deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 18:33:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

resolve merge conflict, add preview cu version

Browse Source
This commit is contained in:
Meghan Stewart
2023-04-19 08:42:35 -07:00
parent 4e070da436 c416bd124f
commit 54cd69c3d8
767 changed files with 13088 additions and 8383 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
windows/deployment/update/deploy-updates-intune.md
View File

@ -1,6 +1,6 @@
---
title: Deploy updates with Intune
description: Deploy Windows client updates with Intune
description: Deploy Windows client updates with Intune.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
@ -8,7 +8,9 @@ ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.collection: highpri, tier2
ms.collection:
- highpri
- tier2
ms.date: 12/31/2017
---
@ -16,7 +18,7 @@ ms.date: 12/31/2017
**Applies to**
- Windows 10
- Windows 10
- Windows 11
See the Microsoft Intune [documentation](/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows client updates.

16
windows/deployment/update/includes/update-history.md Normal file
View File

@ -0,0 +1,16 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 02/24/2023
ms.localizationpriority: medium
---
<!--This file contains the current links for update history and release health-->
- [Windows 11, version 22H2 update history](https://support.microsoft.com/en-us/topic/windows-11-version-22h2-update-history-ec4229c3-9c5f-4e75-9d6d-9025ab70fcce)
- [Windows 11, version 21H2 update history](https://support.microsoft.com/en-us/topic/windows-11-version-21h2-update-history-a19cd327-b57f-44b9-84e0-26ced7109ba9)
- [Windows 10 update history](https://support.microsoft.com/en-us/topic/windows-10-update-history-8127c2c6-6edf-4fdf-8b9f-0f7be1ef3562)
- [Windows release health](/windows/release-health/)
- [What's new in Windows](/windows/whats-new/)

12
windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
View File

@ -5,7 +5,7 @@ manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 08/18/2022
ms.date: 03/15/2023
ms.localizationpriority: medium
---
<!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context. -->
@ -15,7 +15,15 @@ To enroll into Windows Update for Business reports, edit configuration settings,
- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
- This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but not the Microsoft 365 admin center
- This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center
- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role
- This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center
To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role:
- [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
**Log Analytics permissions**:
The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions:
- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries
- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data

1
windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
View File

@ -18,6 +18,7 @@ ms.localizationpriority: medium
- The Azure subscription
- The Log Analytics workspace
1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Windows Update for Business reports data**.
- Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
1. After the initial setup is complete, the **Windows** tab will display your Windows Update for Business reports data in the charts.
> [!Note]
> The device counts in the **Windows** tab may vary from the **Microsoft 365 Apps** tab since their requirements are different.

3
windows/deployment/update/includes/wufb-reports-recommend.md
View File

@ -11,5 +11,4 @@ ms.localizationpriority: medium
<!--This file is shared by all Update Compliance v1 articles. -->
> [!Important]
> - Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology).
> - Changes have been made to the Windows diagnostic data processor configuration. For more information, see [Windows diagnostic data processor changes](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data).
> Update Compliance was [retired](/windows/whats-new/feature-lifecycle#terminology) on March 31, 2023 and the service has been [removed](/windows/whats-new/removed-features). Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). Support for Update Compliance ended on March 31, 2023. <!--7748874-->

2
windows/deployment/update/includes/wufb-reports-verify-device-configuration.md
View File

@ -8,7 +8,7 @@ ms.topic: include
ms.date: 08/10/2022
ms.localizationpriority: medium
---
<!--This file is shared by updates/wufb-reports-help.md and the update/wufb-reports-configuration-script.md articles. Headings are driven by article context. -->
<!--This file is used by update/wufb-reports-configuration-script.md articles. It was dropped from updates/wufb-reports-help.md. Headings are driven by article context. -->
In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps:

