.
- question: Is Microsoft Connected Cache stable and reliable?
answer: We have already successfully onboarded ISPs in many countries and regions around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers.
answer: We have already successfully onboarded ISPs in many countries and regions around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of Connected Cache before expanding to more customers.
- question: How does Microsoft Connected Cache populate its content?
answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD.
- question: What CDNs does Microsoft Connected Cache pull content from?
@ -99,7 +99,7 @@ sections:
answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender `microsoft-noreply@microsoft.com`.
- question: I noticed I can set up BGP for routing. How does BGP routing work for Microsoft Connected Cache?
answer: BGP routing can be set up as an automatic method of routing traffic. To learn more about how BGP is used with Microsoft Connected Cache, see [BGP Routing](mcc-isp-create-provision-deploy.md#bgp-routing).
- question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned?
answer: Even when the quota of 8k messages is hit, the MCC functionality isn't affected. Your client devices continue to download content as normal. You also won't be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the early preview and isn't an issue during public preview.
- question: I have an active Connected Cache, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my Connected Cache performance and should I be concerned?
answer: Even when the quota of 8k messages is hit, the Connected Cache functionality isn't affected. Your client devices continue to download content as normal. You also won't be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. Connected Cache will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your Connected Cache and the daily quota was reached, your Connected Cache might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the early preview and isn't an issue during public preview.
- question: What do I do if I need more support and have more questions even after reading this FAQ page?
answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md).

View File

@ -1,6 +1,6 @@
---
title: MCC for ISPs Overview
description: Overview of Microsoft Connected Cache for ISPs. Learn about how MCC works, supported scenarios, and supported content.
title: Microsoft Connected Cache for ISPs Overview
description: Overview of Microsoft Connected Cache for ISPs. Learn about how Connected Cache works, supported scenarios, and supported content.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: overview
@ -18,7 +18,7 @@ ms.date: 05/23/2024
# Microsoft Connected Cache for ISPs overview
Microsoft Connected Cache (MCC) for Internet Service Providers (preview) is a free software-only caching solution that delivers Microsoft content. MCC can be deployed free of charge to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
Microsoft Connected Cache for Internet Service Providers (preview) is a free software-only caching solution that delivers Microsoft content. Connected Cache can be deployed free of charge to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, Connected Cache can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
## Supported scenarios
@ -41,40 +41,40 @@ For the full list of content endpoints that Microsoft Connected Cache for ISPs s
### Are you already peering with 8075?
MCC complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing MCC.
Connected Cache complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing Connected Cache.
:::image type="content" source="./media/mcc-isp-overview/mcc-isp-peeringvsmcc.png" alt-text="Chart containing Peering vs Cache Content Traffic." lightbox="./media/mcc-isp-overview/mcc-isp-peeringvsmcc.png":::
## How MCC works
## How Connected Cache works
:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png":::
The following steps describe how MCC is provisioned and used:
The following steps describe how Connected Cache is provisioned and used:
1. The Azure portal is used to create and manage MCC nodes.
1. The Azure portal is used to create and manage Connected Cache nodes.
1. A shell script is used to provision the server and deploy the MCC application.
1. A shell script is used to provision the server and deploy the Connected Cache application.
1. A combination of the Azure portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server.
1. A combination of the Azure portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the Connected Cache server.
- The publicly accessible IPv4 address of the server is configured on the portal.
- **Manual Routing:** Providing the CIDR blocks that represent the client IP address space, which should be routed to the MCC node.
- **Manual Routing:** Providing the CIDR blocks that represent the client IP address space, which should be routed to the Connected Cache node.
- **BGP Routing:** A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the MCC node.
- **BGP Routing:** A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the Connected Cache node.
> [!NOTE]
> Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error.
1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node.
1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding Connected Cache node.
1. Microsoft clients make the range requests for content from the MCC node.
1. Microsoft clients make the range requests for content from the Connected Cache node.
1. An MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
1. A Connected Cache node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
1. Subsequent requests from end-user devices for content will be served from cache.
1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
1. If the Connected Cache node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
### Hardware recommendation
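Review bot: The heading "Are you already peering with 8075?" and the rewritten sentence under it still use the bare number "8075" without saying what it is. Since the line is being touched anyway, spell it out on first use, for example "AS8075 (Microsoft's ASN)", so operators who don't recognise the number can follow the peering comparison. The same sentence also reads better as "served from multiple CDNs" than "served off of multiple CDNs".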

View File

@ -36,7 +36,7 @@ During sign-up, a verification code is sent to your NOC email address present in
#### Unable to re-sign up
Delete any MCC resource that you're using before you resign up for the service. Deleting any existing MCC resource unlocks your ASN, which allows you to successfully sign up.
Delete any Microsoft Connected Cache resource that you're using before you resign up for the service. Deleting any existing Connected Cache resource unlocks your ASN, which allows you to successfully sign up.
### Cache Node Errors
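Review bot: The new line under "Unable to re-sign up" keeps "before you resign up for the service", which reads as "resign" rather than "sign up again" and doesn't match the hyphenated heading. Change it to "re-sign up" (or "sign up again") while the sentence is being edited.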
@ -100,9 +100,9 @@ iotedge check -verbose
## Diagnose and Solve Problems
If this article isn't resolving the issue you're facing with your cache node, you can use the **Diagnose and solve problems** functionality within your MCC resource to continue troubleshooting. **Diagnose and solve problems** contains solutions to most common problems that users might face as they onboard.
If this article isn't resolving the issue you're facing with your cache node, you can use the **Diagnose and solve problems** functionality within your Connected Cache resource to continue troubleshooting. **Diagnose and solve problems** contains solutions to most common problems that users might face as they onboard.
You can find **Diagnose and solve problems** on the left pane within your MCC resource.
You can find **Diagnose and solve problems** on the left pane within your Connected Cache resource.
:::image type="content" source="images/mcc-isp-diagnose-solve.png" alt-text="A screenshot of Azure portal showing the Diagnose and Solve problems tab on the left hand pane of Azure portal." lightbox="images/mcc-isp-diagnose-solve.png":::

View File

@ -33,7 +33,7 @@ To view which version your cache nodes are currently on, navigate to the **Cache
There are two main steps required to uninstall your cache node:
1. Remove your cache node from Azure portal
1. Run the uninstall script to cleanly remove MCC from your server
1. Run the uninstall script to cleanly remove Microsoft Connected Cache from your server
You must complete both steps to ensure a clean uninstall of your cache node.
@ -50,7 +50,7 @@ The **uninstallmcc.sh** script removes the following components:
- IoT Edge
- Edge Agent
- Edge Hub
- MCC
- Connected Cache
- Moby CLI
- Moby engine

View File

@ -49,7 +49,7 @@ Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the *
It can take a few minutes for the container to deploy after you've saved the configuration.
To validate a properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace `<CacheServerIP>` with the IP address of the cache server.
To validate a properly functioning Microsoft Connected Cache, run the following command in the terminal of the cache server or any device in the network. Replace `<CacheServerIP>` with the IP address of the cache server.
```bash
wget http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com

View File

@ -25,7 +25,7 @@ The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install
#### NIC requirements
- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
- Multiple NICs on a single Microsoft Connected Cache instance are supported using a *link aggregated* configuration.
- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
#### Drive performance
@ -55,9 +55,9 @@ Change the following settings to maximize the egress in virtual environments:
1. Enable **Single Root I/O Virtualization (SR-IOV)** in the following three locations:
- The BIOS of the MCC virtual machine
- The network card properties of the MCC virtual machine
- The hypervisor for the MCC virtual machine
- The BIOS of the Connected Cache virtual machine
- The network card properties of the Connected Cache virtual machine
- The hypervisor for the Connected Cache virtual machine
Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment.

View File

@ -1,6 +1,6 @@
---
title: Microsoft Connected Cache for ISPs
description: This article contains details about the early preview for Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs).
description: This article contains details about the early preview for Microsoft Connected Cache for Internet Service Providers (ISPs).
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
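Review bot: The updated `description` still says "early preview", but the body of this same article states that Microsoft Connected Cache for Internet Service Providers "is now in Public Preview". Since the front matter line is being rewritten, align it with the body so search snippets don't advertise a stale program state.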
@ -24,57 +24,57 @@ appliesto:
## Overview
Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads.
Microsoft Connected Cache preview is a software-only caching solution that delivers Microsoft content within operator networks. Connected Cache can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads.
Microsoft Connected Cache is a hybrid application, in that it's a mix of on-premises and cloud resources. It's composed of a Docker-compatible Linux container deployed to your server and a cloud management portal. Microsoft chose Azure IoT Edge as a secure and reliable control plane. For more information on IoT Edge, see the [Appendix](#appendix). Even though your scenario isn't related to IoT, Azure IoT Edge is our secure Linux container deployment and management infrastructure.
## How MCC works
## How Connected Cache works
:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png":::
The following steps describe how MCC is provisioned and used:
The following steps describe how Connected Cache is provisioned and used:
1. The Azure Management Portal is used to create and manage MCC nodes.
1. The Azure Management Portal is used to create and manage Connected Cache nodes.
1. A shell script is used to provision the server and deploy the MCC application.
1. A shell script is used to provision the server and deploy the Connected Cache application.
1. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server.
1. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the Connected Cache server.
- The publicly accessible IPv4 address of the server is configured on the portal.
- **Manual Routing:** Providing the CIDR blocks that represent the client IP address space, which should be routed to the MCC node.
- **Manual Routing:** Providing the CIDR blocks that represent the client IP address space, which should be routed to the Connected Cache node.
- **BGP Routing:** A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the MCC node.
- **BGP Routing:** A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the Connected Cache node.
> [!NOTE]
> Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error.
1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node.
1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding Connected Cache node.
1. Microsoft clients make the range requests for content from the MCC node.
1. Microsoft clients make the range requests for content from the Connected Cache node.
1. An MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
1. A Connected Cache node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
1. Subsequent requests from end-user devices for content will be served from cache.
1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
1. If the Connected Cache node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
## ISP requirements for MCC
## ISP requirements for Connected Cache
Microsoft Connected Cache for Internet Service Providers is now in Public Preview! To get started, visit [Azure portal](https://www.portal.azure.com) to sign up for Microsoft Connected Cache for Internet Service Providers. Please see [Operator sign up and service onboarding for Microsoft Connected Cache](mcc-isp-signup.md) for more information on the requirements for sign up and onboarding.
<!-- ### Azure subscription
The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are *free* services.
The Connected Cache management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are *free* services.
> [!NOTE]
> If you request Exchange or Public peering in the future, business email addresses must be used to register ASNs. Microsoft doesn't accept Gmail or other non-business email addresses.
Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). *Don't submit a trial subscription* as you'll lose access to your Azure resources after the trial period ends.
Your Azure subscription ID is first used to provision Connected Cache services and enable access to the preview. The Connected Cache server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). *Don't submit a trial subscription* as you'll lose access to your Azure resources after the trial period ends.
The resources used for the preview, and in the future when this product is ready for production, will be free to you - like other caching solutions.
### Hardware to host the MCC
### Hardware to host the Connected Cache
This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC.
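Review bot: The heading "### Hardware to host the Connected Cache" carries over the definite article from "the MCC", which no longer fits now that the product name is used; elsewhere in this hunk the name appears without an article ("Connected Cache can be deployed to as many physical servers or VMs as needed"). Suggest "### Hardware to host Connected Cache".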
@ -87,12 +87,12 @@ This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC
#### NIC requirements
- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
- Multiple NICs on a single Connected Cache instance are supported using a *link aggregated* configuration.
- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
### Sizing recommendations
The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. The following recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC.
The Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. The following recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC.
| Component | Minimum | Recommended |
|---|---|---|
@ -102,28 +102,28 @@ The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a
| Memory | 8 GB | 32 GB or greater |
| Cores | 4 | 8 or more | -->
<!-- ## Steps to deploy MCC
<!-- ## Steps to deploy Connected Cache
To deploy MCC:
To deploy Connected Cache:
1. [Provide Microsoft with your Azure subscription ID](#provide-microsoft-with-your-azure-subscription-id)
2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure)
2. [Create the Connected Cache Resource in Azure](#create-the-mcc-resource-in-azure)
3. [Create a Cache Node](#create-an-mcc-node-in-azure)
4. [Configure Cache Node Routing](#edit-cache-node-information)
5. [Install MCC on a physical server or VM](#install-mcc)
6. [Verify properly functioning MCC server](#verify-properly-functioning-mcc-server)
5. [Install Connected Cache on a physical server or VM](#install-mcc)
6. [Verify properly functioning Connected Cache server](#verify-properly-functioning-mcc-server)
7. [Review common issues if needed](#common-issues)
## Provide Microsoft with your Azure subscription ID
As part of the MCC preview onboarding process, an Azure subscription ID must be provided to Microsoft.
As part of the Connected Cache preview onboarding process, an Azure subscription ID must be provided to Microsoft.
> [!IMPORTANT]
> For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](#steps-to-obtain-an-azure-subscription-id).
### Create the MCC resource in Azure
### Create the Connected Cache resource in Azure
The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and cache nodes.
The Connected Cache Azure management portal is used to create and manage Connected Cache nodes. An Azure subscription ID is used to grant access to the preview and to create the Connected Cache resource in Azure and cache nodes.
Operators who have been given access to the program will be sent a link to the Azure portal, which will allow you to create this resource.
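Review bot: The link text in the "Steps to deploy" list is renamed but the fragments still point at the old headings: `#create-the-mcc-resource-in-azure`, `#create-an-mcc-node-in-azure`, `#install-mcc` and `#verify-properly-functioning-mcc-server`. This same commit renames those headings (for example "### Create the Connected Cache resource in Azure" in this hunk), so if anchors are generated from heading text these in-page links will stop resolving. Either update the fragments to match the new headings or add explicit anchors with the old names. Most of this list sits inside an HTML comment, but "## Verify properly functioning Connected Cache server" is live content.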
@ -140,20 +140,20 @@ Operators who have been given access to the program will be sent a link to the A
> [!IMPORTANT]
> Don't select *Connected Cache Resources*, which is different from **Microsoft Connected Cache**.
1. Select **Create** on the next screen to start the process of creating the MCC resource.
1. Select **Create** on the next screen to start the process of creating the Connected Cache resource.
:::image type="content" source="./images/mcc-isp-create.png" alt-text="Screenshot of the Create option for the Microsoft Connected Cache service.":::
1. Fill in the following required fields to create the MCC resource:
1. Fill in the following required fields to create the Connected Cache resource:
- Choose the **Subscription** that you provided to Microsoft.
- Azure resource groups are logical groups of resources. Create a new **Resource group** and choose a name for it.
- Choose **(US) West US** for the **Location** of the resource. This choice won't impact MCC if the physical location isn't in the West US, it's just a limitation of the preview.
- Choose **(US) West US** for the **Location** of the resource. This choice won't impact Connected Cache if the physical location isn't in the West US, it's just a limitation of the preview.
> [!NOTE]
> Your MCC resource won't create properly if you don't select **(US) West US**.
> Your Connected Cache resource won't create properly if you don't select **(US) West US**.
- Specify a **Connected Cache Resource Name**.
@ -173,13 +173,13 @@ If you get the error message "Validation failed" in the Azure portal, it's likel
If you get the error message "Could not create marketplace item" in the Azure portal, use the following steps to troubleshoot:
- Make sure that you've selected **Microsoft Connected Cache** and not *Connected Cache resources* while trying to create an MCC resource.
- Make sure that you've selected **Microsoft Connected Cache** and not *Connected Cache resources* while trying to create a Connected Cache resource.
- Make sure that you're using the same subscription that you provided to Microsoft and you have privileges to create an Azure resource.
- If the issue persists, clear your browser cache and start in a new window.
### Create an MCC node in Azure
### Create a Connected Cache node in Azure
1. After you successfully create the resource, select **Go to resource**.
@ -196,9 +196,9 @@ If you get the error message "Could not create marketplace item" in the Azure po
| Field name | Expected value | Description |
|--|--|--|
| **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. |
| **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. *The IP address must be publicly accessible.* |
| **Max Allowable Egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, `10,000` Mbps. |
| **Address Range/CIDR Blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: `2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24` |
| **Server IP Address** | IPv4 Address | IP address of your Connected Cache server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. *The IP address must be publicly accessible.* |
| **Max Allowable Egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your Connected Cache based on the specifications of your hardware. For example, `10,000` Mbps. |
| **Address Range/CIDR Blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the Connected Cache server as a comma separated list. For example: `2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24` |
| **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests. </br>**Disable** prevents the cache node from receiving content requests. </br>Cache nodes are enabled by default. |
:::image type="content" source="./images/mcc-isp-create-cache-node-fields.png" alt-text="Screenshot of the available fields on the Create Cache Node page.":::
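Review bot: The example for **Address Range/CIDR Blocks** (`2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24`) uses publicly routable prefixes rather than reserved documentation ranges. Since the row is being edited, consider switching to the RFC 5737 blocks (`192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24`) so a copy-pasted example never refers to address space that belongs to a real network. Separately, the **Max Allowable Egress** example `10,000` contains a comma although the expected value is described as an integer.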
@ -213,7 +213,7 @@ If you get the error message "Could not create marketplace item" in the Azure po
| Field name | Description |
|--|--|
| **IP Space** | Number of IP addresses that will be routed to your cache server. |
| **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. |
| **Activation Keys** | Set of keys to activate your cache node with the Connected Cache services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. |
1. Enter the information to create the cache node, and then select **Create**.
@ -229,13 +229,13 @@ See the following example with all information entered:
:::image type="content" source="./images/mcc-isp-create-node-form.png" alt-text="Screenshot of the Create Cache Node page with all information entered.":::
Once you create the MCC node, it will display the installer instructions. For more information on the installer instructions, see the [Install Connected Cache](#install-mcc) section.
Once you create the Connected Cache node, it will display the installer instructions. For more information on the installer instructions, see the [Install Connected Cache](#install-mcc) section.
:::image type="content" source="./images/mcc-isp-success-instructions.png" alt-text="Screenshot of the Cache node successfully created with Connected Cache installer instructions.":::
### IP address space approval
There are three states for IP address space. MCC configuration supports BGP and has automatic routing capabilities.
There are three states for IP address space. Connected Cache configuration supports BGP and has automatic routing capabilities.
- **Valid**: The IP address space is approved.
@ -255,23 +255,23 @@ There are three states for IP address space. MCC configuration supports BGP and
:::image type="content" source="./images/mcc-isp-list-nodes.png" alt-text="Screenshot of the Cache Nodes list in the Azure portal.":::
To modify the configuration for existing MCC nodes in the portal, select the cache node name in the cache nodes list. This action opens the **Cache Node Configuration** page. You can edit the **Server IP Address** or **Address Range/CIDR Blocks** field. You can also enable or disable the cache node.
To modify the configuration for existing Connected Cache nodes in the portal, select the cache node name in the cache nodes list. This action opens the **Cache Node Configuration** page. You can edit the **Server IP Address** or **Address Range/CIDR Blocks** field. You can also enable or disable the cache node.
:::image type="content" source="./images/mcc-isp-node-configuration.png" alt-text="Screenshot of the Cache Node Configuration page, highlighting editable fields.":::
To delete a cache node, select it in the cache nodes list, and then select **Delete** in the toolbar. If you delete a cache node, there's no way to recover it or any of the information related to the cache node. -->
<!-- ## Install MCC
<!-- ## Install Connected Cache
To install MCC on your physical server or VM, you use a Bash script installer, which runs the following tasks:
To install Connected Cache on your physical server or VM, you use a Bash script installer, which runs the following tasks:
- Installs the Moby engine and CLI.
- Installs IoT Edge.
- Installs SSH to support remote access to the server.
- Enables the firewall and opens port 80 for inbound and outbound traffic. The MCC uses port 80.
- Enables the firewall and opens port 80 for inbound and outbound traffic. The Connected Cache uses port 80.
- Configures Connected Cache tuning settings.
- Creates the necessary free Azure resource: IoT Hub/IoT Edge.
- Deploys the MCC container to the server.
- Deploys the Connected Cache container to the server.
> [!IMPORTANT]
> Make sure that the following ports are open so that Microsoft can verify proper functionality of the cache server:
@ -283,7 +283,7 @@ To install MCC on your physical server or VM, you use a Bash script installer, w
> - 5671: IoT Edge communication/container management
> - 8883: IoT Edge communication/container management
### Steps to install MCC
### Steps to install Connected Cache
Before you start, make sure that you have a data drive configured on your server. You'll need to specify the location for this cache drive during this process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
@ -296,8 +296,8 @@ Before you start, make sure that you have a data drive configured on your server
- Diagnostics folder: Used to create diagnostics support bundle.
- **installmcc.sh**: Main installer file.
- **installIotEdge.sh**: Installs the necessary prerequisites. For example, IoT Edge runtime and Docker. It also makes necessary host OS settings to optimize caching performance.
- **resourceDeploymentForConnectedCache.sh**: Creates Azure cloud resources required to support the MCC control plane.
- **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container. It also configures settings on the container like cache drives location and sizes.
- **resourceDeploymentForConnectedCache.sh**: Creates Azure cloud resources required to support the Connected Cache control plane.
- **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the Connected Cache container. It also configures settings on the container like cache drives location and sizes.
- **mccupdate.json**
- **packagever.txt**
- **uninstallmcc.sh**: Main uninstaller file.
@ -345,9 +345,9 @@ Before you start, make sure that you have a data drive configured on your server
1. Specify whether you have an existing IoT Hub.
- If this process is for your *first MCC deployment*, enter `n`.
- If this process is for your *first Connected Cache deployment*, enter `n`.
- If you already have an MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue.
- If you already have a Connected Cache deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue.
:::image type="content" source="./images/mcc-isp-bash-iot-prompt.png" alt-text="Screenshot of the Bash script output with steps for existing IoT Hub." lightbox="./images/mcc-isp-bash-iot-prompt.png":::
@ -355,16 +355,16 @@ Before you start, make sure that you have a data drive configured on your server
1. Enter the number of BGP neighbors you want to configure.
1. Enter the IP address for the neighbor.
1. Enter the ASN corresponding to that neighbor. This value should be the same ASN as the MCC -iBGP connection.
1. Enter the ASN corresponding to that neighbor. This value should be the same ASN as the Connected Cache -iBGP connection.
1. Repeat these steps for each neighbor you need to configure.
> [!NOTE]
> With the BGP configuration, you're essentially setting up an iBGP neighbor in your public ASN. For example, when you initiate the BGP session from the router to the cache node, you would use your own ASN.
1. BGP is now configured from the MCC side. From your end, establish a neighborship from your router to MCC's host machine. Use the IP address of the host machine that's running the MCC container.
1. BGP is now configured from the Connected Cache side. From your end, establish a neighborship from your router to Connected Cache's host machine. Use the IP address of the host machine that's running the Connected Cache container.
1. Make sure there aren't any firewall rules blocking this connection.
1. Verify that the BGP connection has been established and that you're advertising routes to the MCC.
1. Verify that the BGP connection has been established and that you're advertising routes to the Connected Cache.
1. Wait five minutes to refresh the cache node page in the Azure portal to see the BGP routes.
1. Confirm the update is complete by running the following command.
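Review bot: The neighbor ASN step now reads "the same ASN as the Connected Cache -iBGP connection"; the stray space and hyphen before "iBGP" were carried over from the old text and make it unclear what is being referenced. Reword to something like "the same ASN used for the Connected Cache iBGP session". In the same hunk, "establish a neighborship from your router to Connected Cache's host machine" and "advertising routes to the Connected Cache" use the name inconsistently (possessive, then with an article); pick one form.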
@ -373,9 +373,9 @@ Before you start, make sure that you have a data drive configured on your server
sudo iotedge list
```
Make sure MCC is running on the latest version. If you only see **edgeAgent** and **edgeHub**, wait five minutes and run this command again.
Make sure Connected Cache is running on the latest version. If you only see **edgeAgent** and **edgeHub**, wait five minutes and run this command again.
1. Make sure MCC is reachable. Replace `<CacheServerIp>` with the IP address of your MCC or localhost.
1. Make sure Connected Cache is reachable. Replace `<CacheServerIp>` with the IP address of your Connected Cache or localhost.
```bash
wget http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
@ -387,7 +387,7 @@ Before you start, make sure that you have a data drive configured on your server
:::image type="content" source="./images/mcc-isp-use-bgp.png" alt-text="Screenshot of the Cache Node Configuration page with the Prefix Source set to Use BGP.":::
1. If there are no errors, go to the next section to verify the MCC server.
1. If there are no errors, go to the next section to verify the Connected Cache server.
If there are errors:
@ -395,7 +395,7 @@ Before you start, make sure that you have a data drive configured on your server
- For more information, see [Troubleshoot your IoT Edge device](/azure/iot-edge/troubleshoot). -->
## Verify properly functioning MCC server
## Verify properly functioning Connected Cache server
### Verify client side
@ -421,7 +421,7 @@ For example, this command provides the current status of the starting and stoppi
It can take a few minutes for the container to deploy.
To validate a properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace `<CacheServerIP>` with the IP address of the cache server.
To validate a properly functioning Connected Cache, run the following command in the terminal of the cache server or any device in the network. Replace `<CacheServerIP>` with the IP address of the cache server.
```bash
wget http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
@ -511,11 +511,11 @@ To configure the device to work with your DNS, use the following steps:
<!-- ### Diagnostics script
If you're having issues with your MCC, the installer file includes a diagnostics script. The script collects all logs and zips them into a single file.
If you're having issues with your Connected Cache, the installer file includes a diagnostics script. The script collects all logs and zips them into a single file.
To run the script:
1. Navigate to the following folder in the MCC installation files:
1. Navigate to the following folder in the Connected Cache installation files:
`mccinstaller > MccResourceInstall > Diagnostics`
@ -526,15 +526,15 @@ To run the script:
sudo ./collectMccDiagnostics.sh
```
1. The script stores all the debug files into a folder and creates a tar file. After the script is finished running, it displays the path of the tar file that you can share with the MCC team. The file should be `/etc/mccdiagnostics/support_bundle_\$timestamp.tar.gz`
1. The script stores all the debug files into a folder and creates a tar file. After the script is finished running, it displays the path of the tar file that you can share with the Connected Cache team. The file should be `/etc/mccdiagnostics/support_bundle_\$timestamp.tar.gz`
1. [Email the MCC team](mailto:msconnectedcache@microsoft.com?subject=Debugging%20Support%20Request%20for%20MCC) and attach this tar file, asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during the debugging process. -->
1. [Email the Connected Cache team](mailto:msconnectedcache@microsoft.com?subject=Debugging%20Support%20Request%20for%20MCC) and attach this tar file, asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during the debugging process. -->
<!-- ## Updating your MCC
<!-- ## Updating your Connected Cache
Throughout the early preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC.
Throughout the early preview phase, Microsoft will release security and feature updates for Connected Cache. Follow these steps to update your Connected Cache.
Run the following commands, replacing the variables with the values provided in the email to update your MCC:
Run the following commands, replacing the variables with the values provided in the email to update your Connected Cache:
```bash
sudo chmod +x updatemcc.sh
@ -548,20 +548,20 @@ For example:
sudo ./updatemcc.sh version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.981" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99aa"
``` -->
<!-- ### Configure BGP on an Existing MCC
<!-- ### Configure BGP on an Existing Connected Cache
If you have an MCC that's already active and running, follow the steps below to configure BGP.
If you have a Connected Cache that's already active and running, follow the steps below to configure BGP.
1. Run the Update commands as described above.
1. Sign in with your Azure credentials using the device code.
1. To finish configuring your MCC with BGP routing, continue from Step 10 of [Steps to Install MCC](#steps-to-install-mcc). -->
1. To finish configuring your Connected Cache with BGP routing, continue from Step 10 of [Steps to Install Connected Cache](#steps-to-install-mcc). -->
## Uninstalling MCC
## Uninstalling Connected Cache
In the installer zip file, you'll find the file **uninstallmcc.sh**. This script uninstalls MCC and all the related components. Before you run this script, contact the MCC team. Only run it if you're facing issues with MCC installation.
In the installer zip file, you'll find the file **uninstallmcc.sh**. This script uninstalls Connected Cache and all the related components. Before you run this script, contact the Connected Cache team. Only run it if you're facing issues with Connected Cache installation.
> [!WARNING]
> Be cautious before running this script. It will also erase existing IoT workflows in this VM.
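Review bot: The link in the last BGP step now reads "Steps to Install Connected Cache" but still points at `#steps-to-install-mcc`, and this hunk also renames the heading "## Uninstalling MCC", which changes that heading's generated anchor. Please confirm that the target heading of `#steps-to-install-mcc` was not renamed elsewhere in this commit, and check for inbound links to the old `#uninstalling-mcc` anchor (the same applies to every other heading renamed in this file).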
@ -571,7 +571,7 @@ The **uninstallmcc.sh** script removes the following components:
- IoT Edge
- Edge Agent
- Edge Hub
- MCC
- Connected Cache
- Moby CLI
- Moby engine
@ -589,25 +589,25 @@ sudo ./uninstallmcc.sh
<!--Using include file, get-azure-subscription.md, for shared content-->
[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]
### Performance of MCC in virtual environments
### Performance of Connected Cache in virtual environments
In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change the following two settings:
1. Enable **SR-IOV** in the following three locations:
- The BIOS of the MCC VM
- The MCC VM's network card properties
- The hypervisor for the MCC VM
- The BIOS of the Connected Cache VM
- The Connected Cache VM's network card properties
- The hypervisor for the Connected Cache VM
Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment.
2. Enable "high performance" in the BIOS instead of energy savings. Microsoft has found this setting nearly doubled egress in a Microsoft Hyper-V deployment.
### Grant other users access to manage your MCC
### Grant other users access to manage your Connected Cache
More users can be given access to manage Microsoft Connected Cache, even if they don't have an Azure account. Once you've created the first cache node in the portal, you can add other users as **Owners** of the Microsoft Connected Cache resource group and the Microsoft Connected Cache resource.
For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the *MCC resource* and *MCC resource group*.
For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the *Connected Cache resource* and *Connected Cache resource group*.
### Setting up a VM on Windows Server
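Review bot: The unchanged paragraph in this hunk tells readers to add other users as **Owners** of both the resource group and the resource, and the reworded last line repeats that for both scopes without saying why Owner is needed. Since this paragraph is being edited anyway, consider stating whether a narrower role is enough to manage cache nodes, or say explicitly that Owner is required, so readers do not hand out more access than the task needs.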
@ -708,7 +708,7 @@ You can use hardware that will natively run Ubuntu 20.04 LTS, or you can run an
>
> :::image type="content" source="./images/mcc-isp-ubuntu-upgrade.png" alt-text="Screenshot of the Ubuntu install's Upgrade Available prompt with Don't Upgrade selected.":::
Your Ubuntu VM is now ready to install MCC.
Your Ubuntu VM is now ready to install Connected Cache.
### IoT Edge runtime

View File

@ -17,7 +17,7 @@ metadata:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019, and later</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
ms.date: 09/10/2024
ms.date: 10/15/2024
title: Frequently Asked Questions about Delivery Optimization
summary: |
This article answers frequently asked questions about Delivery Optimization.
@ -42,6 +42,7 @@ summary: |
**Peer-to-peer related questions**:
- [How does Delivery Optimization determine which content is available for peering?](#how-does-delivery-optimization-determine-which-content-is-available-for-peering)
- [Where does Delivery Optimization get content from first?](#where-does-delivery-optimization-get-content-from-first)
- [Does Delivery Optimization use multicast?](#does-delivery-optimization-use-multicast)
- [How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?](#how-does-delivery-optimization-deal-with-congestion-on-the-router-from-peer-to-peer-activity-on-the-lan)
- [How does Delivery Optimization handle VPNs?](#how-does-delivery-optimization-handle-vpns)
@ -112,8 +113,8 @@ sections:
For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed.
- question: My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization?
answer: |
Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) (MCC) servers, which are hosted within Internet Service Provider (ISP) networks.
The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible.
Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) servers, which are hosted within Internet Service Provider (ISP) networks.
The network of CDNs and Microsoft Connected Caches allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible.
- question: What is the recommended configuration for Delivery Optimization used with cloud proxies?
answer: |
The recommended configuration for Delivery Optimization peer-to-peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy.
@ -128,6 +129,11 @@ sections:
- question: How does Delivery Optimization determine which content is available for peering?
answer: |
Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots.
- question: Where does Delivery Optimization get content from first?
answer: |
When Delivery Optimization client is configured to use peers and Microsoft Connected Cache, the client connects to both Connected Cache and peers in parallel. There is no prioritization between the two. Once downloading starts in parallel, Delivery Optimization
will taper off requests to the HTTP source (CDN or Connected Cache) when the peer connections are able to reach the target download speed. For background downloads, Delivery Optimization will drop HTTP connections if peers are meeting the minimum QoS speed. To manage delaying the default behavior
there are a collection of policies that can be used. For more information, see [Delivery Optimization delay policies](waas-delivery-optimization-reference.md#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources).
- question: Does Delivery Optimization use multicast?
answer: |
No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
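Review bot: The new answer describes the HTTP source as "(CDN or Connected Cache)", while the reference section it links to describes falling back to the HTTP source when content can't be obtained from Connected Cache or peers, which treats Connected Cache and the HTTP source as different things. Please settle on one meaning of "HTTP source" or qualify it here. Wording in the same answer: "When Delivery Optimization client" needs "the", "there are a collection of policies" should be "there is a collection of policies", and "To manage delaying the default behavior" is hard to parse. The answer is also hard-wrapped mid-sentence inside the `answer: |` block, unlike the single-line answers around it.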

View File

@ -24,7 +24,7 @@ To monitor Delivery Optimization, you can use either the Windows Update for Busi
## Monitor with Windows Update for Business Delivery Optimization report
Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days.
Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache, HTTP source/CDN distribution over the past 28 days.
:::image type="content" source="../update/media/wufb-do-overview.png" alt-text="This screenshot shows the Windows Update for Business report, Delivery Optimization status in Update Compliance." lightbox= "../update/media/wufb-do-overview.png":::
@ -49,7 +49,7 @@ For details, see [Windows Update for Business Delivery Optimization Report](/win
| BytesFromHTTP | Total number of bytes received over HTTP. This metric represents all HTTP sources, **which includes BytesFromCacheServer** |
| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but isn't uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
| Priority | Priority of the download; values are **foreground** or **background** |
| BytesFromCacheServer | Total number of bytes received from cache server (MCC) |
| BytesFromCacheServer | Total number of bytes received from cache server (Connected Cache) |
| BytesFromLanPeers | Total number of bytes received from peers found on the LAN |
| BytesFromGroupPeers | Total number of bytes received from peers found in the group. (Note: Group mode is LAN + Group. If peers are found on the LAN, those bytes are registered in 'BytesFromLANPeers'.) |
| BytesFromInternetPeers | Total number of bytes received from internet peers |

View File

@ -14,7 +14,7 @@ appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
ms.date: 05/23/2024
ms.date: 10/15/2024
---
# Delivery Optimization reference
@ -96,19 +96,19 @@ More options available that control the impact Delivery Optimization has on your
#### Policies to prioritize the use of peer-to-peer and cache server sources
When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to both MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fall back to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source, which is the default behavior.
When Delivery Optimization client is configured to use peers and Microsoft Connected Cache, to achieve the best possible content delivery experience, the client connects to both Connected Cache and peers in parallel. If the desired content can't be obtained from Connected Cache or peers, Delivery Optimization will automatically fall back to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or Connected Cache sources by delaying the immediate fallback to HTTP source, which is the default behavior.
##### Peer-to-peer delay fallback settings
- [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.
##### Microsoft Connected Cache (MCC) delay fallback settings
##### Microsoft Connected Cache delay fallback settings
- [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use a cache server.
- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use a cache server.
- [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use a cache server.
**If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This setting allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server.
**If both peer-to-peer and Connected Cache are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This setting allows Delivery Optimization to discover peers first then recognize the fallback setting for the Connected Cache cache server.
#### System resource usage
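Review bot: The search-and-replace in the bolded paragraph leaves "the Connected Cache cache server" at the end of the last sentence; drop one "cache" (for example "the Connected Cache server"). Replacing the duplicated "Delay background download from HTTP" bullet with the cache server fallback bullet is a content fix and not part of the rename, so it deserves a mention in the commit description.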
@ -245,13 +245,13 @@ The default behaviors differ between Windows 10 and Windows 11. In Windows 10, t
MDM Setting: **DODelayForegroundDownloadFromHttp**
Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't configured.**
Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. **By default, this policy isn't configured.**
### Delay background download from HTTP (in secs)
MDM Setting: **DODelayBackgroundDownloadFromHttp**
Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't configured.**
Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. **By default, this policy isn't configured.**
### Delay foreground download cache server fallback (in secs)
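Review bot: Both delay-policy descriptions lose the sentence "The maximum value is 4294967295 seconds." with nothing in its place, so the page no longer states any upper bound for DODelayForegroundDownloadFromHttp or DODelayBackgroundDownloadFromHttp. If the limit changed, document the new one; if the removal is deliberate, explain it in the commit description, since it is unrelated to the MCC rename. The foreground sentence also still reads "Starting in Windows 10, version 1803, allows you", missing the "this" that the background sentence has.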

View File

@ -24,7 +24,7 @@ ms.date: 05/23/2024
Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is optional.
To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization seamlessly falls back to the HTTP source to get the requested content.
To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache, to achieve the best possible content delivery experience, the client connects to Connected Cache and peers in parallel. If the desired content can't be obtained from Connected Cache or peers, Delivery Optimization seamlessly falls back to the HTTP source to get the requested content.
You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Microsoft Intune/Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled).
@ -47,7 +47,7 @@ The following table lists the minimum Windows 10 version that supports Delivery
#### Windows Client
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache |
|------------------|---------------|----------------|----------|----------------|
| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows 10/11 UWP Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
@ -66,14 +66,14 @@ The following table lists the minimum Windows 10 version that supports Delivery
#### Windows Server
| Windows Server | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |
| Windows Server | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache |
|----------------|--------------------------|----------------|----------|----------------|
| Windows Update | Windows Server 2019 (1809) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Edge Browser Updates | Windows Server 2019 (1809) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
#### Linux (Public Preview)
| Linux ([Public Preview](https://github.com/microsoft/do-client)) | Linux versions | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |
| Linux ([Public Preview](https://github.com/microsoft/do-client)) | Linux versions | HTTP Downloader | Peer to Peer | Microsoft Connected Cache |
|------------------------|----------------|-----------------|--------------|---------------|
| Device Update for IoT Hub | Ubuntu 18.04, 20.04 / Debian 9, 10 | :heavy_check_mark: | | :heavy_check_mark: |
> [!NOTE]

View File

@ -1,6 +1,6 @@
---
title: Microsoft Connected Cache overview
description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution.
description: This article provides information about Microsoft Connected Cache, a software-only caching solution.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: overview
@ -33,16 +33,16 @@ Both products are created and managed in the cloud portal.
> [!NOTE]
> Microsoft Connected Cache for Internet Service Providers is now in public preview. To onboard, follow the instructions in the [Operator sign up and service onboarding](mcc-isp-signup.md) article.
Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. Learn more at [Microsoft Connected Cache for ISPs Overview](mcc-isp-overview.md).
Microsoft Connected Cache for Internet Service Providers is currently in preview. Connected Cache can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, Connected Cache can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. Learn more at [Microsoft Connected Cache for ISPs Overview](mcc-isp-overview.md).
## Microsoft Connected Cache for Enterprise and Education (early preview)
> [!NOTE]
> As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. Learn more at [Microsoft Connected Cache for Enterprise and Education Overview](mcc-ent-edu-overview.md).
Microsoft Connected Cache for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. Connected Cache can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. Learn more at [Microsoft Connected Cache for Enterprise and Education Overview](mcc-ent-edu-overview.md).
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. For Microsoft Connected Cache in Configuration Manager (generally available starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache)
Microsoft Connected Cache for Enterprise and Education (early preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. For Microsoft Connected Cache in Configuration Manager (generally available starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache)
## Next steps
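Review bot: The note in this hunk still spells "Enteprise" in "Microsoft Connected Cache for Enteprise and Education is available"; fix it while the surrounding paragraphs are being touched. The last rewritten paragraph also ends at the Configuration Manager link without a closing period.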

View File

@ -22,9 +22,9 @@ This article contains information about what's new in Delivery Optimization, a p
## Microsoft Connected Cache (early preview)
Microsoft Connected Cache (MCC) is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content within Enterprise networks. Connected Cache can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
For more information about MCC, see [Microsoft Connected Cache overview](waas-microsoft-connected-cache.md).
For more information about Connected Cache, see [Microsoft Connected Cache overview](waas-microsoft-connected-cache.md).
There are two different versions:
@ -39,12 +39,12 @@ There are two different versions:
- -HealthCheck: Provides an overall check of the device setup to ensure Delivery Optimization communication is possible on the device.
- -P2P: Provides output specific to P2P settings, efficiency, and errors.
- -MCC: Provides output specific to MCC settings and verifies the client can access the cache server.
- -MCC: Provides output specific to Connected Cache settings and verifies the client can access the cache server.
### Windows 11 22H2
- New setting: Customize VPN detection by choosing custom keywords. Now, you don't have to rely on Delivery Optimization keywords to detect your VPN. By using the new VpnKeywords setting, you can add keywords for Delivery Optimization to use to detect when a VPN is in use. You can find this configuration **[VPN Keywords](waas-delivery-optimization-reference.md#vpn-keywords)** in Group Policy or MDM under **DOVpnKeywords**.
- New setting: Use the disallow downloads from a connected cache server, when a VPN is detected and you want to prevent the download from the connected cache server. You can find this configuration **[Disallow download from MCC over VPN](waas-delivery-optimization-reference.md#disallow-cache-server-downloads-on-vpn)** in Group Policy or MDM under **DODisallowCacheServerDownloadsOnVPN**.
- New setting: Use the disallow downloads from a connected cache server, when a VPN is detected and you want to prevent the download from the connected cache server. You can find this configuration **[Disallow download from Connected Cache over VPN](waas-delivery-optimization-reference.md#disallow-cache-server-downloads-on-vpn)** in Group Policy or MDM under **DODisallowCacheServerDownloadsOnVPN**.
- Delivery Optimization introduced support for receiver side ledbat (rLEDBAT).
- New setting: Local Peer Discovery, a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** in Group Policy or MDM **DORestrictPeerSelectionBy**. This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization restricts peer selection to peers that are locally discovered (using DNS-SD).
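Review bot: With every "(MCC)" expansion removed across these pages, the `-MCC` switch in this list is no longer explained anywhere nearby, and the same goes for names such as `uninstallmcc.sh` and the `mcc-isp-*.md` links. Keeping the switch name is right, but consider one short mention of what MCC abbreviates (here or in the overview) so the identifiers that keep the old name still make sense.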

Binary file not shown.

Before

Width:  |  Height:  |  Size: 52 KiB

View File

@ -13,7 +13,7 @@ appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server</a>
ms.date: 07/10/2024
ms.date: 10/15/2024
---
# Update Windows installation media with Dynamic Update
@ -84,24 +84,24 @@ Properly updating the installation media involves many actions operating on seve
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding boot manager from WinPE to the new media (28).
|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
|-----------------------------------|-------------------|--------------------------------|------------------|-----------|
|Add servicing stack Dynamic Update | 1 | 9 | 17 | |
|Add language pack | 2 | 10 | 18 | |
|Add localized optional packages | 3 | | 19 | |
|Add font support | 4 | | 20 | |
|Add text-to-speech | 5 | | 21 | |
|Update Lang.ini | | | 22 | |
|Add Features on Demand | | 11 | | |
|Add Safe OS Dynamic Update | 6 | | | |
|Add Setup Dynamic Update | | | | 26 |
|Add setup.exe from WinPE | | | | 27 |
|Add boot manager from WinPE | | | | 28 |
|Add latest cumulative update | | 12 | 23 | |
|Clean up the image | 7 | 13 | 24 | |
|Add Optional Components | | 14 | | |
|Add .NET and .NET cumulative updates | | 15 | | |
|Export image | 8 | 16 | 25 | |
|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
|-------------------------------------------|-------------------|--------------------------------|------------------|-----------|
|Add servicing stack Dynamic Update | 1 | 9 | 17 | |
|Add language pack | 2 | 10 | 18 | |
|Add localized optional packages | 3 | | 19 | |
|Add font support | 4 | | 20 | |
|Add text-to-speech | 5 | | 21 | |
|Update Lang.ini | | | 22 | |
|Add Features on Demand | | 11 | | |
|Add Safe OS Dynamic Update | 6 | | | |
|Add Setup Dynamic Update | | | | 26 |
|Add setup.exe and setuphost.exe from WinPE | | | | 27 |
|Add boot manager from WinPE | | | | 28 |
|Add latest cumulative update | | 12 | 23 | |
|Clean up the image | 7 | 13 | 24 | |
|Add Optional Components | | 14 | | |
|Add .NET and .NET cumulative updates | | 15 | | |
|Export image | 8 | 16 | 25 | |
> [!NOTE]
> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
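Review bot: The `[!NOTE]` in the trailing context of this hunk says "Steps 1, 9, and 18" require the servicing stack update, but the table directly above it lists "Add servicing stack Dynamic Update" as steps 1, 9, and 17, and step 18 is "Add language pack". Since the table is being edited here anyway, correct the note to "Steps 1, 9, and 17" so the note and the sequence agree.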
@ -434,7 +434,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc
### Update WinPE
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe and setuphost.exe for later use, to ensure these versions matches the \sources\setup.exe and \sources\setuphost.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
```powershell
#
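Review bot: The changed sentence "to ensure these versions matches the \sources\setup.exe and \sources\setuphost.exe version" has a subject-verb mismatch and mixes "versions" with "version". Suggest "to ensure these versions match the \sources\setup.exe and \sources\setuphost.exe versions from the installation media". The following sentence, "If these binaries aren't identical, Windows Setup will fail during installation", now applies to both files, so consider naming both there.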
@ -586,7 +586,7 @@ Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\
### Update remaining media files
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe and boot manager files using the previously saved versions from WinPE.
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe, setuphost.exe and boot manager files using the previously saved versions from WinPE.
```powershell
#
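Review bot: In the changed sentence, "setup.exe, setuphost.exe and boot manager files" drops the serial comma that the same paragraph uses in "the latest compatibility database, and replacement component manifests"; suggest "setup.exe, setuphost.exe, and boot manager files". Only the prose is visible in this hunk, so please confirm that the script block that follows also replaces setuphost.exe from the saved WinPE copy.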

View File

@ -8,7 +8,7 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
appliesto:
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
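Review bot: `ms.date` stays at 12/31/2017 in this hunk's context while the other articles in this commit bump theirs (07/10/2024 to 10/15/2024, and 10/04/2024 to 10/25/2024). This file gets a corrected link target and a grammar fix in later hunks, so if the date is meant to track content changes, update it here as well. The visible change to `appliesto:` is whitespace only.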
@ -16,7 +16,7 @@ ms.date: 12/31/2017
# Policies for update compliance, activity, and user experience
Keeping devices up to date is the best way to keep them working smoothly and securely.
Keeping devices up to date is the best way to keep them working smoothly and securely.
## Deadlines for update compliance
@ -94,7 +94,7 @@ options must be **Disabled** in order to take advantage of intelligent active ho
If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update
velocity:
- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following polices to **Disabled**:
- [Delay automatic reboot](waas-restart.md#delay-automatic-restart). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following polices to **Disabled**:
- **Turn off auto-restart during active hours**
- **No auto-restart with logged on users for scheduled automatic updates**
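Review bot: The link target is updated to `waas-restart.md#delay-automatic-restart`, but the link text on the same line still reads "Delay automatic reboot"; rename it to "Delay automatic restart" so it matches the renamed heading in waas-restart.md. The same line also carries the typo "polices" (should be "policies"), which is worth fixing while the line is being changed.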
@ -110,7 +110,7 @@ updates will occur, so we recommend that you set this policy to **Disabled**, to
- [Update/EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-csp-update#update-engagedrestarttransitionschedule)
- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you're using Microsoft Intune, setting the value to [Reset to Default](/mem/intune/protect/windows-update-settings#user-experience-settings).
- **Allow auto Windows Update to download over metered networks**. Since more devices primarily use cellular data and don't have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting doesn't allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they're connected to the internet or not, provided they have cellular service.
- **Allow auto Windows Update to download over metered networks**. Since more devices primarily use cellular data and don't have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting doesn't allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they're connected to the internet or not, provided they have cellular service.
> [!IMPORTANT]
> Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies:
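Review bot: The metered-networks bullet changes only whitespace and keeps the phrase "whether they're connected to the internet or not, provided they have cellular service", which contradicts itself because a cellular connection is an internet connection. Suggest wording along the lines of "whether they're on Wi-Fi or on a metered cellular connection". In the context line above it, "If you're using Microsoft Intune, setting the value to [Reset to Default]" is a sentence fragment; "set the value to" would complete it.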
@ -119,7 +119,7 @@ this value to **10**.
>- [Schedule update installation](waas-restart.md#schedule-update-installation). In the **Configure Automatic Updates** settings, there are two ways to control a forced restart after a specified installation time. If you use **schedule update installation**, do not enable both settings because they will most likely conflict.
> - **Specify automatic maintenance time**. This setting lets you set broader maintenance windows for updates and ensures that this schedule does not conflict with active hours. We
recommend setting this value to **3** (corresponding to 3 AM). If 3:00 AM is in the middle of the work shift, pick another time that is at least a couple hours before your scheduled work time begins.
> - **Schedule the install time**. This setting allows you to schedule an installation time for a restart. We do *not* recommend you set this to **Disabled** as it could conflict with active hours.
> - **Schedule the install time**. This setting allows you to schedule an installation time for a restart. We do *not* recommend you set this to **Disabled** as it could conflict with active hours.
### Power policies
@ -166,7 +166,7 @@ The default timeout on devices that support traditional sleep is set to three ho
## Old or conflicting policies
Each release of Windows client can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions.
Each release of Windows client can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions.
> [!IMPORTANT]
> If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are
@ -174,7 +174,7 @@ Each release of Windows client can introduce new policies to make the experience
As administrators, you have set up and expect certain behaviors, so we expressly don't remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.
> [!IMPORTANT]
> [!IMPORTANT]
> We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up:
> - Windows updates: Group Policy settings take precedence over MDM.
> - Microsoft Intune: If you set different values for the same policy on two different groups, you will
@ -194,4 +194,4 @@ Updates** rather than setting a deferral policy. You can choose a longer period
- **Pause Quality Updates Start Time**. Set to **Disabled** unless there's a known issue requiring time for a resolution.
- **Deadline No Auto Reboot**. Default is **Disabled - Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
There are also additional policies are no longer supported or have been superseded.
There are also additional policies that are no longer supported or have been superseded.

View File

@ -1,6 +1,6 @@
---
title: Manage device restarts after updates
description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows update is installed.
description: Use group policy settings, mobile device management (MDM), or registry to configure when devices will restart after a Windows update is installed.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
@ -14,38 +14,42 @@ ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 10/04/2024
ms.date: 10/25/2024
---
# Manage device restarts after updates
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2)
You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts won't occur, or you can do both.
You can use group policy settings, mobile device management (MDM), or the Windows registry to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts shouldn't occur, or you can do both.
> [!NOTE]
> Directly editing the Windows registry isn't recommended.
## Schedule update installation
In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
In group policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation occurs during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
To set the time, go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then use **Scheduled install time** to enter a time. Alternatively, you can specify that installation occurs during the automatic maintenance time. To configure this alternative method, use **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**.
**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
The setting to **Always automatically restart at the scheduled time** forces a restart after the specified installation time. It lets you configure a timer to warn a signed-in user that a restart is going to occur.
While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur.
While not recommended, you can achieve the same result with the Windows registry. Under `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU`, set `AuOptions` to `4` and set the install time with `ScheduledInstallTime`. Enable `AlwaysAutoRebootAtScheduledTime` and specify the delay in minutes through `AlwaysAutoRebootAtScheduledTimeMinutes`. Similar to group policy, `AlwaysAutoRebootAtScheduledTimeMinutes` sets the timer to warn a signed-in user that a restart is going to occur.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
## Delay automatic reboot
## Delay automatic restart
When **Configure Automatic Updates** is enabled in Group Policy, you can also enable one of the following policies to delay an automatic reboot after update installation:
When you enable **Configure Automatic Updates** in group policy, you can also enable one of the following policies to delay an automatic restart after update installation:
- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device restarts at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device restarts at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4 - Auto download and schedule the install**.
> [!NOTE]
> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted.
> When using Remote Desktop Protocol (RDP) connections, only active RDP sessions are considered signed-in users. Devices that don't have locally signed-in users, or active RDP sessions, are restarted.
You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it overrides this setting.
You can also use the Windows registry, to prevent automatic restarts when a user is signed in. Under `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU`, set `AuOptions` to `4` and enable `NoAutoRebootWithLoggedOnUsers`. As with group policy, if a user schedules the restart in the update notification, it overrides this setting.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
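Review bot: Renaming the heading "Delay automatic reboot" to "Delay automatic restart" changes its anchor, so any inbound link to `#delay-automatic-reboot` stops resolving; check for references beyond the one this commit updates. In the last changed paragraph of the hunk, "You can also use the Windows registry, to prevent automatic restarts" keeps a stray comma after "registry" that was carried over from the old text.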
@ -53,166 +57,177 @@ For a detailed description of these registry keys, see [Registry keys used to ma
*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update occur outside of the active hours.
By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
By default, active hours are from 8 AM to 5 PM on PCs. Users can manually change the active hours.
Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range is counted from the active hours start time.
You can also specify the max active hours range. The specified range is counted from the active hours start time.
Administrators can use multiple ways to set active hours for managed devices:
### Configure active hours with group policy
- You can use Group Policy, as described in the procedure that follows.
- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm).
- While not recommended, you can also configure active hours, as described in [Configuring active hours through Registry](#configuring-active-hours-through-registry).
To configure active hours using group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
### Configuring active hours with Group Policy
:::image type="content" source="images/waas-active-hours-policy.png" alt-text="A screenshot of the group policy setting to 'Turn off auto-restart for updates during active hours' set to Enabled and the default active hours specified." lightbox="images/waas-active-hours-policy.png":::
To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
### Configure active hours with MDM
![Use Group Policy to configure active hours.](images/waas-active-hours-policy.png)
To configure active hours, MDM uses the following settings in the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update):
### Configuring active hours with MDM
- [ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#activehoursstart)
- [ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#activehoursend)
- [ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#activehoursmaxrange)
MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#Update_ActiveHoursEnd) and [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) to configure active hours.
### Configure active hours through the Windows registry
### Configuring active hours through Registry
This method isn't recommended, and should only be used when you can't use Group Policy or MDM.
Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
This method isn't recommended, and should only be used when you can't use group policy or MDM. Any settings configured through the registry might conflict with any existing configuration that uses any of the other methods.
Configure active hours by setting a combination of the following registry values:
Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart** and **ActiveHoursEnd** to specify the range of active hours.
Under `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate` use `SetActiveHours` to enable or disable active hours and `ActiveHoursStart` and `ActiveHoursEnd` to specify the range of active hours.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
>[!NOTE]
>To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
>
>![Change active hours.](images/waas-active-hours.png)
> [!TIP]
> To manually configure active hours on a device, go to **Settings** > **Windows Update** > **Advanced options** and select **Active hours**.
### Configuring active hours max range
### Configure active hours maximum range
With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time.
You can specify the maximum active hours range that users can set. This option gives you flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updates to install. The maximum range is calculated from the active hours start time.
To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**.
To configure the maximum range for active hours through group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the setting to **Specify active hours range for auto-restarts**.
To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange).
To configure the maximum range for active hours through MDM, use [ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#activehoursmaxrange).
## Limit restart delays
After an update is installed, Windows attempts automatic restart outside of active hours. If the restart doesn't succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between 2 and 14.
After Windows installs an update, it attempts to automatically restart outside of active hours. If the restart doesn't succeed after a default period of seven days, the user sees a notification that a restart is required. To change the delay, use the setting to **Specify deadline before auto-restart for update installation**. The minimum value is two days and the maximum value is two weeks (14 days).
## Control restart notifications
### Display options for update notifications
Starting in Windows 10 version 1809, you can define which Windows Update notifications are displayed to the user. This policy doesn't control how and when updates are downloaded and installed. You can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
You can define which Windows Update notifications are displayed to the user. This policy doesn't control how and when updates are downloaded and installed.
**0** (default) - Use the default Windows Update notifications </br>
**1** - Turn off all notifications, excluding restart warnings </br>
**2** - Turn off all notifications, including restart warnings </br>
To configure this behavior through group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the policy for **Display options for update notifications**. Configure the following values:
To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-configuration-service-provider#update-updatenotificationlevel).
- `0` (default): Use the default Windows Update notifications.
- `1`: Turn off most notifications but keep restart warnings.
- `2`: Turn off all notifications including restart warnings.
Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured. <!--6286260-->
To configure this behavior through MDM, use [UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#updatenotificationlevel).
To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours).
Starting in Windows 11, version 22H2, **Apply only during active hours** was added as another option for **Display options for update notifications**. When you select **Apply only during active hours**, the notifications are only disabled during active hours when you use options `1` or `2`. To ensure that the device stays updated, a notification is still shown during active hours if you select **Apply only during active hours**, and once a deadline is reached when you configure [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md). <!--6286260-->
### Auto restart notifications
To configure this behavior through MDM, use [UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#updatenotificationlevel).
Administrators can override the default behavior for the auto restart required notification. By default, this notification dismisses automatically. This setting was added in Windows 10, version 1703.
### Automatic restart notifications
To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
You can override the default behavior for the automatic restart required notification. By default, this notification dismisses automatically.
To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](/windows/client-management/mdm/policy-configuration-service-provider#update-AutoRestartRequiredNotificationDismissal)
- To configure this behavior through group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the policy to **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
You can also configure the period prior to an update that this notification shows up. The default value is 15 minutes.
- To configure this behavior through MDM, use [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-csp-update#autorestartrequirednotificationdismissal).
To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
You can also configure the period before an update that this notification shows up. The default value is 15 minutes.
To change it through MDM, use [**Update/AutoRestartNotificationSchedule**](/windows/client-management/mdm/policy-configuration-service-provider#update-AutoRestartNotificationSchedule).
- To change it through group policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
- To change it through MDM, use [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-csp-update#autorestartnotificationschedule).
In some cases, you don't need a notification to show up.
To do so through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Turn off auto-restart notifications for update installations**.
- To do so through group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the setting to **Turn off auto-restart notifications for update installations**.
To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable).
- To do so through MDM, use [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-csp-update#setautorestartnotificationdisable).
### Scheduled auto restart warnings
### Scheduled automatic restart warnings
Since users aren't able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
Since users aren't able to postpone a scheduled restart once the deadline is reached, you can configure a warning reminder before the scheduled restart. You can also configure a warning before the restart, to notify users once the restart is imminent and allow them to save their work.
To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto restart can be configured by **Warning (mins)**.
To configure both through group policy, find the setting to **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning before an imminent automatic restart can be configured by **Warning (mins)**.
In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleRestartWarning) and the auto restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleImminentRestartWarning).
In MDM, to configure the warning reminder, use [ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#schedulerestartwarning). To configure the automatic restart imminent warning, use [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#scheduleimminentrestartwarning).
### Engaged restart
Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows auto-restarts outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts.
Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows auto-restarts outside of working hours. Once the default seven day period ends, Windows transitions to user scheduled restarts.
The following settings can be adjusted for engaged restart:
* Period of time before auto restart transitions to engaged restart.
* The number of days that users can snooze engaged restart reminder notifications.
* The number of days before a pending restart automatically executes outside of working hours.
You can adjust the following settings for engaged restart:
In Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and pick **Specify Engaged restart transition and notification schedule for updates**.
- Period of time before automatic restart transitions to engaged restart.
In MDM, use [**Update/EngagedRestartTransitionSchedule**](/windows/client-management/mdm/policy-configuration-service-provider#update-EngagedRestartTransitionSchedule), [**Update/EngagedRestartSnoozeSchedule**](/windows/client-management/mdm/policy-configuration-service-provider#update-EngagedRestartSnoozeSchedule) and [**Update/EngagedRestartDeadline**](/windows/client-management/mdm/policy-configuration-service-provider#update-EngagedRestartDeadline) respectively.
- The number of days that users can snooze engaged restart reminder notifications.
## Group Policy settings for restart
- The number of days before a pending restart automatically executes outside of working hours.
In the Group Policy editor, you'll see policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
In group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and use the setting to **Specify engaged restart transition and notification schedule for updates**.
In MDM, use the following policies:
- [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-csp-update#engagedrestarttransitionschedule)
- [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-csp-update#engagedrestartsnoozeschedule)
- [EngagedRestartDeadline](/windows/client-management/mdm/policy-csp-update#engagedrestartdeadline)
## Group policy settings for restart
In the group policy editor, the policy settings for restart behavior are in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
| Policy | Applies to Windows 10 | Notes |
| --- | --- | --- |
| Turn off auto-restart for updates during active hours | Yes | Use this policy to configure active hours, during which the device won't be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| Turn off auto-restart for updates during active hours | Yes | Use this policy to configure active hours, during which the device won't restart. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| Always automatically restart at the scheduled time | Yes | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
| Specify deadline before auto-restart for update installation | Yes | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| No auto-restart with logged on users for scheduled automatic updates installations | Yes | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
| No auto-restart with logged on users for scheduled automatic updates installations | Yes | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when you configure the policy to **Configure Automatic Updates** to schedule the installation. |
| Re-prompt for restart with scheduled installations | No | |
| Delay Restart for scheduled installations | No | |
| Reschedule Automatic Updates scheduled installations | No | |
>[!NOTE]
>You can only choose one path for restart behavior.
>If you set conflicting restart policies, the actual restart behavior may not be what you expected.
>When using RDP, only active RDP sessions are considered as logged on users.
> [!NOTE]
>
> - You can only choose one path for restart behavior.
> - If you set conflicting restart policies, the actual restart behavior may not be what you expected.
> - When using RDP, only active RDP sessions are considered as signed-in users.
## Registry keys used to manage restart
The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10.
**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
The following tables list registry values that correspond to the group policy settings for controlling restarts after updates in Windows 10.
| Registry key | Key type | Value |
| --- | --- | --- |
| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours</br>1: enable automatic restart after updates outside of active hours |
**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
### `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate`
| Registry key | Key type | Value |
| --- | --- | --- |
| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time</br>1: enable automatic reboot after update installation at a scheduled time |
| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates</br>3: automatically download and notify for installation of updates</br>4: Automatically download and schedule installation of updates</br>5: allow the local admin to configure these settings</br>**Note:** To configure restart behavior, set this value to **4** |
| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable don't reboot if users are logged on</br>1: don't reboot after an update installation if a user is logged on</br>**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour </br> starts with 12 AM (0) and ends with 11 PM (23) |
| `ActiveHoursEnd` | `REG_DWORD` | `0-23`: Set active hours to end at a specific hour. </br>It starts with 12 AM (`0`) and ends with 11 PM (`23`). |
| `ActiveHoursStart` | `REG_DWORD` | `0-23`: Set active hours to start at a specific hour. </br>It starts with 12 AM (`0`) and ends with 11 PM (`23`.) |
| `SetActiveHours` | `REG_DWORD` | `0`: Disable automatic restart after updates outside of active hours. </br>`1`: Enable automatic restart after updates outside of active hours. |
### `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU`
| Registry key | Key type | Value |
| --- | --- | --- |
| `AlwaysAutoRebootAtScheduledTime` | `REG_DWORD` | `0`: Disable automatic restart after update installation at the scheduled time. </br>`1`: Enable automatic restart after update installation at a scheduled time. |
| `AlwaysAutoRebootAtScheduledTimeMinutes` | `REG_DWORD` | `15-180`: Set automatic restart to occur after the specified number of minutes. |
| `AUOptions` | `REG_DWORD` | `2`: Notify for download and notify for installation of updates. </br>`3`: Automatically download and notify for installation of updates. </br>`4`: Automatically download and schedule installation of updates. </br>`5`: Allow the local administrator to configure these settings. </br>**Note:** To configure restart behavior, set this value to `4`. |
| `NoAutoRebootWithLoggedOnUsers` | `REG_DWORD` | `0`: If users are signed in, automatically restart ("disable don't reboot"). </br>`1`: If a user is signed in, don't restart after an update installation. </br>**Note:** If disabled (`0`), Automatic Updates notifies the user that the computer is scheduled to automatically restart in five minutes to complete the installation. |
| `ScheduledInstallTime` | `REG_DWORD` | `0-23`: Schedule update installation time to a specific hour. </br>It starts with 12 AM (`0`) and ends with 11 PM (`23`). |
There are three different registry combinations for controlling restart behavior:
- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range.
- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, and **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
- To set active hours:
- `SetActiveHours` should be `1`.
- Then to define the time range, use `ActiveHoursStart` and `ActiveHoursEnd`.
- To schedule a specific installation and restart time:
- `AUOptions` should be `4`.
- `ScheduledInstallTime` should specify the installation time.
- Set `AlwaysAutoRebootAtScheduledTime` to `1`.
- `AlwaysAutoRebootAtScheduledTimeMinutes` should specify the number of minutes to wait before restarting.
- To delay restarting if a user is signed in:
- `AUOptions` should be `4`.
- Set `NoAutoRebootWithLoggedOnUsers` to `1`.
## More resources
- [Overview of Windows as a service](waas-overview.md)
- [Configure Delivery Optimization for Windows updates](../do/waas-delivery-optimization.md)
- [Configure BranchCache for Windows updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Manage Windows 10 and Windows 11 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure)
- [Walkthrough: use group policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Manage Windows software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)
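Review bot: The new `ActiveHoursStart` row ends with "11 PM (`23`.)", with the period inside the parenthesis, while the `ActiveHoursEnd` and `ScheduledInstallTime` rows end with "(`23`)."; move the period outside so the three rows match. In the engaged restart paragraph, "Once the default seven day period ends" drops the hint that the period is adjustable, which the old "(seven days by default)" carried and which the settings list that follows relies on. Keep the "by default" phrasing, or at least hyphenate "seven-day". The reworded table cell "This policy applies only when you configure the policy to **Configure Automatic Updates** to schedule the installation" is also harder to parse than the line it replaces and could be simplified.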

View File

@ -42,12 +42,12 @@ Windows Update for Business reports uses the following Delivery Optimization ter
- HTTP Only (0)
- Simple Mode (99)
- Bypass (100), deprecated in Windows 11
- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache (MCC) out of the total amount of data downloaded.
- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache) out of the total amount of data downloaded.
- If bandwidth savings are <= 60%, a *Warning* icon is displayed
- When bandwidth savings are <10%, an *Error* icon is displayed.
- **Configurations**: Based on the DownloadMode configuration set via MDM, Group Policy, or end-user via the user interface.
- **P2P Device Count**: The device count is the number of devices configured to use peering.
- **Microsoft Connected Cache (MCC)**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md).
- **Microsoft Connected Cache**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md).
- **MCC Device Count**: The device count is the number of devices that have received bytes from the cache server, for supported content types.
- **Total # of Devices**: The total number of devices with activity in last 28 days.
- **LAN Bytes**: Bytes delivered from LAN peers.
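Review bot: The unchanged term "**MCC Device Count**" directly below the edited definition still uses the abbreviation, but this hunk removes the only place where "(MCC)" was spelled out, so the abbreviation is now undefined in this list. Either rename that entry to match the new naming, or keep one expansion of MCC if the report UI still shows that label.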
@ -68,7 +68,7 @@ The calculated values used in the Delivery Optimization report are listed below.
- [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table
- % P2P Efficiency = 100 * (BytesFromPeers + BytesFromGroupPeers) / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- % MCC Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- % Connected Cache Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
**Bytes Calculations**:
@ -88,7 +88,7 @@ The calculated values used in the Delivery Optimization report are listed below.
- Volume by P2P = BytesFromPeers + BytesFromGroupPeers
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- Volume by MCC = BytesFromCache
- Volume by Connected Cache = BytesFromCache
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- Volume by CDN = BytesFrom CDN
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
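Review bot: The context line "Volume by CDN = BytesFrom CDN", just below the renamed entry, has a stray space in the field name. The schema tables in this same commit list the column as `BytesFromCDN`, so this is worth fixing while the neighbouring line is being touched. Otherwise a reader copying the formula into a query gets an invalid column reference.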
@ -150,7 +150,7 @@ DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount
### Delivery Optimization Supported Content Types
There are many Microsoft [content types](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization) that are supported by Delivery Optimization. All of these content types show up in the 'Content Distribution' section in the Delivery Optimization report. See the [complete table](waas-delivery-optimization.md#windows-client) for P2P/MCC support types.
There are many Microsoft [content types](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization) that are supported by Delivery Optimization. All of these content types show up in the 'Content Distribution' section in the Delivery Optimization report. See the [complete table](waas-delivery-optimization.md#windows-client) for P2P/Connected Cache support types.
| Content Category | Content Types Included |
| --- | --- |

View File

@ -27,7 +27,7 @@ UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records acro
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache. |
| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. |
| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. |

View File

@ -1,7 +1,7 @@
---
title: UCDOStatus data schema
titleSuffix: Windows Update for Business reports
description: UCDOStatus schema for Windows Update for Business reports. UCDOStatus provides information, for a single device, on its DO and MCC bandwidth utilization.
description: UCDOStatus schema for Windows Update for Business reports. UCDOStatus provides information, for a single device, on its DO and Microsoft Connected Cache bandwidth utilization.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: reference
@ -27,7 +27,7 @@ UCDOStatus provides information, for a single device, on its bandwidth utilizati
| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
| **BWOptPercent7Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.|
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache. |
| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. |
| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. |

View File

@ -180,8 +180,8 @@ The **Delivery Optimization** tab provides a summarized view of bandwidth effici
At the top of the report, tiles display the following information:
- Total bandwidth savings percentage
- The percentage of the saved bandwidth broken down by peer-to-peer and MCC
- Device counts showing percentages of bytes delivered between peer-to-peer and MCC
- The percentage of the saved bandwidth broken down by peer-to-peer and Microsoft Connected Cache
- Device counts showing percentages of bytes delivered between peer-to-peer and Connected Cache
- The breakdown of total downloaded GBs.
The Delivery Optimization tab is further divided into the following groups:

View File

@ -81,10 +81,8 @@ If Windows Autopatch detects a significant issue with a release, we might decide
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** from the left navigation menu.
1. Under the **Manage updates** section, select **Windows updates**.
1. In the **Windows updates** blade, select the **Quality updates** tab.
1. Select the Autopatch group or deployment ring that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group or deployment ring you want to pause or resume. Select, **Pause, or **Resume** from the dropdown menu.
1. Optional. Enter the justification about why you're pausing or resuming the selected update.
1. Optional. Select **This pause is related to Windows Update**. When you select this checkbox, you must provide information about how the pause is related to Windows Update.
1. In the **Windows updates** blade, select the **Update rings** tab.
1. Select the Autopatch group or deployment ring that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group or deployment ring you want to pause or resume. Select, **Pause**, or **Resume** from the dropdown menu.
1. If you're resuming an update, you can select one or more Autopatch groups or deployment rings.
1. Select **Pause or Resume deployment**.
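Review bot: The corrected step still reads "Select, **Pause**, or **Resume** from the dropdown menu." with a stray comma after "Select"; it should be "Select **Pause** or **Resume** from the dropdown menu." The same step also repeats "the Autopatch group or deployment ring you want to pause or resume" twice and could be split into two shorter sentences. Since the two optional justification steps are removed and the tab changes from **Quality updates** to **Update rings**, a short line in the commit message stating that this follows a UI change would help future reviewers.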

View File

@ -4,7 +4,7 @@ description: Application Control restricts which applications users are allowed
ms.localizationpriority: medium
ms.collection:
- tier3
ms.date: 09/11/2024
ms.date: 10/25/2024
ms.topic: overview
---
@ -30,9 +30,9 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
## App Control and Smart App Control
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on App Control, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on App Control. App control enables enterprise customers to create a policy that offers the same security and compatibility as Smart App Control with the capability to customize policies to run line-of-business (LOB) apps. To make it easier to implement policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect.
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect.
| Value | Description |
|-------|-------------|

View File

@ -16,13 +16,13 @@ This article describes how to deploy App Control for Business policies using scr
You should now have one or more App Control policies converted into binary form. If not, follow the steps described in [Deploying App Control for Business policies](appcontrol-deployment-guide.md).
> [!IMPORTANT]
> Due to a known issue, you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
> Due to a known issue in Windows 11 updates earlier than 2024 (24H2), you should always activate new **signed** App Control Base policies with a reboot on systems with [**memory integrity**](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
>
> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
## Deploying policies for Windows 11 22H2 and above
## Deploying policies for Windows 11 22H2 and above, and Windows Server 2025 and above
You can use the inbox [CiTool](../operations/citool-commands.md) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **&lt;Path to policy binary file to deploy&gt;** in the following example with the actual path to your App Control policy binary file.
You can use the inbox [CiTool](../operations/citool-commands.md) to deploy signed and unsigned policies on Windows 11 22H2 and Windows Server 2025 with the following commands. Be sure to replace `<Path to policy binary file to deploy>` in the following example with the actual path to your App Control policy binary file.
```powershell
# Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = <PolicyId> from the Policy XML)
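Review bot: The scope of the known issue is hard to read in "Windows 11 updates earlier than 2024 (24H2)", and it names only Windows 11 even though the heading changed in this hunk now covers Windows Server 2025 as well. Suggest wording such as "in versions of Windows 11 earlier than the 2024 Update (24H2)" and stating whether Windows Server 2025 is affected. The intro sentence also says "on Windows 11 22H2 and Windows Server 2025" while the heading says "and above" for both; align the two so readers on later releases know the CiTool steps apply to them.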
@ -58,7 +58,7 @@ To use this procedure, download and distribute the [App Control policy refresh t
## Deploying policies for all other versions of Windows and Windows Server
Use WMI to apply policies on all other versions of Windows and Windows Server.
Use WMI to deploy policies on all other versions of Windows and Windows Server.
1. Initialize the variables to be used by the script.
@ -82,7 +82,7 @@ Use WMI to apply policies on all other versions of Windows and Windows Server.
## Deploying signed policies
If you're using [signed App Control policies](use-signed-policies-to-protect-appcontrol-against-tampering.md), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned App Control policies don't need to be present in the EFI partition.
If you're using [signed App Control policies](use-signed-policies-to-protect-appcontrol-against-tampering.md), the policies must be deployed into your device's EFI partition.
1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt:
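Review bot: The shortened sentence "the policies must be deployed into your device's EFI partition" drops "in addition to the locations outlined in the earlier sections", so it can be read as saying the EFI partition is the only location for a signed policy. The IMPORTANT note earlier in this file still tells readers to copy the binary to "the correct system32 and EFI locations", so the two statements no longer agree. Keep the "in addition to" clause, and consider retaining the removed sentence about unsigned policies not needing the EFI copy, since it tells admins when these steps can be skipped.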

View File

@ -15,15 +15,17 @@ ms.topic: how-to
There may come a time when you want to remove one or more App Control policies, or remove all App Control policies you've deployed. This article describes the various ways to remove App Control policies.
> [!IMPORTANT]
> **Signed App Control policy**
> **Signed Base App Control policy**
>
> If the policy you are trying to remove is a signed App Control policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**.
> If the base policy you are trying to remove is a signed App Control policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**.
>
> The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include \<UpdatePolicySigners\>.
>
> To take effect, this policy must be signed with a certificate included in the \<UpdatePolicySigners\> section of the original policy you want to replace.
>
> You must then restart the computer so that the UEFI protection of the policy is deactivated. ***Failing to do so will result in a boot start failure.***
>
> Signed supplemental App Control policies can be removed in the same manner as unsigned policies, without the need to follow the aforementioned steps
Before removing any policy, you must first disable the method used to deploy it (such as Group Policy or MDM). Otherwise, the policy may redeploy to the computer.
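Review bot: The added last line of the IMPORTANT block, "Signed supplemental App Control policies can be removed in the same manner as unsigned policies, without the need to follow the aforementioned steps", is missing its final period. The new title "Signed Base App Control policy" also uses a different word order and capitalization from "signed App Control Base policies" used in the deployment article in this same commit; pick one form. Because a mistake here leads to the boot start failure called out above, it would also help to say "the steps above for signed base policies" instead of "the aforementioned steps".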
@ -35,9 +37,6 @@ To make a policy effectively inactive before removing it, you can first replace
4. Allow all COM objects. See [Allow COM object registration in an App Control policy](../design/allow-com-object-registration-in-appcontrol-policy.md#examples);
5. If applicable, remove option **0 Enabled:UMCI** to convert the policy to kernel mode only.
> [!IMPORTANT]
> After you remove a policy, restart the computer for it to take effect. You can't remove App Control policies without restarting the device.
### Remove App Control policies using CiTool.exe
Beginning with the Windows 11 2022 Update, you can remove App Control policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the App Control policy you want to remove:
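Review bot: Deleting the general IMPORTANT note ("After you remove a policy, restart the computer for it to take effect...") removes restart guidance for every removal method, while the replacement note in the next hunk covers only unsigned policies removed with CiTool.exe on the Windows 11 2024 update. Signed policies, and removals on earlier Windows versions by other methods, still need the restart according to that note's own wording. Suggest keeping a scoped version of the general note here, stating when a restart is still required, instead of removing it outright.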
@ -46,7 +45,8 @@ Beginning with the Windows 11 2022 Update, you can remove App Control policies u
CiTool.exe -rp "{PolicyId GUID}" -json
```
Then restart the computer.
> [!NOTE]
> Beginning with the Windows 11 2024 update, unsigned policies can be removed using CiTool.exe without requiring a restart. In previous versions of Windows, however, a restart is required to complete the removal process.
### Remove App Control policies using MDM solutions like Intune
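Review bot: The new NOTE writes "Windows 11 2024 update" with a lowercase "update", while the unchanged paragraph just above uses "Windows 11 2022 Update"; use one form. The note also says only that unsigned policies no longer need a restart and leaves the signed case implicit. Since "Then restart the computer." is removed from directly under the command, add a sentence stating that signed policies still require a restart so the step isn't missed.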

View File

@ -72,11 +72,11 @@ Represents why verification failed, or if it succeeded.
| 19 | Binary is revoked based on its file hash. |
| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy. |
| 21 | Failed to pass App Control for Business policy. |
| 22 | Not Isolated User Mode (IUM)) signed; indicates an attempt to load a standard Windows binary into a virtualization-based security (VBS) trustlet. |
| 22 | Not Isolated User Mode (IUM) signed; indicates an attempt to load a standard Windows binary into a virtualization-based security (VBS) trustlet. |
| 23 | Invalid image hash. This error can indicate file corruption or a problem with the file's signature. Signatures using elliptic curve cryptography (ECC), such as ECDSA, return this VerificationError. |
| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS. |
| 25 | Anti-cheat policy violation. |
| 26 | Explicitly denied by WADC policy. |
| 26 | Explicitly denied by App Control policy. |
| 27 | The signing chain appears to be tampered/invalid. |
| 28 | Resource page hash mismatch. |
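Review bot: With row 26 changed to "Explicitly denied by App Control policy", rows 21 and 26 now name the product differently ("App Control for Business policy" in 21, "App Control policy" in 26). Pick one form for the table. It would also help to make the distinction between the two codes explicit, since "Failed to pass" and "Explicitly denied" read as near-synonyms without it.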
@ -127,35 +127,34 @@ Next, use the bit addresses and their values from the following table to determi
| 23 | `Enabled:Advanced Boot Options Menu` |
| 24 | `Disabled:Script Enforcement` |
| 25 | `Required:Enforce Store Applications` |
| 27 | `Enabled:Managed Installer` |
| 27 | `Enabled:Managed Installer` |
| 28 | `Enabled:Update Policy No Reboot` |
## Microsoft Root CAs trusted by Windows
The rule means trust anything signed by a certificate that chains to this root CA.
The Microsoft Root certificates can be allowed and denied in policy using 'WellKnown' rules. The mapping between the root's ASN1 encoded RSA PKCS#1 public key and the WellKnown values, expressed in hexidecimal, are listed below
| Root ID | Root Name |
| Root ID | Root Name | Root Public Key |
|---|----------|
| 0| None |
| 1| Unknown |
| 2 | Self-Signed |
| 3 | Microsoft Authenticode(tm) Root Authority |
| 4 | Microsoft Product Root 1997 |
| 5 | Microsoft Product Root 2001 |
| 6 | Microsoft Product Root 2010 |
| 7 | Microsoft Standard Root 2011 |
| 8 | Microsoft Code Verification Root 2006 |
| 9 | Microsoft Test Root 1999 |
| 10 | Microsoft Test Root 2010 |
| 11 | Microsoft DMD Test Root 2005 |
| 12 | Microsoft DMDRoot 2005 |
| 13 | Microsoft DMD Preview Root 2005 |
| 14 | Microsoft Flight Root 2014 |
| 15 | Microsoft Third Party Marketplace Root |
| 16 | Microsoft ECC Testing Root CA 2017 |
| 17 | Microsoft ECC Development Root CA 2018 |
| 18 | Microsoft ECC Product Root CA 2018 |
| 19 | Microsoft ECC Devices Root CA 2017 |
| 0| None | N/A |
| 1| Unknown | N/A |
| 2 | Self-Signed | N/A |
| 3 | Microsoft Authenticode(tm) Root Authority | `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` |
| 4 | Microsoft Product Root 1997 | `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` |
| 5 | Microsoft Product Root 2001 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100F35DFA8067D45AA7A90C2C9020D035083C7584CDB707899C89DADECEC360FA91685A9E94712918767CC2E0C82576940E58FA043436E6DFAFF780BAE9580B2B93E59D05E3772291F734643C22911D5EE10990BC14FEFC755819E179B70792A3AE885908D89F07CA0358FC68296D32D7D2A8CB4BFCE10B48324FE6EBB8AD4FE45C6F139499DB95D575DBA81AB79491B4775BF5480C8F6A797D1470047D6DAF90F5DA70D847B7BF9B2F6CE705B7E11160AC7991147CC5D6A6E4E17ED5C37EE592D23C00B53682DE79E16DF3B56EF89F33C9CB527D739836DB8BA16BA295979BA3DEC24D26FF0696672506C8E7ACE4EE1233953199C835084E34CA7953D5B5BE6332594036C0A54E044D3DDB5B0733E458BFEF3F5364D842593557FD0F457C24044D9ED6387411972290CE684474926FD54B6FB086E3C73642A0D0FCC1C05AF9A361B9304771960A16B091C04295EF107F286AE32A1FB1E4CD033F777104C720FC490F1D4588A4D7CB7E88AD8E2DEC45DBC45104C92AFCEC869E9A11975BDECE5388E6E2B7FDAC95C22840DBEF0490DF813339D9B245A5238706A5558931BB062D600E41187D1F2EB597CB11EB15D524A594EF151489FD4B73FA325BFCD13300F95962700732EA2EAB402D7BCADD21671B30998F16AA23A841D1B06E119B36C4DE40749CE15865C1601E7A5B38C88FBB04267CD41640E5B66B6CAA86FD00BFCEC1350203010001`|
| 6 | Microsoft Product Root 2010 | `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`|
| 7 | Microsoft Standard Root 2011 | `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`|
| 8 | Microsoft Code Verification Root 2006 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100BD77C91C7F157838C50743215AFBE4CC3BC65531FC2189B1BCE7019CFB90BE20115576A74D02E7B2F42E8DEFB2874656CA47CEC8C363E308034B9606B9702244E64B7B443F75B7B8A62B910841EF4B0759D6A4199DF6CBA4BB8E02654DCADE0FB49022F1B56B5C22F6CAF938AA280B062D3C198DB7355F83EDDD65738446929F44E2894A8CD598A76D3DE819CB44AD180BEA5C5F7C0BC39A936844F3B6BF979930723F2859D070C8055778F54A82340A24C17AB064A53A6E12D5036138BB0E2DFD859CD648756A1CB2A2E891FAB7E4F53C5FFDC940ACC7A042F574D8B9DBD7FE73771AE0C4B709B1059A6DE35E8038757852B612D379AE43F765A7D1166469858F783AB894BF4512625A4D8748D6F819BC590106F51ADB60299F013F6E73F9FD8045CE95D78AF6920CC173402C6DAA32A6F17F30F890F1AE4527B9B40E3002BDC60EEC3C8C5BB63485CF140B0C500DA9E259912EA80139F42C15630480B840DF62F7FEB74C13A82CA966133862FC4070627B7577D52B8E1BA599E5B9B7C7ADEA01A0257B5846525654A2C9922B581D4851C01FFE3700D1E2AB10C2A959E942996E8FB51E4766741E98765757045EBD2F8593D50E0B9F2E7B2664A78612095063E7D1C78E7E0E3B07E7BBE4CD1A40D47ABA05594AD6D0EEDC965E224A271C45E3DEDAB2E9D343FDE96FC0C97D1FFD9F909C862008CC74DC40A729B3AB58656BB10203010001`|
| 9 | Microsoft Test Root 1999 | `3081DF300D06092A864886F70D01010105000381CD003081C90281C100A9AA83586DB5D30C4B5B8090E5C30F280C7E3D3C24C52956638CEEC7834AD88C25D30ED312B7E1867274A78BFB0F05E965C19BD856C293F0FBE95A48857D95AADF0186B733334656CB5B7AC4AFA096533AE9FB3B78C1430CC76E1C2FD155F119B23FF8D6A0C724953BC845256F453A464FD2278BC75075C6805E0D9978617739C1B30F9D129CC4BB327BB24B26AA4EC032B02A1321BEED24F47D0DEAAA8A7AD28B4D97B54D64BAFB46DD696F9A0ECC5377AA6EAE20D6219869D946B96432D4170203010001`|
| 0A | Microsoft Test Root 2010 | `30820222300D06092A864886F70D01010105000382020F003082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
| 0B | Microsoft DMD Test Root 2005 | `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`|
| 0C | Microsoft DMDRoot 2005 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100BCFD36D32F1C7CBAC60458F2AB30A3F17DD4B983EF72DB009CCFE65F0CF144BE62225D2F77507CD68539FE7AAE991EC8B3F9C73CC0228DC7A7F9ED87E841ACE42DF2804E148BB4F5250B948D6FB42982CFE69EFDF79FE5B828B7366B2F6D00A449BF78814FA8069433D0D55720A8728BFED7F5632C8D44E960FE2FF539B625069E04C34D952ED52205304A4122610D5A24F0DF636C7FD8D2F69EF35E76E7B4BDBB9589F20AD44E73BD917E46103D2749427489C4E8AAA3A7407785A27F4626CCC6C0CBC3F2B88121A3BB68F3E2E57EF47C7107EBC10AF5DC038C510BE9C71373C1349EABD28E665811A57441CBD2D9E47480F089CB459896D7DB0815A598446CE223785693BC122A854CC29FD15917A1161025FAE7BD141A56F44E396FF563A256C50B7C9FD6F0B068151C6B367171F83983762354F755BC16E30CBC218BDE6DE9EB943D5440C3D320B0AF96BBE7C3B89DFBEEDC9B7153830D9A9FA6B3D216ACEAC8801D8D24243C8291463C497290BA698FBA7A30DDF6A6F13D68E537ED1A43528F19D71A52528CD80FB26428A5ABA70E04A267AA650B666FF696B2905FA5ECAE9BB3B984536DBC5FBE647036E6EE1DD17EB58AE4A137E8DB3E8FC2FDEAE9E35F74B494FCA0206E8FD396146BFBF56AD8122636955F1C7516AD18E50C9AC53774EC0CC367044FD6DAA68096D1263713BD7A0F21892B33B3189B3B37FDE451170203010001`|
| 0D | Microsoft DMD Preview Root 2005 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100C3FF519F7576E65C5B6C6EBBB50760626E065740611131724066A5CE94519D702061FCE3C43A49BB6690D5BF94AFEB506B90F3AE5432F01A8AB0EFB064A7CC5EDCEDA6F8DA0FF0430A84B65AC746A1B4D8108CB74924F5FC6F7A4CD1232433E2554EC9778248C08FFDA9F89C189C5A23C608E68CD5C917954E424FA35F3F3649012BA2A1EC4C84FFC182E9B1F2E83773BAA7795AF85A421FDC904665DCE74FC8B3B9501C267F2B7E96790F170EC951E88BEC1E9D425C2DE4907722E6E8411265380A79D128255E67B79B393F76372FB388204E365FF7E952218B5D694CF0146BFFEAD4E8A5E82364E7AACE73E8F5DF25753A0446802321AFC923C322B2631D7B6364FA95FEE16191EBCD2F8755C61DF17B44DABD736FFEE5846569785AE835D35A893968487BB49890DA9FC166E87D5672EA9F73647A2BD0B4F340F0037226F6A0C500B721CC4B9B5E1756A1DA9B45B3B61E300DFFC85F13590147A57AB51950628FFD18ABA29A7CC5EF83CD5A1F00FDC8E854A5B9AEC755B5C572196A370D15A5736C1B9C772DA34B88C338E69044581C54F2EE23048ABAB7D5FEEF22C037163DCFE6D4E35CB088C5AFCA850ADF675CDB5E063412B262A912D0A1E25984BC5FEBFF0194F49A8B388DFD3C5EC02C31062B35D56F04BD1B3F29CE55113785FFAA000778EF5D080E911FF3432187AF0AD7786141429523F274EA749383187A47CF0203010001`|
| 0E | Microsoft Flight Root 2014 | `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`|
| 0F | Microsoft Third Party Marketplace Root | `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`|
| 14 | Microsoft Trusted Root Store | N/A |
| 15 | Microsoft OEM Root Certificate Authority 2017 | `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`|
| 16 | Microsoft Identity Verification Root Certificate Authority 2020 | `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`|
For well-known roots, the TBS hashes for the certificates are baked into the code for App Control for Business. For example, they don't need to be listed as TBS hashes in the policy file.
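Review bot: The new header row `| Root ID | Root Name | Root Public Key |` has three columns, but the separator row beneath it is still `|---|----------|` with two, so the table won't render correctly; add a third separator cell. The Root ID column also mixes notations: rows 0 to 9 look decimal, then 0A to 0F are hex, and 14, 15, 16 are ambiguous next to the old decimal 16 to 19 rows this hunk removes. State the base in the header or zero-pad every ID to two hex digits. In the intro sentence, "hexidecimal" should be "hexadecimal", the sentence needs a closing period, and it should say whether the ECC roots from the old table were dropped intentionally.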