134
windows/deployment/update/optional-content.md
View File

@ -8,21 +8,18 @@ ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 03/15/2023
---
# Migrating and acquiring optional Windows content during updates
**Applies to**
- Windows 10
- Windows 11
***(Applies to: Windows 11 & Windows 10)***
This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term.
When you update the operating system, its critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a media-based or task-sequence-based update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a "servicing-based update).
When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update).
Neither approach contains the full set of Windows optional features that a users device might need, so those features are not migrated to the new operating system. Further, those features are not available in Configuration Manager or WSUS for on-premises acquisition after a feature update
Neither approach contains the full set of Windows optional features that a user's device might need, so those features aren't migrated to the new operating system. In the past, those features weren't available in Configuration Manager nor WSUS for on-premises acquisition after a feature update.
## What is optional content?
@ -32,7 +29,7 @@ Optional content includes the following items:
- Language-based and regional FODs (for example, Language.Basic~~~ja-jp~0.0.1.0)
- Local Experience Packs
Optional content isnt included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, its released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for users data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network.
Optional content isn't included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it's released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for user's data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network.
## Why is acquiring optional content challenging?
@ -40,121 +37,130 @@ The challenges surrounding optional content typically fall into two groups:
### Incomplete operating system updates
The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating system is written to the users disk alongside the old version in a temporary folder, where a second clean operating system is installed and prepared for the user to "move into." When operation happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system.
The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating system is written to the user's disk alongside the old version in a temporary folder, where a second clean operating system is installed and prepared for the user to *move into*. When operation happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system.
Windows Setup needs access to the optional content. Since optional content is not in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content cant be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to "failure to migrate optional content during update." For media-based updates, Windows will automatically try again once the new operating system boots. We call this latent acquisition.
Windows Setup needs access to the optional content. Since optional content isn't in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can't be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to as *failure to migrate optional content during update*. For media-based updates, Windows will automatically try again once the new operating system boots. We call this *latent acquisition*.
### User-initiated feature acquisition failure
The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits Settings, and attempts to install a second language, more language experience features, or other optional content. Again, since these features are not in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content cant be found, users are frustrated and another help desk call could result. This pain point is sometimes referred to as "failure to acquire optional content.
The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits **Settings**, and attempts to install a second language, more language experience features, or other optional content. Again, since these features aren't in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can't be found, users are frustrated, and another help desk call could result. This pain point is sometimes referred to as *failure to acquire optional content*.
## Options for acquiring optional content
Most commercial organizations understand the pain points outlined above, and discussions typically start with them asking what plans are available to address these challenges. The following table includes multiple options for consideration, depending on how you are currently deploying Windows client. In this table,
- Migration means it supports optional content migration during an update.
- Acquisition means it supports optional content acquisition (that is, initiated by the user).
- Media means it's applicable with media-based deployments.
- Servicing means applicable with servicing-based deployments.
|Method |Migration |Acquisition |Media | Servicing |
|---------|---------|---------|---------|--------------|
|Option 1: Use Windows Update | Yes | Yes | No | Yes |
|Option 2: Enable Dynamic Update | Yes | No | Yes |Yes |
|Option 3: Customize the Windows image before deployment | Yes | No | Yes |No |
|Option 4: Install language features during deployment | Partial | No | Yes | No |
|Option 5: Install optional content after deployment | Yes | No |Yes | Yes |
|Option 6: Configure alternative source for Features on Demand | No | Partial | Yes | Yes |
Most commercial organizations understand the pain points outlined above, and discussions typically start with them asking what plans are available to address these challenges. The following table includes multiple options for consideration, depending on how you're currently deploying Windows client. The following definitions are used in the table headings:
- **Migration**: Supports optional content migration during an update.
- **Acquisition**: Supports optional content acquisition (that is, initiated by the user).
- **Media**: Applicable with media-based deployments.
- **Servicing**: Applicable with servicing-based deployments.
| Method | Migration | Acquisition | Media | Servicing |
|---|---|---|---|---|
| Option 1: Use Windows Update | Yes | Yes | No | Yes |
| Option 2: Use WSUS with UUP Integration | Yes | Yes | No | Yes |
| Option 3: Enable Dynamic Update | Yes | No | Yes | Yes |
| Option 4: Customize the Windows image before deployment | Yes | No | Yes | No |
| Option 5: Install language features during deployment | Partial | No | Yes | No |
| Option 6: Install optional content after deployment | Yes | No |Yes | Yes |
| Option 7: Configure alternative source for Features on Demand | No | Partial | Yes | Yes |
### Option 1: Use Windows Update
Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios "just work" when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back.
Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios just work when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back.
Starting with Windows 10, version 1709, we introduced the [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/). The Unified Update Platform is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is "unified" because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens. The Unified Update Platform is not currently integrated with WSUS.
The [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.
Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes also known as Express Updates. Further, devices that use devices are immune to the challenge of upgrading a Windows client device where the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more info, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) for more details, and our [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) on this topic.
Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) and the [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002).
### Option 2: Enable Dynamic Update
If youre not ready to move to Windows Update, another option is to enable Dynamic Update during a feature update. As soon as a Windows feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. The content acquired includes the following:
### Option 2: Use WSUS with UUP Integration
- Setup updates: Fixes to Setup.exe binaries or any files that Setup uses for feature updates.
- Safe OS updates: Fixes for the "safe OS" that are used to update Windows recovery environment (WinRE).
- Servicing stack updates: Fixes that are necessary to address the Windows servicing stack issue and thus required to complete the feature update.
- Latest cumulative update: Installs the latest cumulative quality update.
- Driver updates: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update.
Starting in March 2023, UUP has been integrated with WSUS and Configuration Manager to bring the same optional content and acquisition benefits of Windows Update to on-premises management solutions. For example:
In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device is not connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
- FODs and languages will automatically migrate for devices that perform an in-place update using an approved Windows 11, version 22H2 client feature update from WSUS. Similarly, updates such as the combined cumulative update, Setup updates, and Safe OS updates will be included and current based on the month that the feature update was approved.
Starting in Windows 10, version 2004, Dynamic Update can be configured with more options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will reboot again for the latest cumulative update since it was not available during the feature update.
- Devices that upgrade using a local Windows image but use WSUS or Configuration Manager for approving the combined cumulative update will benefit by having support for optional content acquisition in the updated Windows OS, as well as OS self-healing.
One further consideration when using Dynamic Update is the affect on your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Windows 10, version 2004 setup now downloads Dynamic Update content using Delivery Optimization when available.
For devices that arent connected to the internet, a subset of the Dynamic Update content is available by using WSUS and the Microsoft catalog.
The content required to enable this will be acquired via WSUS or Configuration Manager, without client endpoints requiring internet connectivity. To enable this improvement, once per major Windows release, a significant download to the WSUS content directory or the distribution point is required. This includes packages to support FOD and language acquisition, along with packages to enable OS self-healing due to corruption. For more information, see [Plan your WSUS deployment](/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment).
### Option 3: Customize the Windows Image before deployment
For many organizations, the deployment workflow involves a Configuration Manager task sequence that performs a media-based update. Some customers either dont have internet connectivity, or the connectivity is poor and so they cant enable Dynamic Update. In these cases, we recommend installing optional content prior to deployment. This activity is sometimes referred to as customizing the installation media.
### Option 3: Enable Dynamic Update
If you're not ready to move to Windows Update, another option is to enable Dynamic Update during a feature update. As soon as a Windows feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. The content acquired includes the following:
- **Setup updates**: Fixes to Setup.exe binaries or any files that Setup uses for feature updates.
- **Safe OS updates**: Fixes for the *safe OS* that are used to update Windows recovery environment (WinRE).
- **Servicing stack updates**: Fixes that are necessary to address the Windows servicing stack issue and thus required to complete the feature update.
- **Latest cumulative update**: Installs the latest cumulative quality update.
- **Driver updates**: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update.
In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device isn't connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with `setupconfig.ini`. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will reboot again for the latest cumulative update since it wasn't available during the feature update.
One further consideration when using Dynamic Update is the effect on your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Setup downloads Dynamic Update content using Delivery Optimization when available. For devices that aren't connected to the internet, a subset of the Dynamic Update content is available by using WSUS and the Microsoft catalog.
### Option 4: Customize the Windows Image before deployment
For many organizations, the deployment workflow involves a Configuration Manager task sequence that performs a media-based update. Some customers either don't have internet connectivity, or the connectivity is poor and so they can't enable Dynamic Update. In these cases, we recommend installing optional content prior to deployment. This activity is sometimes referred to as customizing the installation media.
You can customize the Windows image in these ways:
- Applying a cumulative (quality) update
- Applying a cumulative update
- Applying updates to the servicing stack
- Applying updates to Setup.exe binaries or other files that Setup uses for feature updates
- Applying updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment
- Applying updates to `Setup.exe` binaries or other files that setup uses for feature updates
- Applying updates for the *safe operating system* (SafeOS) that's used for the Windows recovery environment
- Adding or removing languages
- Adding or removing Features on Demand
The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where Setup.exe is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and our [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Option 2, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there is a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and the [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
### Option 4: Install language features during deployment
### Option 5: Install language features during deployment
A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using `setupconfig.ini`. For more information, see [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview).
When Setup runs, it will inject these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages cannot be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cabs from the LPLIP ISO. Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasnt a fatal error. Starting with Windows 10, version 1903, we treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades dont migrate FOD and languages (unless Dynamic Update is enabled).
When Setup runs, it will inject these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages can't be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cabs from the LPLIP ISO. <!--Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn't a fatal error. Starting with Windows 10, version 1903,--> We treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don't migrate FOD and languages (unless Dynamic Update is enabled).
This approach has some interesting benefits. The original Windows image doesnt need to be modified, possibly saving time and scripting.
This approach has some interesting benefits. The original Windows image doesn't need to be modified, possibly saving time and scripting.
### Option 5: Install optional content after deployment
### Option 6: Install optional content after deployment
This option is like Option 3 in that you customize the operating system image with more optional content after its deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that is installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 4, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the users device without loss of functionality.
This option is like Option 4 in that you customize the operating system image with more optional content after it's deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that's installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 5, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user's device without loss of functionality.
### Option 6: Configure an alternative source for optional content
### Option 7: Configure an alternative source for optional content
Several of the options address ways to address optional content migration issues during an in-place update. To address the second pain point of easily acquiring optional content in the user-initiated case, you can configure each device by using the Specify settings for optional component installation and component repair Group Policy. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. This approach has the disadvantage of more content to be hosted within your network (in addition to the operating system image you might be still deploying to some clients) but has the advantage of acquiring content within your network. Some reminders about this policy:
Several of the options address ways to address optional content migration issues during an in-place update. To address the second pain point of easily acquiring optional content in the user-initiated case, you can configure each device by using the [Specify settings for optional component installation and component repair](/windows/client-management/mdm/policy-csp-admx-servicing#servicing) Group Policy. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. This approach has the disadvantage of more content to be hosted within your network (in addition to the operating system image you might be still deploying to some clients) but has the advantage of acquiring content within your network. Some reminders about this policy:
- The file path to the alternate source must be a fully qualified path; multiple locations can be separated by a semicolon.
- This setting does not support installing language packs from Alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired.
- If this setting is not configured or disabled, files will be downloaded from the default Windows Update location, for example Windows Update for Business or WSUS).
- This setting doesn't support installing language packs from an alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired.
- If this setting isn't configured or disabled, files will be downloaded from the default Windows Update location, for example Windows Update for Business or WSUS.
See [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source) for more information.
For more information, see [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source).
## Learn more
For more information about the Unified Update Platform and the approaches outlined in this article, see the following resources:
- [Plan your WSUS deployment](/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment)
- [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks)
- [/DynamicUpdate](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate)
- [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source)
- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073)
- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002)
- [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions)
- [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/)
- [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md)
- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073)
- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002)
## Sample scripts
Options 3 and 5 involve the most scripting. Sample scripts for Option 3 already exist, so well look at sample scripts for [Option 5](#option-5-install-optional-content-after-deployment): Install Optional Content after Deployment.
Options 4 and 6 involve the most scripting. Sample scripts for Option 4 already exist, so we'll look at sample scripts for [Option 6](#option-6-install-optional-content-after-deployment): Install Optional Content after Deployment.
### Creating an optional content repository
To get started, well build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. Well configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository.
To get started, we'll build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We'll configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository.
@ -715,7 +721,7 @@ Log ("Exiting")
### Adding optional content in the target operating system
After setup has completed successfully, we use success.cmd to retrieve the optional content state from the source operating system and install in the new operating system only if thats missing. Then, apply the latest monthly update as a final step.
After setup has completed successfully, we use success.cmd to retrieve the optional content state from the source operating system and install in the new operating system only if that's missing. Then, apply the latest monthly update as a final step.
```powershell

76
windows/deployment/update/quality-updates.md
View File

@ -1,76 +0,0 @@
---
title: Monthly quality updates (Windows 10/11)
description: Learn about Windows monthlyquality updates to stay productive and protected.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
---
# Monthly quality updates
**Applies to**
- Windows 10
- Windows 11
Windows monthlyquality updates help you to stay productive and protected. They provide your users and IT administrators with the security fixes they need, and protect devices so that unpatched vulnerabilities can't be exploited. Quality updates are cumulative; they include all previously released fixes to guard against fragmentation of the operating system (OS). Reliability and vulnerability issues can occur when only a subset of fixes is installed.
This article provides details on the types of monthly quality updates that Microsoft provides, and how they help make the overall user experience simple and consistent.
## Quality updates
Quality updates are provided on a monthly schedule, as two types of releases:
1. Non-security releases
2. Combined security + non-security releases
Non-security releases provide IT admins an opportunity for early validation of that content prior to the combined release. Releases can also be provided outside of the monthly schedule when there is an exceptional need.
### B releases
Most people are familiar with what is commonly referred to as **Patch Tuesday** or **Update Tuesday**.These updates are released on the second Tuesday of each month, and are known as the**B release** (where “**B**”refers to the second week in the month). B releases are typically published at 10:00 AM Pacific Time (PST/PDT).
Because they are cumulative, B releases include both new and previously released security fixes, along with non-security content introduced in the prior months **Preview C release** (see the next section). These updates help keep Windows devices secure and compliant by deploying stability fixes and addressing security vulnerabilities. B releases are mandatory.
Channels for availability of B releases include: Windows Update, Windows Server Update Services (WSUS), and the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
### C releases
IT admins have the option to test and validate production-quality releases ahead of the planned B release for the following month. These updates are optional, cumulative, non-security preview releases known as **C releases**. These releases are only offered to the most recent, supported versions of Windows. For example, new features like [News and Interests](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/group-configuration-news-and-interests-on-the-windows-taskbar/ba-p/2281005) might initially be deployed in the prior months C preview release, then ship in the following months B release.
For customers to access the C releases, they must navigate to**Settings** > **Update & Security** > **Windows Update**and select**Check for updates**.
IT admins can also validate fixes and features in a preview update by leveraging the [Windows Insider Program for Business](https://insider.windows.com/for-business) or via the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
### OOB releases
Out-of-band (OOB) releases might be provided to fix a recently identified issue or vulnerability. They are used in atypical cases when an issue is detected and cannot wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices.
Some key considerations about OOB releases include:
- OOB releases are always cumulative, and they supersede any prior B or C release.
- The OOB releases will generally require IT admins to deploy off-cycle.
- Some OOB releases are classified as critical and will automatically be pushed to Windows Server Update Services and Windows Update for Business, just like the B releases.
- Some OOB releases are non-critical and only go to the Microsoft Update Catalog for users or organizations to voluntarily seek out the update.
## More information
For additional details about the different types of Windows updates like critical, security, drivers, service packs, and more, please see the [Description of the standard terminology used to describe Microsoft software updates](/troubleshoot/windows-client/deployment/standard-terminology-software-updates) and [Introducing a new deployment service for driver and firmware updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-a-new-deployment-service-for-driver-and-firmware/ba-p/2176942).
## Related topics
- [Overview of Windows as a service](waas-overview.md)
- [Update Windows 10 in the enterprise](index.md)
- [Quick guide to Windows as a service](waas-quick-start.md)
- [Configure Delivery Optimization for Windows 10 updates](../do/waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure)
- [Manage device restarts after updates](waas-restart.md)

114
windows/deployment/update/release-cycle.md Normal file
View File

@ -0,0 +1,114 @@
---
title: Update release cycle for Windows clients
description: Learn about the release cycle ofupdates for Windows clients to stay productive and protected.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 03/23/2023
---
# Update release cycle for Windows clients
<!--7696511-->
***(Applies to: Windows 11 & Windows 10)***
Windows updates help you to stay productive and protected. They provide your users and IT administrators with the security fixes they need, and protect devices so that unpatched vulnerabilities can't be exploited. Updates for the Windows client OS are typically cumulative. They include all previously released fixes to guard against fragmentation of the operating system. Reliability and vulnerability issues can occur when only a subset of fixes is installed.
This article provides details on the types of updates that Microsoft provides, and how they help make the overall user experience simple and consistent.
## Types of update releases
|Release type | Description | Release cycle |
|---|---|---|
| [Monthly security update release](#monthly-security-update-release)| A cumulative update release that includes both security and non-security content | Second Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Optional non-security preview release](#optional-non-security-preview-release)| An optional cumulative update release that's typically used for early validation of the monthly security update release| Fourth Tuesday of each month, typically published at 10:00 AM Pacific Time (PST/PDT) |
| [Out-of-band (OOB) release](#oob-releases) | Resolves a recently identified issue or vulnerability | As needed |
| [Annual feature update](#annual-feature-updates) | An update with new features and enhancements that also changes the Windows version | Once a year in the second half of the calendar year |
| [Continuous innovation for Windows 11](#continuous-innovation-for-windows-11)| Introduces new features and enhancements for Windows 11 | Periodically included in an optional non-security preview release then in the monthly security update releases |
## Monthly security update release
Most people are familiar with the **monthly security update release**. The **monthly security update release** is published on the second Tuesday of each month, typically at 10:00 AM Pacific Time (PST/PDT). This release might commonly be referred to as:
- Patch Tuesday
- Update Tuesday
- B week releases (meaning the second week of the month)
- Quality updates
- Security updates
- Latest cumulative update (LCU)
**Monthly security update releases** are cumulative. The release includes both new and previously released security fixes, along with non-security content introduced in the prior month's [**Optional non-security preview release**](#optional-non-security-preview-release). These updates help keep Windows devices secure and compliant by deploying stability fixes and addressing security vulnerabilities. Most organizations consider monthly security update releases as mandatory.
Monthly security update releases are available through the following channels:
- Windows Update
- Windows Server Update Services (WSUS)
- The [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx)
Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
## Optional non-security preview release
**Optional non-security preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, non-security preview releases. New features might initially be deployed in the prior month's **optional non-security preview release**, then ship in the following **monthly security update release**. These releases are only offered to the most recent, supported versions of Windows.
**Optional non-security preview releases** might commonly be referred to as:
- C or D week releases (meaning the third or fourth week of the month)
- Preview updates
- Preview CU
- LCU preview
> [!Important]
> Starting in April 2023, all **optional non-security preview releases** will be released on the fourth Tuesday of the month. This change in release cadence gives admins a consistent time cycle for testing and validating fixes and features.
To access the optional non-security preview release:
- Navigate to**Settings** > **Update & Security** > **Windows Update**and select**Check for updates**.
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
- Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
## OOB releases
**Out-of-band (OOB) releases** might be provided to fix a recently identified issue or vulnerability. They're used in atypical cases when an issue is detected and can't wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. **Out-of-band (OOB) releases** are provided outside of the monthly schedule when there's an exceptional need.
Some key considerations about OOB releases include:
- OOB releases are always cumulative.
- OOB releases supersede any prior monthly security update and optional non-security preview release.
- OOB releases generally require IT admins to deploy off-cycle.
- Some OOB releases are classified as critical.
- Critical OOB releases are automatically available to WSUS and Windows Update for Business, just like the monthly security update releases.
- Some OOB releases are classified as non-critical.
- Non-critical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
## Continuous innovation for Windows 11
Starting with Windows 11, version 22H2, new features and enhancements are introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an **optional non-security preview release** and gradually rolled out to unmanaged clients. These new features are released later as part of a **monthly security update release**.
Some of the new features may be disruptive to organizations. By default, these select features are turned off temporarily for all managed devices until the next annual feature update is installed. In this scenario, a device is considered managed if it uses one of the following to determine which updates to install:
- Windows Update for Business
- Devices that have updates managed Microsoft Intune use Windows Update for Business
- WSUS
- Devices that have updates managed by Configuration Manager use WSUS
Features that are turned off by default are listed in the KB article for the monthly cumulative update. If you want to enable these features, there's a client policy that allows admins to **Enable features introduced via servicing that are off by default**. For more information about this policy, see [Enable features introduced via servicing that are off by default](waas-configure-wufb.md#enable-features-introduced-via-servicing-that-are-off-by-default).
## Annual feature updates
Annual feature updates are released in the second half of the calendar year. These updates are typically cumulative and include all previously released fixes. They also include new features and enhancements. The annual feature update marks the start of the support lifecycle:
- 24 months of support for Home and Pro editions of Windows
- 36 months of support for Enterprise and Education editions
For more information, see [Windows lifecycle FAQ](/lifecycle/faq/windows).
## Release information
For more information about specific releases, see:
<!--Using include for update history and release health links-->
[!INCLUDE [Windows update history and release health links](./includes/update-history.md)]

18
windows/deployment/update/safeguard-holds.md
View File

@ -1,6 +1,6 @@
---
title: Safeguard holds
description: What are safeguard holds, how can you tell if one is in effect, and what to do about it
description: What are safeguard holds, how can you tell if one is in effect, and what to do about it.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
@ -8,7 +8,9 @@ ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.collection: highpri, tier2
ms.collection:
- highpri
- tier2
ms.date: 12/31/2017
---
@ -19,11 +21,11 @@ ms.date: 12/31/2017
- Windows 10
- Windows 11
Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply safeguard holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use safeguard holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply safeguard holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use safeguard holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe effect (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround isn't immediately available.
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client.
The lifespan of safeguard holds varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update will resume offering new operating system versions to devices.
The safeguard holds lifespan varies depending on the time required to investigate and fix an issue. During this time, Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the safeguard hold. Once we release the safeguard hold, Windows Update will resume offering new operating system versions to devices.
Safeguard holds only affect devices that use the Windows Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
@ -31,19 +33,19 @@ IT admins managing updates using the [Windows Update for Business deployment ser
## Am I affected by a safeguard hold?
IT admins can use [Windows Update for Business reports](wufb-reports-overview.md) to monitor various update health metrics for devices in their organization. The reports provide a list of [active Safeguard Holds](wufb-reports-workbook.md#bkmk_update-group-feature) to provide you insight into the safeguard holds that are preventing devices from updating or upgrading.
IT admins can use [Windows Update for Business reports](wufb-reports-overview.md) to monitor various update health metrics for devices in their organization. The reports provide a list of [active Safeguard Holds](wufb-reports-workbook.md#bkmk_update-group-feature) to provide you with insight into the safeguard holds that are preventing devices from updating or upgrading.
Windows Update for Business reports identifies safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find additional details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.
Windows Update for Business reports identifies safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find more details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release.
On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
![Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page.](images/safeguard-hold-notification.png)
This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we will release the safeguard hold and the update can resume safely.
This message means that the device is protected by one or more safeguard holds. When the issue is resolved and the update is safe to install, we'll release the safeguard hold and the update can resume safely.
## What can I do?
We recommend that you do not attempt to manually update until issues have been resolved and holds released.
We recommend that you don't attempt to manually update until issues have been resolved and holds released.
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out.

10
windows/deployment/update/servicing-stack-updates.md
View File

@ -6,8 +6,10 @@ author: mestew
ms.localizationpriority: high
ms.author: mstewart
manager: aaroncz
ms.collection: highpri, tier2
ms.topic: article
ms.collection:
- highpri
- tier2
ms.topic: conceptual
ms.technology: itpro-updates
ms.date: 12/31/2017
---
@ -39,9 +41,9 @@ Servicing stack update are released depending on new issues or vulnerabilities.
Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
Beginning with the February 2021 LCU, Microsoft will publish all future cumulative updates and SSUs for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in WSUS.
Microsoft publishes all cumulative updates and SSUs for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in WSUS.
## Is there any special guidance?

2
windows/deployment/update/update-compliance-configuration-manual.md
View File

@ -8,7 +8,7 @@ ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# Manually Configuring Devices for Update Compliance

2
windows/deployment/update/update-compliance-configuration-mem.md
View File

@ -8,7 +8,7 @@ ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# Configuring Microsoft Intune devices for Update Compliance

2
windows/deployment/update/update-compliance-configuration-script.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ms.date: 06/16/2022
ms.date: 04/01/2023
ms.technology: itpro-updates
---

2
windows/deployment/update/update-compliance-delivery-optimization.md
View File

@ -8,7 +8,7 @@ ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# Delivery Optimization in Update Compliance

2
windows/deployment/update/update-compliance-feature-update-status.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# Feature Update Status

6
windows/deployment/update/update-compliance-get-started.md
View File

@ -6,9 +6,11 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: highpri, tier2
ms.collection:
- highpri
- tier2
ms.topic: article
ms.date: 05/03/2022
ms.date: 04/01/2023
ms.technology: itpro-updates
---

2
windows/deployment/update/update-compliance-monitor.md
View File

@ -8,7 +8,7 @@ ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# Monitor Windows Updates with Update Compliance

14
windows/deployment/update/update-compliance-need-attention.md
View File

@ -7,7 +7,7 @@ ms.author: mstewart
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# Needs attention!
@ -22,7 +22,7 @@ ms.date: 12/31/2017
![Needs attention section.](images/UC_workspace_needs_attention.png)
The **Needs attention!** section provides a breakdown of all Windows client device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section.
The **Needs attention!** section provides a breakdown of all Windows client device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within breakdown the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but don't fit within any other main section.
> [!NOTE]
> The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
@ -32,15 +32,15 @@ The different issues are broken down by Device Issues and Update Issues:
## Device Issues
* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated.
* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows client it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows client.
* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows client it's running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows client.
## Update Issues
* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure.
* **Cancelled**: This issue occurs when a user cancels the update process.
* **Canceled**: This issue occurs when a user cancels the update process.
* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version.
* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention.
* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 7 days.
* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. This might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention.
* **Progress stalled:** This issue occurs when an update is in progress, but hasn't completed over a period of 7 days.
Selecting any of the issues will take you to a [Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
@ -49,4 +49,4 @@ Selecting any of the issues will take you to a [Log Analytics](/azure/log-analyt
## List of Queries
The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries.
The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that didn't fit within any specific section or were listed to serve as a good starting point for modification into custom queries.

2
windows/deployment/update/update-compliance-privacy.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# Privacy in Update Compliance

2
windows/deployment/update/update-compliance-safeguard-holds.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# Safeguard Holds

2
windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# WaaSDeploymentStatus

2
windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# WaaSInsiderStatus

2
windows/deployment/update/update-compliance-schema-waasupdatestatus.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# WaaSUpdateStatus

2
windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# WUDOAggregatedStatus

2
windows/deployment/update/update-compliance-schema-wudostatus.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# WUDOStatus

2
windows/deployment/update/update-compliance-schema.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# Update Compliance Schema

2
windows/deployment/update/update-compliance-security-update-status.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# Security Update Status

2
windows/deployment/update/update-compliance-using.md
View File

@ -8,7 +8,7 @@ ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 04/01/2023
---
# Use Update Compliance

6
windows/deployment/update/waas-configure-wufb.md
View File

@ -210,7 +210,7 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
| GPO for Windows 10, version 1607 or later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
## Enable features introduced via servicing that are off by default
## Enable features introduced via servicing that are off by default
<!--6544872-->
New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
@ -221,8 +221,8 @@ The features that are turned off by default from servicing updates will be enabl
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
| GPO for Windows 11, version 22H2 and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for Windows 11, version 22H2 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
| GPO for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl |
| MDM for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl |
## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later

6
windows/deployment/update/waas-manage-updates-wsus.md
View File

@ -6,8 +6,10 @@ author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.collection: highpri, tier2
ms.topic: how-to
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.date: 12/31/2017
---

6
windows/deployment/update/waas-manage-updates-wufb.md
View File

@ -6,8 +6,10 @@ ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
ms.topic: article
ms.collection: highpri, tier2
ms.topic: overview
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.date: 12/31/2017
---

6
windows/deployment/update/waas-overview.md
View File

@ -6,8 +6,10 @@ author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.collection: highpri, tier2
ms.topic: overview
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.date: 12/31/2017
---

8
windows/deployment/update/waas-restart.md
View File

@ -1,13 +1,15 @@
---
title: Manage device restarts after updates (Windows 10)
title: Manage device restarts after updates
description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows 10 update is installed.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.collection: highpri, tier2
ms.topic: how-to
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.date: 12/31/2017
---

16
windows/deployment/update/waas-wu-settings.md
View File

@ -6,10 +6,12 @@ ms.localizationpriority: medium
author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.collection: highpri, tier2
ms.topic: how-to
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.date: 03/28/2023
ms.date: 04/25/2023
---
# Manage additional Windows Update settings
@ -32,8 +34,8 @@ You can use Group Policy settings or mobile device management (MDM) to configure
| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
| | [Windows Update notifications display organization name](#bkmk_display-name) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered <!--6286260-->|
| | [Allow Windows updates to install before initial user sign-in](#allow-windows-update-before-initial-sign-in) | Windows 11 version 22H2 <!--7679187-->|
| | [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered <!--6286260-->|
| [Allow Windows updates to install before initial user sign-in](#allow-windows-update-before-initial-sign-in) | Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or later <!--7679187-->|
>[!IMPORTANT]
@ -252,7 +254,7 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
## <a name="bkmk_display-name"> </a> Display organization name in Windows Update notifications
## Display organization name in Windows Update notifications
<!--6286260-->
When Windows 11 clients are associated with an Azure AD tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.
@ -282,7 +284,7 @@ New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWO
```
## <a name="allow-windows-update-before-initial-sign-in"> </a> Allow Windows updates to install before initial user sign-in
*(Starting in Windows 11, version 22H2)* <!--7679187-->
*(Starting in Windows 11, version 22H2 with 2023-04 Cumulative Update Preview, or later)* <!--7679187-->
On new devices, Windows Update doesn't begin installing background updates until a user has completed the Out of Box Experience (OOBE) and signs in for the first time. In many cases, the user signs in immediately after completing the OOBE. However, some VM-based solutions provision a device and automate the first user experience. These VMs may not be immediately assigned to a user so they won't see an initial sign-in until several days later.

6
windows/deployment/update/waas-wufb-group-policy.md
View File

@ -5,9 +5,11 @@ ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
ms.collection: highpri, tier2
ms.collection:
- highpri
- tier2
manager: aaroncz
ms.topic: article
ms.topic: how-to
ms.technology: itpro-updates
ms.date: 02/28/2023
---

6
windows/deployment/update/windows-update-logs.md
View File

@ -5,8 +5,10 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.collection: highpri, tier2
ms.topic: troubleshooting
ms.collection:
- highpri
- tier2
ms.technology: itpro-updates
ms.date: 12/31/2017
---

166
windows/deployment/update/wufb-reports-do.md Normal file
View File

@ -0,0 +1,166 @@
---
title: Delivery Optimization data in Windows Update for Business reports
manager: aaroncz
description: Provides information about Delivery Optimization data in Windows Update for Business reports
ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 04/12/2023
ms.technology: itpro-updates
---
# Delivery Optimization data in Windows Update for Business reports
<!--7715481-->
***(Applies to: Windows 11 & Windows 10)***
[Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement.
Windows Update for Business reports provides Delivery Optimization information in the following places:
- The Windows Update for Business reports [workbook](wufb-reports-workbook.md)
- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md)
Windows Update for Business reports doesn't include Delivery Optimization data for Windows Insider devices.
## Delivery Optimization terms
Windows Update for Business reports uses the following Delivery Optimization terms:
- **Peer**: A device in the solution
- **Peering 'ON'** - Devices where DO peer-to-peer is enabled in one of the following modes:
- LAN (1)
- Group (2)
- Internet (3)
- **Peering 'OFF'**: Devices where DO peer-to-peer is disabled, set to one of the following modes:
- HTTP Only (0)
- Simple Mode (99)
- Bypass (100), deprecated in Windows 11
- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache (MCC) out of the total amount of data downloaded.
- If bandwidth savings are <= 60%, a *Warning* icon is displayed
- When bandwidth savings are <10%, an *Error* icon is displayed.
- **Configurations**: Based on the DownloadMode configuration set via MDM, Group Policy, or end-user via the user interface.
- **P2P Device Count**: The device count is determined by the number of devices configured to use peering.
- **Microsoft Connected Cache (MCC)**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md).
- **MCC Device Count**: The device count is determined by the number of devices that have received bytes from the cache server, for supported content types.
- **Total # of Devices**: The total number of devices with activity in last 28 days.
- **LAN Bytes**: Bytes delivered from LAN peers.
- **Group Bytes**: Bytes from Group peers. If a device is using Group DownloadMode, Delivery Optimization will first look for peers on the LAN and then in the Group. Therefore, if bytes are delivered from LAN peers, they'll be calculated in 'LAN Bytes'.
- **CDN Bytes**: Bytes delivered from Content Delivery Network (CDN).
- **City**: City is determined based on the location of the device where the maximum amount of data is downloaded.
- **Country**: Country is determined based on the location of the device where the maximum amount of data is downloaded.
- **ISP**: ISP is determined based on the ISP delivering the maximum bytes to the device.
## Calculations for Delivery Optimization
There are several calculated values that appear on the Delivery Optimization report. Listed below each calculation is the table that's used for it:
**Efficiency (%) Calculations**:
- Bandwidth Savings (BW SAV%) = 100 * (BytesFromPeers + BytesFromGroupPeers + BytesFromCache) /
(BytesFromPeers + BytesFromGroupPeers+BytesFromCDN + BytesFromCache)
- [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table
- % P2P Efficiency = 100 * (BytesFromPeers + BytesFromGroupPeers) / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- % MCC Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
**Bytes Calculations**:
- TotalBytes = BytesFromCDN + BytesFromEnterpriseCache + BytesFromPeers + BytesFromGroupPeers
- [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table
- BytesFromCDN = BytesFromCDN
- [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table
- BytesFromPeers = BytesFromLAN
- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table
- BytesFromGroupPeers = BytesFromGroupPeers
- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table
- BytesFromCache = BytesFromCache
- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table
**Volume Calculations**:
- Volume by P2P = BytesFromPeers + BytesFromGroupPeers
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- Volume by MCC = BytesFromCache
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- Volume by CDN = BytesFrom CDN
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
## Mapping GroupID
In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of decoded to encoded GroupIDs using the following PowerShell example:
```powershell
$text = "<myEncodedGroupID>" ;
$hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64"
```
In addition, you can see both the encoded and decoded GroupIDs in the Delivery Optimization logs.
```powershell
Get-DeliveryOptimizationLog -Flush | Set-Content C:\dosvc.log
```
The below two lines are together in verbose logs:
```text
2023-02-15T12:33:11.3811337Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Using groupID = **<myEncodedGroupId>**
2023-02-15T12:33:11.3811432Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Hashed groupID = **<myDecodedGroupId>**
```
## Sample queries
You can use the data in [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md)
and [UCDOStatus](wufb-reports-schema-ucdostatus.md) to create your own queries. Create your custom queries using [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/), but note that Windows Update for Business reports uses Azure Monitor, so some operators aren't supported. The KQL documentation specifies which operators aren't supported by Azure Monitor or if they have different functionality. For more information about KQL in Azure Monitor, see [Log queries in Azure Monitor](/azure/azure-monitor/logs/log-query-overview). The following queries are examples of how you can use the data:
### Example UCDOAggregatedStatus table query
The following query is used to display the total bandwidth savings % value:
```kusto
UCDOAggregatedStatus| where TimeGenerated == _SnapshotTime
| extend LocalSourceBytes = BytesFromCache + BytesFromGroupPeers + BytesFromPeers
| summarize LocalSources_BWSAV = round((sum(0.0 + LocalSourceBytes)/ sum(LocalSourceBytes+BytesFromCDN)) * 100.0 ,2)
| extend Title = "BW SAV%" , SubTitle = "Local Sources"
```
### Example UCDOStatus table query
The following query is used to display the Top 10 GroupIDs:
```kusto
UCDOStatus | where TimeGenerated == _SnapshotTime
| summarize sum(BytesFromCDN) , sum(BytesFromGroupPeers) , sum(BytesFromPeers) , sum(BytesFromCache) ,
DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount desc
| extend TotalBytes = (sum_BytesFromPeers + sum_BytesFromGroupPeers+sum_BytesFromCDN+sum_BytesFromCache)
| extend P2PPercentage = ((0.0 + sum_BytesFromPeers + sum_BytesFromGroupPeers)/TotalBytes ) * 100.0
| extend MCCPercentage = ((0.0 + sum_BytesFromCache)/ TotalBytes) * 100.0 ,
VolumeBytesFromPeers = sum_BytesFromPeers + sum_BytesFromGroupPeers
| extend VolumeBytesFromMCC = sum_BytesFromCache , VolumeByCDN = sum_BytesFromCDN
| project GroupID , P2PPercentage , MCCPercentage , VolumeBytesFromPeers , VolumeBytesFromMCC ,VolumeByCDN , DeviceCount
```
## Frequency Asked Questions
- **What time period does the Delivery Optimization data include?**
Data is generated/aggregated for the last 28 days for active devices.
- **Data is showing as 'Unknown', what does that mean?**
You may see data in the report listed as 'Unknown'. This status indicates that the Delivery Optimization DownloadMode setting is either invalid or empty.
- **How are the 'Top 10' groups identified?**
The top groups are represented by the number of devices in a particular group, for any of the four group types (GroupID, City, Country, and ISP).
- **The GroupIDs don't look familiar, why are they different?**
The GroupID values are encoded for data protection telemetry requirements. You can find more information in the 'Mapping GroupIDs' section above.
- **How can I see data for device in the office vs. out of the office?**
Today, we don't have a distinction for data that was downloaded by location.
- **What does the data in UCDOStatus table represent?**
A row in UCDOStatus represents data downloaded by a combination of a single device ID (AzureADDeviceId) by content type (ContentType).
- **What does the data in UCDOAggregatedStatus table represent?**
A row in UCDOAggregatedStatus represents data summarized at the tenant level (AzureADTenantID) for each content type (ContentType).

1
windows/deployment/update/wufb-reports-enable.md
View File

@ -69,6 +69,7 @@ Use one of the following methods to enroll into Windows Update for Business repo
> [!Tip]
> If a `403 Forbidden` error occurs, verify the account you're using has [permissions](wufb-reports-prerequisites.md#permissions) to enroll into Windows Update for Business reports.
1. The initial setup can take up to 24 hours. During this time, the workbook will display that it's **Waiting for Windows Update for Business reports data**.
- Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
##### <a name="bkmk_admin-center"></a> Enroll through the Microsoft 365 admin center
<!--Using include for onboarding Windows Update for Business reports through the Microsoft 365 admin center-->

7
windows/deployment/update/wufb-reports-prerequisites.md
View File

@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 02/14/2023
ms.date: 03/15/2023
ms.technology: itpro-updates
---
@ -30,11 +30,6 @@ Before you begin the process of adding Windows Update for Business reports to yo
[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
**Log Analytics permissions**:
- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries
- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
## Operating systems and editions
- Windows 11 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions

4
windows/deployment/update/wufb-reports-workbook.md
View File

@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 11/15/2022
ms.date: 04/12/2023
ms.technology: itpro-updates
---
@ -173,7 +173,7 @@ The **Device status** group for driver updates contains the following items:
## <a name="bkmk_do"></a> Delivery Optimization
The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information.
The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information. For more information, see [Delivery Optimization data in Windows Update for Business reports](/windows/deployment/update/waas-delivery-optimization).
At the top of the report, tiles display the following information: