diff --git a/.openpublishing.build.ps1 b/.openpublishing.build.ps1
deleted file mode 100644
index dd60c684ef..0000000000
--- a/.openpublishing.build.ps1
+++ /dev/null
@@ -1,18 +0,0 @@
-param(
- [string]$buildCorePowershellUrl = "https://opbuildstoragesandbox2.blob.core.windows.net/opps1container/.openpublishing.buildcore.ps1",
- [string]$parameters
-)
-# Main
-$errorActionPreference = 'Stop'
-
-# Step-1 Download buildcore script to local
-echo "download build core script to local with source url: $buildCorePowershellUrl"
-$repositoryRoot = Split-Path -Parent $MyInvocation.MyCommand.Definition
-$buildCorePowershellDestination = "$repositoryRoot\.openpublishing.buildcore.ps1"
-Invoke-WebRequest $buildCorePowershellUrl -OutFile $buildCorePowershellDestination
-
-# Step-2: Run build core
-echo "run build core script with parameters: $parameters"
-$arguments = "-parameters:'$parameters'"
-Invoke-Expression "$buildCorePowershellDestination $arguments"
-exit $LASTEXITCODE
\ No newline at end of file
diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json
index 09479f4eca..5d117ed99e 100644
--- a/.openpublishing.redirection.windows-deployment.json
+++ b/.openpublishing.redirection.windows-deployment.json
@@ -1660,6 +1660,26 @@
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/planning/windows-10-enterprise-faq-itpro",
"redirect_document_id": false
},
+ {
+ "source_path": "windows/deployment/do/mcc-enterprise-appendix.md",
+ "redirect_url": "/windows/deployment/do/mcc-ent-early-preview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/do/mcc-enterprise-deploy.md",
+ "redirect_url": "/windows/deployment/do/mcc-ent-early-preview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/do/mcc-enterprise-prerequisites.md",
+ "redirect_url": "/windows/deployment/do/mcc-ent-early-preview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/deployment/do/mcc-enterprise-update-uninstall.md",
+ "redirect_url": "/windows/deployment/do/mcc-ent-early-preview",
+ "redirect_document_id": false
+ },
{
"source_path": "windows/deployment/planning/windows-10-deployment-considerations.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/planning/windows-10-deployment-considerations",
diff --git a/education/windows/suspcs/reference.md b/education/windows/suspcs/reference.md
index 278344c047..3cec502ea5 100644
--- a/education/windows/suspcs/reference.md
+++ b/education/windows/suspcs/reference.md
@@ -1,8 +1,8 @@
---
title: Set up School PCs app technical reference overview
-description: Describes the purpose of the Set up School PCs app for Windows 10 devices.
+description: Describes the purpose of the Set up School PCs app for Windows devices.
ms.topic: overview
-ms.date: 01/16/2024
+ms.date: 10/29/2024
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -12,12 +12,12 @@ appliesto:
The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The app, which is available for Windows 10 version 1703 and later, configures and saves school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs.
-If your school uses Microsoft Entra ID or Office 365, the Set up
+If your school uses Microsoft Entra ID or Microsoft 365, the Set up
School PCs app will create a setup file. This file joins the PC to your Microsoft Entra tenant. The app also helps set up PCs for use with or without Internet connectivity.
## Join devices to Microsoft Entra ID
-If your school uses Microsoft Entra ID or Office 365, the Set up School PCs app creates a setup file that joins your PC to your Microsoft Entra ID tenant.
+If your school uses Microsoft Entra ID or Microsoft 365, the Set up School PCs app creates a setup file that joins your PC to your Microsoft Entra ID tenant.
The app also helps set up PCs for use with or without Internet connectivity.
diff --git a/windows/client-management/mdm/declaredconfiguration-csp.md b/windows/client-management/mdm/declaredconfiguration-csp.md
index 4251c9ab44..e9843249a5 100644
--- a/windows/client-management/mdm/declaredconfiguration-csp.md
+++ b/windows/client-management/mdm/declaredconfiguration-csp.md
@@ -1,7 +1,7 @@
---
title: DeclaredConfiguration CSP
description: Learn more about the DeclaredConfiguration CSP.
-ms.date: 09/12/2024
+ms.date: 11/05/2024
---
@@ -45,6 +45,8 @@ The following list shows the DeclaredConfiguration configuration service provide
- [Results](#hostinventoryresults)
- [{DocID}](#hostinventoryresultsdocid)
- [Document](#hostinventoryresultsdociddocument)
+ - [ManagementServiceConfiguration](#managementserviceconfiguration)
+ - [ConflictResolution](#managementserviceconfigurationconflictresolution)
@@ -728,6 +730,93 @@ The Document node's value is an XML based document containing a collection of se
+
+## ManagementServiceConfiguration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/ManagementServiceConfiguration
+```
+
+
+
+
+The ManagementServiceConfiguration node that's used to control certain Windows Declared Configuration behavior.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### ManagementServiceConfiguration/ConflictResolution
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DeclaredConfiguration/ManagementServiceConfiguration/ConflictResolution
+```
+
+
+
+
+This node controls to turn on conflict resolution on and off.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | The conflict resolution is OFF. |
+| 1 | The conflict resolution is ON. |
+
+
+
+
+
+
+
+
## DeclaredConfiguration OMA URI
diff --git a/windows/client-management/mdm/declaredconfiguration-ddf-file.md b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
index 07e2e406e6..6d50da92cb 100644
--- a/windows/client-management/mdm/declaredconfiguration-ddf-file.md
+++ b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
@@ -1,7 +1,7 @@
---
title: DeclaredConfiguration DDF file
description: View the XML file containing the device description framework (DDF) for the DeclaredConfiguration configuration service provider.
-ms.date: 06/28/2024
+ms.date: 11/05/2024
---
@@ -466,6 +466,61 @@ The following XML file contains the device description framework (DDF) for the D
+
+ ManagementServiceConfiguration
+
+
+
+
+ The ManagementServiceConfiguration node that is used to control certain Windows Declared Configuration behavior
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ConflictResolution
+
+
+
+
+
+
+
+ This node controls to turn on conflict resolution on and off.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ The conflict resolution is OFF.
+
+
+ 1
+ The conflict resolution is ON.
+
+
+
+
+
```
diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md
index 76508deef5..b524fe09eb 100644
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@@ -1,7 +1,7 @@
---
title: LAPS CSP
description: Learn more about the LAPS CSP.
-ms.date: 09/27/2024
+ms.date: 11/05/2024
---
@@ -325,7 +325,7 @@ Note if a custom managed local administrator account name is specified in this s
Use this setting to configure whether the password is encrypted before being stored in Active Directory.
-This setting is ignored if the password is currently being stored in Azure.
+This setting is ignored if the password is currently being stored in Microsoft Entra ID.
This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
@@ -387,7 +387,7 @@ If not specified, this setting defaults to True.
Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
-This setting is ignored if the password is currently being stored in Azure.
+This setting is ignored if the password is currently being stored in Microsoft Entra ID.
If not specified, the password will be decryptable by the Domain Admins group in the device's domain.
diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md
index d32a646434..8924f4d542 100644
--- a/windows/client-management/mdm/laps-ddf-file.md
+++ b/windows/client-management/mdm/laps-ddf-file.md
@@ -1,7 +1,7 @@
---
title: LAPS DDF file
description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
-ms.date: 09/27/2024
+ms.date: 11/05/2024
---
@@ -80,7 +80,7 @@ The following XML file contains the device description framework (DDF) for the L
The allowable settings are:
0=Disabled (password will not be backed up)
-1=Backup the password to Azure AD only
+1=Backup the password to Microsoft Entra ID only
2=Backup the password to Active Directory only
If not specified, this setting will default to 0.
@@ -103,7 +103,7 @@ If not specified, this setting will default to 0.
1
- Backup the password to Azure AD only
+ Backup the password to Microsoft Entra ID only
2
@@ -126,7 +126,7 @@ If not specified, this setting will default to 0.
If not specified, this setting will default to 30 days
-This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Azure AD.
+This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Microsoft Entra ID.
This setting has a maximum allowed value of 365 days.
@@ -154,7 +154,7 @@ This setting has a maximum allowed value of 365 days.
1
- BackupDirectory configured to Azure AD
+ BackupDirectory configured to Microsoft Entra ID
@@ -442,7 +442,7 @@ If not specified, this setting defaults to True.
True
Use this setting to configure whether the password is encrypted before being stored in Active Directory.
-This setting is ignored if the password is currently being stored in Azure.
+This setting is ignored if the password is currently being stored in Microsoft Entra ID.
This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
@@ -499,7 +499,7 @@ If not specified, this setting defaults to True.
Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
-This setting is ignored if the password is currently being stored in Azure.
+This setting is ignored if the password is currently being stored in Microsoft Entra ID.
If not specified, the password will be decryptable by the Domain Admins group in the device's domain.
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 2b322e0891..3dcbc10721 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -1,7 +1,7 @@
---
title: PassportForWork CSP
description: Learn more about the PassportForWork CSP.
-ms.date: 08/06/2024
+ms.date: 11/05/2024
---
@@ -265,7 +265,7 @@ If the user forgets their PIN, it can be changed to a new PIN using the Windows
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index c94b22aed5..e53fb8e225 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -1,7 +1,7 @@
---
title: PassportForWork DDF file
description: View the XML file containing the device description framework (DDF) for the PassportForWork configuration service provider.
-ms.date: 06/28/2024
+ms.date: 11/05/2024
---
@@ -831,7 +831,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret
- 99.9.99999
+ 10.0.22621
1.6
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index ebfe368e86..ea1f4f9b24 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -1,7 +1,7 @@
---
title: Policies supported by Windows 10 Team
description: Learn about the policies supported by Windows 10 Team.
-ms.date: 08/06/2024
+ms.date: 11/05/2024
---
@@ -417,6 +417,7 @@ This article lists the policies that are applicable for the Surface Hub operatin
- [ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#excludejapaneseimeexceptjis0208andeudc)
- [ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#excludejapaneseimeexceptshiftjis)
- [ForceTouchKeyboardDockedState](policy-csp-textinput.md#forcetouchkeyboarddockedstate)
+- [TouchKeyboardControllerModeAvailability](policy-csp-textinput.md#touchkeyboardcontrollermodeavailability)
- [TouchKeyboardDictationButtonAvailability](policy-csp-textinput.md#touchkeyboarddictationbuttonavailability)
- [TouchKeyboardEmojiButtonAvailability](policy-csp-textinput.md#touchkeyboardemojibuttonavailability)
- [TouchKeyboardFullModeAvailability](policy-csp-textinput.md#touchkeyboardfullmodeavailability)
diff --git a/windows/client-management/mdm/policies-in-preview.md b/windows/client-management/mdm/policies-in-preview.md
index 2c62565783..57e70841a5 100644
--- a/windows/client-management/mdm/policies-in-preview.md
+++ b/windows/client-management/mdm/policies-in-preview.md
@@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
-ms.date: 09/27/2024
+ms.date: 11/05/2024
---
@@ -29,10 +29,17 @@ This article lists the policies that are applicable for Windows Insider Preview
- [EnablePhysicalDeviceAccessOnErrorScreens](clouddesktop-csp.md#userenablephysicaldeviceaccessonerrorscreens)
- [EnableBootToCloudSharedPCMode](clouddesktop-csp.md#deviceenableboottocloudsharedpcmode)
+## Connectivity
+
+- [UseCellularWhenWiFiPoor](policy-csp-connectivity.md#usecellularwhenwifipoor)
+- [DisableCellularSettingsPage](policy-csp-connectivity.md#disablecellularsettingspage)
+- [DisableCellularOperatorSettingsPage](policy-csp-connectivity.md#disablecellularoperatorsettingspage)
+
## DeclaredConfiguration CSP
- [Document](declaredconfiguration-csp.md#hostcompletedocumentsdociddocument)
- [Abandoned](declaredconfiguration-csp.md#hostcompletedocumentsdocidpropertiesabandoned)
+- [ConflictResolution](declaredconfiguration-csp.md#managementserviceconfigurationconflictresolution)
## DeliveryOptimization
@@ -52,6 +59,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [MdmAgentInstalled](devicepreparation-csp.md#mdmprovidermdmagentinstalled)
- [RebootRequired](devicepreparation-csp.md#mdmproviderrebootrequired)
+## Display
+
+- [ConfigureMultipleDisplayMode](policy-csp-display.md#configuremultipledisplaymode)
+
## DMClient CSP
- [DiscoveryEndpoint](dmclient-csp.md#deviceproviderprovideridlinkedenrollmentdiscoveryendpoint)
@@ -97,7 +108,6 @@ This article lists the policies that are applicable for Windows Insider Preview
## PassportForWork CSP
-- [EnableWindowsHelloProvisioningForSecurityKeys](passportforwork-csp.md#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys)
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
## Reboot CSP
@@ -112,6 +122,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
+## TextInput
+
+- [TouchKeyboardControllerModeAvailability](policy-csp-textinput.md#touchkeyboardcontrollermodeavailability)
+
## Update
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 1a15adf8c0..5ed3127e3f 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -1,7 +1,7 @@
---
title: Connectivity Policy CSP
description: Learn more about the Connectivity Area in Policy CSP.
-ms.date: 04/10/2024
+ms.date: 11/05/2024
---
@@ -11,6 +11,8 @@ ms.date: 04/10/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -584,6 +586,104 @@ Also, see the "Web-based printing" policy setting in Computer Configuration/Admi
+
+## DisableCellularOperatorSettingsPage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/DisableCellularOperatorSettingsPage
+```
+
+
+
+
+This policy makes all configurable settings in the 'Cellular' > 'Mobile operator settings' page read-only.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+
+
+
+
+
+
+## DisableCellularSettingsPage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/DisableCellularSettingsPage
+```
+
+
+
+
+This policy makes all configurable settings in the 'Cellular' Settings page read-only.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
+
+
+
+
+
+
+
## DisableDownloadingOfPrintDriversOverHTTP
@@ -899,6 +999,55 @@ If you disable this setting or don't configure it, the user will be able to crea
+
+## UseCellularWhenWiFiPoor
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/UseCellularWhenWiFiPoor
+```
+
+
+
+
+This policy allows the use of a cellular connection when Wi-Fi connectivity is limited.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disabled. |
+| 1 (Default) | Enabled. |
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index cd2bf997f6..863938353d 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -37,7 +37,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
> [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates.
+> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md).
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 171f5c4349..c058b8bccf 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -164,7 +164,7 @@ One or more values can be added as either fully qualified domain names (FQDN) or
> [!NOTE]
-> Clients don't talk to multiple Microsoft Connected Cache (MCC) servers at the same time. If you configure a list of MCC servers in this policy, the clients will round robin until they successfully connect to an MCC server. The clients have no way to determine if the MCC server has the content or not. If the MCC server doesn't have the content, it caches the content as it is handing the content back to the client.
+> Clients don't talk to multiple Microsoft Connected Cache servers at the same time. If you configure a list of Connected Cache servers in this policy, the clients will round robin until they successfully connect to a Connected Cache server. The clients have no way to determine if the Connected Cache server has the content or not. If the Connected Cache server doesn't have the content, it caches the content as it is handing the content back to the client.
@@ -578,7 +578,7 @@ Specifies the download method that Delivery Optimization can use in downloads of
> [!NOTE]
-> The Delivery Optimization service on the clients checks to see if there are peers and/or an MCC server which contains the content and determines the best source for the content.
+> The Delivery Optimization service on the clients checks to see if there are peers and/or a Connected Cache server which contains the content and determines the best source for the content.
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 8f021f8337..01753099d8 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -1,7 +1,7 @@
---
title: Display Policy CSP
description: Learn more about the Display Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 11/05/2024
---
@@ -9,10 +9,72 @@ ms.date: 01/18/2024
# Policy CSP - Display
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
+
+## ConfigureMultipleDisplayMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Display/ConfigureMultipleDisplayMode
+```
+
+
+
+
+This policy set the default display to set the arrangement between cloning or extending.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Default. |
+| 1 (Default) | Clone. |
+| 2 | Extend. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ConfigureMultipleDisplayMode |
+| Path | Display > AT > System > DisplayCat |
+| Element Name | ConfigureMultipleDisplayModePrompt |
+
+
+
+
+
+
+
+
## DisablePerProcessDpiForApps
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 031f151e0e..bdd4e1fcd0 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -1,7 +1,7 @@
---
title: LocalPoliciesSecurityOptions Policy CSP
description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/05/2024
---
@@ -388,10 +388,27 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
|:--|:--|
| Format | `b64` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | List (Delimiter: ``) |
-| Default Value | 00 |
+| Default Value | AA== |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| AQ== | Enable. |
+| AA== (Default) | Disable. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Audit: Audit the use of Backup and Restore privilege |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
+
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index 70acc4ac5e..a3d59bef8b 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -1,7 +1,7 @@
---
title: RemoteDesktopServices Policy CSP
description: Learn more about the RemoteDesktopServices Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/05/2024
---
@@ -156,7 +156,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2461] and later ✅ [10.0.25398.887] and later ✅ Windows 10, version 2004 [10.0.19041.4474] and later ✅ Windows 11, version 21H2 with [KB5037770](https://support.microsoft.com/help/5037770) [10.0.22000.2960] and later ✅ Windows 11, version 22H2 with [KB5037771](https://support.microsoft.com/help/5037771) [10.0.22621.3593] and later ✅ Windows 11, version 24H2 [10.0.26100] and later |
@@ -217,7 +217,7 @@ This policy applies only when using legacy authentication to authenticate to the
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ [10.0.20348.2461] and later ✅ [10.0.25398.887] and later ✅ Windows 10, version 2004 [10.0.19041.4474] and later ✅ Windows 11, version 21H2 with [KB5037770](https://support.microsoft.com/help/5037770) [10.0.22000.2960] and later ✅ Windows 11, version 22H2 with [KB5037771](https://support.microsoft.com/help/5037771) [10.0.22621.3593] and later ✅ Windows 11, version 24H2 [10.0.26100] and later |
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 359c78a5c8..ef469c7c40 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -1,7 +1,7 @@
---
title: TextInput Policy CSP
description: Learn more about the TextInput Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 11/05/2024
---
@@ -9,6 +9,8 @@ ms.date: 01/18/2024
# Policy CSP - TextInput
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -1172,6 +1174,56 @@ Specifies the touch keyboard is always docked. When this policy is set to enable
+
+## TouchKeyboardControllerModeAvailability
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardControllerModeAvailability
+```
+
+
+
+
+Specifies whether the controller keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the controller keyboard mode for touch keyboard is disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | The OS determines when it's most appropriate to be available. |
+| 1 | Controller keyboard is always available. |
+| 2 | Controller keyboard is always disabled. |
+
+
+
+
+
+
+
+
## TouchKeyboardDictationButtonAvailability
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 677a40fffb..547985d9b2 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -1,7 +1,7 @@
---
title: Wifi Policy CSP
description: Learn more about the Wifi Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 11/05/2024
---
@@ -188,10 +188,7 @@ By default, ICS is disabled when you create a remote access connection, but admi
-Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. Most restricted value is 0.
-
-> [!NOTE]
-> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that aren't user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted.
+Allow or block connections to Wi-Fi outside of MDM server-installed networks. If you change this setting to Block, you must deploy enterprise Wi-Fi profiles to the device using the Wi-Fi CSP before you apply this setting. Otherwise, the device will go offline since it won't be able to connect to Wi-Fi. Note that choosing to block Wi-Fi connections will delete any previously installed user-configured Wi-Fi profiles from the device, though not all non-MDM profiles will be deleted.
diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md
index 642e2df000..72d541101b 100644
--- a/windows/client-management/mdm/policy-csp-windowsai.md
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/05/2024
---
@@ -286,10 +286,9 @@ This policy setting allows you to turn off Windows Copilot.
-
-> [!Note]
-> - The TurnOffWindowsCopilot policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-copilot-in-windows-for-your-workforce/ba-p/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices.
+> [!NOTE]
+> - The TurnOffWindowsCopilot policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/blog/windows-itpro-blog/evolving-copilot-in-windows-for-your-workforce/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices.
diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md
index 3d2532b2af..26cb548ff8 100644
--- a/windows/configuration/assigned-access/configuration-file.md
+++ b/windows/configuration/assigned-access/configuration-file.md
@@ -3,7 +3,7 @@ title: Create an Assigned Access configuration file
description: Learn how to create an XML file to configure Assigned Access.
ms.topic: how-to
zone_pivot_groups: windows-versions-11-10
-ms.date: 03/04/2024
+ms.date: 10/31/2024
appliesto:
---
diff --git a/windows/configuration/assigned-access/examples.md b/windows/configuration/assigned-access/examples.md
index 3c0c865d64..0970cd2d90 100644
--- a/windows/configuration/assigned-access/examples.md
+++ b/windows/configuration/assigned-access/examples.md
@@ -1,7 +1,7 @@
---
title: Assigned Access examples
description: Practical examples of XML files to configure Assigned Access.
-ms.date: 03/04/2024
+ms.date: 10/31/2024
ms.topic: reference
zone_pivot_groups: windows-versions-11-10
appliesto:
diff --git a/windows/configuration/assigned-access/images/restricted-user-experience-example.png b/windows/configuration/assigned-access/images/restricted-user-experience-example.png
new file mode 100644
index 0000000000..e2863c0f06
Binary files /dev/null and b/windows/configuration/assigned-access/images/restricted-user-experience-example.png differ
diff --git a/windows/configuration/assigned-access/images/restricted-user-experience-windows-11.png b/windows/configuration/assigned-access/images/restricted-user-experience-windows-11.png
index 6105c7bdd7..6deca437a7 100644
Binary files a/windows/configuration/assigned-access/images/restricted-user-experience-windows-11.png and b/windows/configuration/assigned-access/images/restricted-user-experience-windows-11.png differ
diff --git a/windows/configuration/assigned-access/index.md b/windows/configuration/assigned-access/index.md
index e8f3ecf20b..198d5e431c 100644
--- a/windows/configuration/assigned-access/index.md
+++ b/windows/configuration/assigned-access/index.md
@@ -2,7 +2,7 @@
title: Windows kiosks and restricted user experiences
description: Learn about the options available in Windows to configure kiosks and restricted user experiences.
ms.topic: overview
-ms.date: 03/04/2024
+ms.date: 10/31/2024
---
# Windows kiosks and restricted user experiences
@@ -43,6 +43,8 @@ Windows offers two different features to configure a kiosk experience:
This option loads the Windows desktop, but it only allows to run a defined set of applications. When the designated user signs in, the user can only run the apps that are allowed. The Start menu is customized to show only the apps that are allowed to execute. With this approach, you can configure a locked-down experience for different account types. This option is sometimes referred to as *multi-app kiosk*.
+:::image type="content" source="images/restricted-user-experience-example.png" alt-text="Screenshot of a restricted user experience in Windows 11." border="false":::
+
To configure a restricted user experience, you use the **Assigned Access** feature.
## Choose the right experience
diff --git a/windows/configuration/assigned-access/overview.md b/windows/configuration/assigned-access/overview.md
index 29d6b948b2..9e87bd19a5 100644
--- a/windows/configuration/assigned-access/overview.md
+++ b/windows/configuration/assigned-access/overview.md
@@ -1,7 +1,7 @@
---
title: What is Assigned Access?
description: Learn how to configure a Windows kiosk for single-app and multi-app scenarios with Assigned Access.
-ms.date: 06/14/2024
+ms.date: 10/31/2024
ms.topic: overview
---
diff --git a/windows/configuration/assigned-access/policy-settings.md b/windows/configuration/assigned-access/policy-settings.md
index 9e9794304b..5facd6498a 100644
--- a/windows/configuration/assigned-access/policy-settings.md
+++ b/windows/configuration/assigned-access/policy-settings.md
@@ -2,7 +2,7 @@
title: Assigned Access policy settings
description: Learn about the policy settings enforced on a device configured with Assigned Access.
ms.topic: reference
-ms.date: 03/04/2024
+ms.date: 10/31/2024
---
# Assigned Access policy settings
diff --git a/windows/configuration/assigned-access/quickstart-kiosk.md b/windows/configuration/assigned-access/quickstart-kiosk.md
index 0dd9ff9fa7..b0583377da 100644
--- a/windows/configuration/assigned-access/quickstart-kiosk.md
+++ b/windows/configuration/assigned-access/quickstart-kiosk.md
@@ -2,7 +2,7 @@
title: "Quickstart: configure a kiosk experience with Assigned Access"
description: Learn how to configure a kiosk experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
-ms.date: 03/04/2024
+ms.date: 10/31/2024
---
# Quickstart: configure a kiosk with Assigned Access
diff --git a/windows/configuration/assigned-access/quickstart-restricted-user-experience.md b/windows/configuration/assigned-access/quickstart-restricted-user-experience.md
index de5573c281..75d9bb74c1 100644
--- a/windows/configuration/assigned-access/quickstart-restricted-user-experience.md
+++ b/windows/configuration/assigned-access/quickstart-restricted-user-experience.md
@@ -2,7 +2,7 @@
title: "Quickstart: configure a restricted user experience with Assigned Access"
description: Learn how to configure a restricted user experience with Assigned Access using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
-ms.date: 03/04/2024
+ms.date: 10/31/2024
appliesto:
zone_pivot_groups: windows-versions-11-10
---
diff --git a/windows/configuration/assigned-access/recommendations.md b/windows/configuration/assigned-access/recommendations.md
index 64b2ce4d5c..10a4e13dcf 100644
--- a/windows/configuration/assigned-access/recommendations.md
+++ b/windows/configuration/assigned-access/recommendations.md
@@ -2,7 +2,7 @@
title: Assigned Access recommendations
description: Learn about the recommended kiosk and restricted user experience configuration options.
ms.topic: best-practice
-ms.date: 03/11/2024
+ms.date: 10/31/2024
---
# Assigned Access recommendations
diff --git a/windows/configuration/assigned-access/shell-launcher/configuration-file.md b/windows/configuration/assigned-access/shell-launcher/configuration-file.md
index d63efdb85b..459b26e0a2 100644
--- a/windows/configuration/assigned-access/shell-launcher/configuration-file.md
+++ b/windows/configuration/assigned-access/shell-launcher/configuration-file.md
@@ -1,7 +1,7 @@
---
title: Create a Shell Launcher configuration file
description: Learn how to create an XML file to configure a device with Shell Launcher.
-ms.date: 02/12/2024
+ms.date: 10/31/2024
ms.topic: how-to
---
diff --git a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md
index eb3b1a1b04..67b1c7788a 100644
--- a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md
+++ b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-intune.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 10/31/2024
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md
index c783de00f6..d6c03611c6 100644
--- a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md
+++ b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-ps.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 10/31/2024
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md
index 80e9dd0bb8..085c937378 100644
--- a/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md
+++ b/windows/configuration/assigned-access/shell-launcher/includes/quickstart-xml.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/05/2024
+ms.date: 10/31/2024
ms.topic: include
---
diff --git a/windows/configuration/assigned-access/shell-launcher/index.md b/windows/configuration/assigned-access/shell-launcher/index.md
index 4a51fa2143..4c942afd74 100644
--- a/windows/configuration/assigned-access/shell-launcher/index.md
+++ b/windows/configuration/assigned-access/shell-launcher/index.md
@@ -1,7 +1,7 @@
---
title: What is Shell Launcher?
description: Learn how to configure devices with Shell Launcher.
-ms.date: 06/18/2024
+ms.date: 10/31/2024
ms.topic: overview
---
diff --git a/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md b/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md
index f217d88363..c843e767a5 100644
--- a/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md
+++ b/windows/configuration/assigned-access/shell-launcher/quickstart-kiosk.md
@@ -2,7 +2,7 @@
title: "Quickstart: configure a kiosk experience with Shell Launcher"
description: Learn how to configure a kiosk experience with Shell Launcher, using the Assigned Access configuration service provider (CSP), Microsoft Intune, PowerShell, or group policy (GPO).
ms.topic: quickstart
-ms.date: 02/05/2024
+ms.date: 10/31/2024
---
# Quickstart: configure a kiosk experience with Shell Launcher
diff --git a/windows/configuration/assigned-access/shell-launcher/xsd.md b/windows/configuration/assigned-access/shell-launcher/xsd.md
index ef624ae434..3dcc586570 100644
--- a/windows/configuration/assigned-access/shell-launcher/xsd.md
+++ b/windows/configuration/assigned-access/shell-launcher/xsd.md
@@ -2,7 +2,7 @@
title: Shell Launcher XML Schema Definition (XSD)
description: Shell Launcher XSD reference article.
ms.topic: reference
-ms.date: 02/15/2024
+ms.date: 10/31/2024
---
# Shell Launcher XML Schema Definition (XSD)
diff --git a/windows/configuration/assigned-access/xsd.md b/windows/configuration/assigned-access/xsd.md
index 5cd75dccbe..36c51137aa 100644
--- a/windows/configuration/assigned-access/xsd.md
+++ b/windows/configuration/assigned-access/xsd.md
@@ -2,7 +2,7 @@
title: Assigned Access XML Schema Definition (XSD)
description: Assigned Access XSD reference article.
ms.topic: reference
-ms.date: 04/08/2024
+ms.date: 10/31/2024
---
# Assigned Access XML Schema Definition (XSD)
diff --git a/windows/configuration/shared-pc/set-up-shared-or-guest-pc.md b/windows/configuration/shared-pc/set-up-shared-or-guest-pc.md
index 15c139b82e..4d13b9b87e 100644
--- a/windows/configuration/shared-pc/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/shared-pc/set-up-shared-or-guest-pc.md
@@ -1,7 +1,7 @@
---
title: Configure a shared or guest Windows device
description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
-ms.date: 09/06/2024
+ms.date: 10/31/2024
ms.topic: how-to
---
diff --git a/windows/configuration/shared-pc/shared-devices-concepts.md b/windows/configuration/shared-pc/shared-devices-concepts.md
index fdb4b3ed52..84659c4325 100644
--- a/windows/configuration/shared-pc/shared-devices-concepts.md
+++ b/windows/configuration/shared-pc/shared-devices-concepts.md
@@ -1,7 +1,7 @@
---
title: Manage multi-user and guest Windows devices
description: options to optimize Windows devices used in shared scenarios, such touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
-ms.date: 02/06/2024
+ms.date: 10/31/2024
ms.topic: concept-article
---
diff --git a/windows/configuration/shared-pc/shared-pc-technical.md b/windows/configuration/shared-pc/shared-pc-technical.md
index 62edc9d451..dbd8ff2fd7 100644
--- a/windows/configuration/shared-pc/shared-pc-technical.md
+++ b/windows/configuration/shared-pc/shared-pc-technical.md
@@ -1,7 +1,7 @@
---
title: Shared PC technical reference
description: List of policies and settings applied by the Shared PC options.
-ms.date: 02/06/2024
+ms.date: 10/31/2024
ms.topic: reference
---
diff --git a/windows/configuration/start/includes/disable-account-notifications.md b/windows/configuration/start/includes/disable-account-notifications.md
new file mode 100644
index 0000000000..02d3427ef9
--- /dev/null
+++ b/windows/configuration/start/includes/disable-account-notifications.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/04/2024
+ms.topic: include
+---
+
+### Disable Account Notifications
+
+This policy controls the notifications to Microsoft account (MSA) and local users in the Start's user tile:
+
+- When enabled, Windows doesn't send account related notifications for local and MSA users to the user tile in Start
+- Wen disabled or not configured, Windows sends account related notifications for local and MSA users to the user tile in Start
+
+Notifications include getting users to:
+
+- reauthenticate
+- back up their device
+- manage cloud storage quotas
+- manage their Microsoft 365 or XBOX subscription
+
+| | Path |
+|--|--|
+| **CSP** | `./User/Vendor/MSFT/Policy/Config/Notifications/`[DisableAccountNotifications](/windows/client-management/mdm/policy-csp-notifications#disableaccountnotifications) |
+| **GPO** | **User Configuration** > **Administrative Templates** > **Windows Components** > **Account Notifications** > **Turn off account notifications in Start** |
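Review bot: The second bullet of the new include starts with `Wen disabled or not configured`, a typo that will render on every article that includes this file; it should read `- When disabled or not configured, Windows sends account-related notifications for local and MSA users to the user tile in Start`. The same hyphenation (`account-related`) applies to the first bullet, and `XBOX` in the last list item is normally written `Xbox`. The phrase `in the Start's user tile` in the opening sentence reads better as `in the user tile in Start`, matching the bullets.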
diff --git a/windows/configuration/start/layout.md b/windows/configuration/start/layout.md
index 30baa389a1..81f5d11c75 100644
--- a/windows/configuration/start/layout.md
+++ b/windows/configuration/start/layout.md
@@ -304,10 +304,10 @@ Column="2"/>
You can use the `start:SecondaryTile` tag to pin a web link through a Microsoft Edge secondary tile. This method doesn't require more actions compared to the method of using legacy `.url` shortcuts (through the `start:DesktopApplicationTile` tag).
-The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile:
+The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile. Ensure to replace `<--Microsoft Edge AUMID-->` with the AUMID of Microsoft Edge (learn how to [Find the Application User Model ID of an installed app](../store/find-aumid.md)):
```XML
- [!IMPORTANT]
-> If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the `explorer.exe` process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using CSP or GPO.
+### Taskbar configuration and policy refresh
+
+Depending on the method you use to configure the taskbar, the configuration is reapplied at different intervals. When the taskbar configuration is reapplied, user changes are overwritten.
+
+| Configuration method | Reapplied interval |
+|--|--|
+| Configuration service provider (CSP) | Every 8 hours or based on the [ConfigRefresh](/windows/client-management/mdm/dmclient-csp#deviceproviderprovideridconfigrefresh) interval. |
+| Provisioning package (PPKG) | Each time the `explorer.exe` process restarts. |
+| Group policy (GPO) | In case of a group policy change. |
> [!CAUTION]
-> The use of the `Import-StartLayout` PowerShell cmdlet to provision the Taskbar layout is no longer supported in Windows 11. The only supported configuration in Windows 11 is to use a provisioning package.
+> The use of the `Import-StartLayout` PowerShell cmdlet to provision the Taskbar layout is no longer supported in Windows 11.
+
::: zone pivot="windows-10"
>[!NOTE]
@@ -78,13 +86,13 @@ Here you can find an example of taskbar layout that you can use as a reference:
You can change the apps pinned to the taskbar by modifying the `` node.
1. In the `` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps:
- - ``: Select this option for UWP apps. Add the *AUMID* of the UWP app
- - ``: Select this option for desktop apps. Add the *Desktop Application ID* or the *Desktop Application Link Path* of the desktop app
+ - ``: Select this option for UWP apps. Add the *AUMID* of the UWP app.
+ - ``: Select this option for desktop apps. Add the *Desktop Application ID* or the *Desktop Application Link Path* of the desktop app.
1. In the `` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`:
- - ``: Keeps the default pinned apps. After the default apps, the apps you add are pinned
- - ``: Unpins the default apps. Only the apps you add are pinned. If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to ``, include the default apps you still want pinned
-1. In the `` node, use `region=" | "` to use different taskbar configurations based on the device locale and region
-1. Save the file
+ - ``: Keeps the default pinned apps. After the default apps, the apps you add are pinned.
+ - ``: Unpins the default apps. Only the apps you add are pinned. If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to ``, include the default apps you still want pinned.
+1. In the `` node, use `region=" | "` to use different taskbar configurations based on the device locale and region.
+1. Save the file.
For practical examples of how to add, remove, or replace pinned apps, see the following sections:
@@ -147,8 +155,8 @@ In the following XML example, two regions are added: `US|UK` and `DE|FR|IT`:
[!INCLUDE [example](includes/example-region.md)]
-- If the `` node has region matching the one configured on the device, then the configuration applies
-- If the `` node doesn't have a region matching the one configured on the device, then the first `` node without region applies
+- If the `` node has region matching the one configured on the device, then the configuration applies.
+- If the `` node doesn't have a region matching the one configured on the device, then the first `` node without region applies.
> [!NOTE]
> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20))
@@ -212,15 +220,15 @@ After the taskbar layout is applied, the users must sign out and sign in again t
On a clean install of Windows, if you apply a taskbar layout, the following apps are pinned to the taskbar:
-- Any default apps you don't remove
-- Apps that you specifically pin in the XML file
+- Any default apps you don't remove.
+- Apps that you specifically pin in the XML file.
On a Windows OS upgrade, apps are already pinned to the taskbar. The taskbar layout applies the following logic:
-- If users pinned apps to the taskbar, then those pinned apps remain. New apps are pinned after the existing user-pinned apps
-- If the apps are pinned during the install or by a policy (not by a user), and the apps aren't pinned in an updated layout file, then the apps are unpinned
-- If a user didn't pin an app, and the same app is pinned in the updated layout file, then the app is pinned after any existing pinned apps
-- New apps in updated layout file are pinned after the user's pinned apps
+- If users pinned apps to the taskbar, then those pinned apps remain. New apps are pinned after the existing user-pinned apps.
+- If the apps are pinned during the install or by a policy (not by a user), and the apps aren't pinned in an updated layout file, then the apps are unpinned.
+- If a user didn't pin an app, and the same app is pinned in the updated layout file, then the app is pinned after any existing pinned apps.
+- New apps in updated layout file are pinned after the user's pinned apps.
If you apply the taskbar configuration to a clean install or an update, users can still:
diff --git a/windows/configuration/taskbar/policy-settings.md b/windows/configuration/taskbar/policy-settings.md
index 72ca73538b..ed1b04da64 100644
--- a/windows/configuration/taskbar/policy-settings.md
+++ b/windows/configuration/taskbar/policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Taskbar policy settings
-description: Learn about the policy settings to configure the Windows taskbar.
+title: List of the Policy Settings To Configure the Windows Taskbar
+description: Learn about the CSP and GPO policy settings to configure the Windows taskbar.
ms.topic: reference
-ms.date: 04/17/2024
+ms.date: 11/07/2024
appliesto:
zone_pivot_groups: windows-versions-11-10
---
diff --git a/windows/configuration/taskbar/xsd.md b/windows/configuration/taskbar/xsd.md
index c6d5ded3aa..351c262871 100644
--- a/windows/configuration/taskbar/xsd.md
+++ b/windows/configuration/taskbar/xsd.md
@@ -1,8 +1,8 @@
---
-title: Taskbar XML Schema Definition (XSD)
-description: Taskbar XSD reference article.
+title: Windows Taskbar XML Schema Definition (XSD)
+description: Reference article about the Taskbar XML schema definition (XSD).
ms.topic: reference
-ms.date: 02/15/2024
+ms.date: 11/07/2024
---
# Taskbar XML Schema Definition (XSD)
diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md
index 31420e8890..858a5e63bf 100644
--- a/windows/deployment/customize-boot-image.md
+++ b/windows/deployment/customize-boot-image.md
@@ -1,6 +1,6 @@
---
title: Customize Windows PE boot images
-description: This article describes how to customize a Windows PE (WinPE) boot image including updating it with the latest cumulative update, adding drivers, and adding optional components.
+description: This article describes how to customize a Windows PE (WinPE) boot image, including updating it with the latest cumulative update, adding drivers, and adding optional components.
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
@@ -23,13 +23,13 @@ appliesto:
The Windows PE (WinPE) boot images that are included with the Windows ADK have a minimal number of features and drivers. However the boot images can be customized by adding drivers, optional components, and applying the latest cumulative update.
-Microsoft recommends updating Windows PE boot images with the latest cumulative update for maximum security and protection. The latest cumulative updates may also resolve known issues. For example, the Windows PE boot image can be updated with the latest cumulative update to address the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932).
+Microsoft recommends updating Windows PE boot images with the latest cumulative update for maximum security and protection. The latest cumulative updates may also resolve known issues. For example, the Windows PE boot image can be updated with the latest cumulative update to address the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://support.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932).
> [!TIP]
>
> The boot images from the [ADK 10.1.26100.1 (May 2024)](/windows-hardware/get-started/adk-install) and later already contain the cumulative update to address the BlackLotus UEFI bootkit vulnerability.
-This walkthrough describes how to customize a Windows PE boot image including updating with the latest cumulative update, adding drivers, and adding optional components. Additionally this walkthrough goes over how customizations in boot images affect several different popular products that utilize boot images, such as Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS).
+This walkthrough describes how to customize a Windows PE boot image, including updating with the latest cumulative update, adding drivers, and adding optional components. Additionally this walkthrough goes over how customizations in boot images affect several different popular products that utilize boot images, such as Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS).
## Prerequisites
@@ -332,7 +332,7 @@ The cumulative update installed later in this walkthrough doesn't affect drivers
**Example**:
```powershell
- Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab" -Path "C:\Mount" -Verbose
+ Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab" -Path "C:\Mount" -Verbose
```
These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly.
@@ -668,7 +668,7 @@ For more information, see [copy](/windows-server/administration/windows-commands
This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr boot files are available to the Windows ADK when creating bootable media via the Windows ADK. When these files are updated in the Windows ADK, products that use the Windows ADK to create bootable media, such as **Microsoft Deployment Toolkit (MDT)**, also have access to the updated bootmgr boot files.
-In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932).
+In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://support.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932).
> [!TIP]
>
@@ -839,7 +839,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag
---
1. Once the export has completed:
-
+
1. Delete the original updated boot image:
### [:::image type="icon" source="images/icons/powershell-18.svg"::: **PowerShell**](#tab/powershell)
@@ -1295,4 +1295,4 @@ For more information, see [Windows Server 2012 R2 Lifecycle](/lifecycle/products
- [Create bootable Windows PE media: Update the Windows PE add-on for the Windows ADK](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#update-the-windows-pe-add-on-for-the-windows-adk)
- [Update Windows installation media with Dynamic Update: Update WinPE](/windows/deployment/update/media-dynamic-update#update-winpe)
-- [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932: Updating bootable media](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d?preview=true#updatebootable5025885)
+- [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932: Updating bootable media](https://support.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d)
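Review bot: The replacement link on the last added line keeps the label ending `CVE-2023-24932: Updating bootable media` but drops the `#updatebootable5025885` fragment together with `?preview=true`, so the link now opens the top of KB5025885 instead of the section the label names. Dropping the preview query and the `prod.support.services` host is right; the fragment should stay if that anchor still exists on support.microsoft.com, that is, end the URL with `-41a975df-beb2-40c1-99a3-b3ff139f832d#updatebootable5025885`. If the anchor was removed from the KB, shorten the label to match the other two KB5025885 links changed in this file.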
diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml
index fe1b2a0cf3..b9d7757f89 100644
--- a/windows/deployment/do/TOC.yml
+++ b/windows/deployment/do/TOC.yml
@@ -33,21 +33,45 @@
items:
- name: What is Microsoft Connected Cache?
href: waas-microsoft-connected-cache.md
- - name: MCC for Enterprise and Education
+ - name: Microsoft Connected Cache for Enterprise and Education
items:
- - name: MCC for Enterprise and Education Overview
+ - name: Connected Cache for Enterprise and Education overview
href: mcc-ent-edu-overview.md
- name: Requirements
- href: mcc-enterprise-prerequisites.md
- - name: Deploy Microsoft Connected Cache
- href: mcc-enterprise-deploy.md
- - name: Update or uninstall MCC
- href: mcc-enterprise-update-uninstall.md
- - name: Appendix
- href: mcc-enterprise-appendix.md
- - name: MCC for ISPs
+ href: mcc-ent-prerequisites.md
+ - name: How-to guides
+ items:
+ - name: Create and configure Connected Cache resources and cache nodes
+ href: mcc-ent-create-resource-and-cache.md
+ - name: Deploy Connected Cache nodes to host machines
+ items:
+ - name: Deploy Connected Cache to Linux
+ href: mcc-ent-deploy-to-linux.md
+ - name: Deploy Connected Cache to Windows
+ href: mcc-ent-deploy-to-windows.md
+ - name: Use Azure CLI to manage Connected Cache
+ href: mcc-ent-manage-using-cli.md
+ - name: Verify Connected Cache node functionality
+ href: mcc-ent-verify-cache-node.md
+ - name: Monitor Connected Cache nodes
+ href: mcc-ent-monitoring.md
+ - name: Update Connected Cache nodes
+ href: mcc-ent-update-cache-node.md
+ - name: Uninstall Connected Cache nodes
+ href: mcc-ent-uninstall-cache-node.md
+ - name: Resources
+ items:
+ - name: Frequent Asked Questions
+ href: mcc-ent-faq.yml
+ - name: Troubleshooting
+ href: mcc-ent-troubleshooting.md
+ - name: Microsoft Connected Cache for Enterprise and Education early preview
+ href: mcc-ent-early-preview.md
+ - name: Release notes
+ href: mcc-ent-release-notes.md
+ - name: Microsoft Connected Cache for ISPs
items:
- - name: MCC for ISPs Overview
+ - name: Connected Cache for ISPs Overview
href: mcc-isp-overview.md
- name: How-to guides
items:
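Review bot: The new Resources entry is named `Frequent Asked Questions`, which will appear in the navigation as written; it should be `- name: Frequently Asked Questions`. Casing is also inconsistent between the two sibling nodes this hunk renames: `Connected Cache for Enterprise and Education overview` uses a lowercase `overview` while `Connected Cache for ISPs Overview` keeps the capital, so one of them should change to match.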
@@ -67,9 +91,8 @@
href: mcc-isp-vm-performance.md
- name: Support and troubleshooting
href: mcc-isp-support.md
- - name: MCC for ISPs (early preview)
+ - name: Connected Cache for ISPs (early preview)
href: mcc-isp.md
- name: Endpoints for Microsoft Connected Cache content and services
href: delivery-optimization-endpoints.md
-
diff --git a/windows/deployment/do/delivery-optimization-configure.md b/windows/deployment/do/delivery-optimization-configure.md
index cfe43ce385..7722670c70 100644
--- a/windows/deployment/do/delivery-optimization-configure.md
+++ b/windows/deployment/do/delivery-optimization-configure.md
@@ -35,7 +35,7 @@ Use this checklist to guide you through different aspects when modifying Deliver
* System resources
* Improve P2P efficiencies
-1. Using Connected Cache (MCC)
+1. Using Microsoft Connected Cache
1. Choose where to set Delivery Optimization policies
## 1. Prerequisites to allow Delivery Optimization communication
@@ -189,7 +189,7 @@ Regardless of P2P, consider setting the following policies to avoid network disr
> [!NOTE]
> The absolute policies are recommended in low bandwidth environments.
-## 3. Using Connected Cache (MCC)
+## 3. Using Connected Cache
:::image type="content" source="images/do-setup-connected-cache.png" alt-text="Screenshot of Delivery Optimization options when using Connected Cache." lightbox="images/do-setup-connected-cache.png":::
diff --git a/windows/deployment/do/delivery-optimization-troubleshoot.md b/windows/deployment/do/delivery-optimization-troubleshoot.md
index 5ade7e311f..972b148de4 100644
--- a/windows/deployment/do/delivery-optimization-troubleshoot.md
+++ b/windows/deployment/do/delivery-optimization-troubleshoot.md
@@ -29,7 +29,7 @@ This article discusses how to troubleshoot Delivery Optimization.
- -HealthCheck: Provides an overall check of the device setup to ensure Delivery Optimization communication is possible on the device.
- -P2P: Provides output specific to P2P settings, efficiency, and errors.
-- -MCC: Provides output specific to MCC settings and verifies the client can access the cache server.
+- -MCC: Provides output specific to Microsoft Connected Cache settings and verifies the client can access the cache server.
## Common problems and solutions
diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md
index 8b132e7d76..4bf73fa9c9 100644
--- a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md
+++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md
@@ -25,4 +25,4 @@ This file contains the images that are included in this GitHub repository that a
:::image type="content" source="ux-iot-edge-list.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing all three containers running successfully.":::
-:::image type="content" source="ux-mcc-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing the MCC container in a failure state.":::
\ No newline at end of file
+:::image type="content" source="ux-mcc-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing the Microsoft Connected Cache container in a failure state.":::
\ No newline at end of file
diff --git a/windows/deployment/do/images/mcc_ent_publicpreview.png b/windows/deployment/do/images/mcc_ent_publicpreview.png
new file mode 100644
index 0000000000..6f6f292d58
Binary files /dev/null and b/windows/deployment/do/images/mcc_ent_publicpreview.png differ
diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md
index 5e0061e00b..0be764aea7 100644
--- a/windows/deployment/do/includes/get-azure-subscription.md
+++ b/windows/deployment/do/includes/get-azure-subscription.md
@@ -14,6 +14,6 @@ ms.localizationpriority: medium
1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Subscriptions**. If you don't see **Subscriptions**, type **Subscriptions** in the search bar. As you begin typing, the list filters based on your input.
1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left.
-1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service.
+1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the Microsoft Connected Cache service.
1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name.
1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value.
diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml
index d2e3a5c60a..dc1e99b304 100644
--- a/windows/deployment/do/index.yml
+++ b/windows/deployment/do/index.yml
@@ -15,7 +15,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
- ms.date: 12/22/2023 #Required; mm/dd/yyyy format.
+ ms.date: 10/30/2024 #Required; mm/dd/yyyy format.
ms.localizationpriority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -32,7 +32,7 @@ landingContent:
url: waas-delivery-optimization.md
- text: What's new in Delivery Optimization
url: whats-new-do.md
- - text: Microsoft Connected Cache (MCC) overview
+ - text: Microsoft Connected Cache overview
url: waas-microsoft-connected-cache.md
@@ -63,25 +63,25 @@ landingContent:
url: /mem/intune/configuration/delivery-optimization-windows
# Card
- - title: Microsoft Connected Cache (MCC) for Enterprise and Education
+ - title: Microsoft Connected Cache for Enterprise and Education
linkLists:
- linkListType: deploy
links:
- - text: MCC for Enterprise and Education (early preview)
- url: waas-microsoft-connected-cache.md
- - text: Sign up
- url: https://aka.ms/MSConnectedCacheSignup
+ - text: Connected Cache for Enterprise and Education overview
+ url: mcc-ent-edu-overview.md
+ - text: Connected Cache for Enterprise and Education requirements
+ url: mcc-ent-prerequisites.md
+ - text: Create the Microsoft Connected Cache Azure resource and cache nodes
+ url: mcc-ent-create-resource-and-cache.md
# Card
- - title: Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs)
+ - title: Microsoft Connected Cache for Internet Service Providers (ISPs)
linkLists:
- linkListType: deploy
links:
- - text: MCC for ISPs (public preview)
+ - text: Connected Cache for ISPs (public preview)
url: mcc-isp-signup.md
- - text: Sign up
- url: https://aka.ms/MCCForISPSurvey
- - text: MCC for ISPs (early preview)
+ - text: Connected Cache for ISPs (early preview)
url: mcc-isp.md
diff --git a/windows/deployment/do/mcc-ent-create-resource-and-cache.md b/windows/deployment/do/mcc-ent-create-resource-and-cache.md
new file mode 100644
index 0000000000..9340c11d38
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-create-resource-and-cache.md
@@ -0,0 +1,349 @@
+---
+title: Create and configure Microsoft Connected Cache nodes
+description: Details on how to create and configure Microsoft Connected Cache for Enterprise and Education cache nodes.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: how-to
+manager: naengler
+ms.author: nidos
+author: doshnid
+appliesto:
+- ✅ Windows 11
+- ✅ Supported Linux distributions
+- ✅ Microsoft Connected Cache for Enterprise
+ms.date: 10/30/2024
+---
+
+# Create Microsoft Connected Cache Azure resource and cache nodes
+
+This article outlines how to create and configure your Microsoft Connected Cache for Enterprise and Education cache nodes. The creation and configuration of your cache node takes place in Azure. The deployment of your cache node requires downloading and running an OS-specific provisioning package on your host machine.
+
+## Prerequisites
+
+1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a free-of-charge service hosted in Azure. You'll need a pay-as-you-go Azure subscription in order to onboard to our service. To create a subscription, go to [pay-as-you-go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/).
+2. **Hardware to host Connected Cache**: The recommended configuration serves approximately 35,000 managed devices, downloading a 2-GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
+
+For more information on sizing and OS requirements, see [the prerequisites for using Connected Cache](mcc-ent-prerequisites.md).
+
+
+## Create Connected Cache Azure resource
+
+# [Azure portal](#tab/portal)
+
+1. In the [Azure portal](https://portal.azure.com), select **Create a Resource** and search for `Microsoft Connected Cache for Enterprise and Education`.
+
+
+1. Select the Microsoft Connected Cache for Enterprise resource. When prompted, choose the subscription, resource group, and location for the resource. Then enter a name for the resource, then select Review + Create.
+
+1. After a few moments, you'll see a "Validation successful" message, indicating you can move onto the next step and select Create.
+
+1. The creation of the resource might take a few minutes. After a successful creation, you'll see a page stating the deployment is complete. Select **Go to resource** to create cache nodes.
+
+
+# [Azure CLI](#tab/cli)
+
+### Prerequisites
+
+* An Azure CLI environment:
+
+ * Use the Bash environment in [Azure Cloud Shell](/azure/cloud-shell/get-started/classic).
+
+ * Or, if you prefer to run CLI reference commands locally, [install the Azure CLI](/cli/azure/install-azure-cli)
+
+ * Sign in to the Azure CLI by using the [az login](/cli/azure/reference-index#az-login) command.
+
+ * Run [az version](/cli/azure/reference-index#az-version) to find the version and dependent libraries that are installed. To upgrade to the latest version, run [az upgrade](/cli/azure/reference-index#az-upgrade).
+
+ * Install Azure CLI extension **mcc** by following the instructions [here](/cli/azure/azure-cli-extensions-overview#how-to-install-extensions).
+
+ * Resource group under which a Connected Cache resource can be created. Use the [az group create](/cli/azure/group#az-group-create) command to create a new Resource group if you don't already have one.
+
+#### Create Connected Cache Azure resource
+
+Replace the following placeholders with your own information:
+* *\*: Name of an existing resource group in your subscription.
+* *\*: A name for your Microsoft Connected Cache for Enterprise resource.
+* *\*: The Azure region where your Microsoft Connected Cache will be located.
+
+```azurecli-interactive
+az mcc ent resource create --mcc-resource-name --resource-group --location
+```
+
+---
+
+## Create Connected Cache cache node
+
+# [Azure portal](#tab/portal)
+
+ 1. Open Azure portal and navigate to the Microsoft Connected Cache for Enterprise resource that you created.
+ 1. Under Cache Node Management, select **Cache Nodes** then **Create Cache Node**.
+
+ 1. Provide a name for your cache node and select the host OS you plan to deploy the cache node on, then select **Create**. Note, cache node names have to be unique under the Microsoft Connected Cache resource.
+
+ The creation of the cache node might take a few minutes. Select **Refresh** to see your recently created cache node.
+Once the cache node state changes to **Not Configured**, you can now configure your cache node.
+For more information about different cache node states, see [Cache node states](#cache-node-states).
+
+
+# [Azure CLI](#tab/cli)
+
+Use the following command to create a new cache node if you don't already have one.
+
+Replace the following placeholders with your own information:
+* *\*: Name of existing resource group in your subscription.
+* *\*: Name of the Microsoft Connected Cache for Enterprise resource.
+* *\*: A name for your Microsoft Connected Cache node.
+* *\*: The OS on which cache node will be provisioned.
+ Accepted values: `windows`, `linux`
+
+```azurecli-interactive
+az mcc ent node create --cache-node-name --mcc-resource-name --resource-group --host-os
+```
+
+
+
+>[!NOTE]
+>To ensure cache node has been created successfully, run the following command before continuing with cache node configuration.
+>```azurecli-interactive
+>az mcc ent node show --cache-node-name --mcc-resource-name --resource-group
+>```
+>In the output look for **cacheNodeState**. If ***cacheNodeState = Not Configured***, you can continue with cache node configuration.
+>If ***cacheNodeState = Registration in Progress***, then the cache node is still in process of being created. Wait a couple of minutes and run the command again.
+>To know more about different cache node state, see [Cache node states](#cache-node-states).
+
+---
+
+## Configure Connected Cache node
+
+# [Azure portal](#tab/portal)
+Enter required values to configure your cache node. For more information about the definitions of each field, review the [Configuration fields](#general-configuration-fields) at the bottom of this article.
+Don't forget to select save after adding configuration information.
+
+
+# [Azure CLI](#tab/cli)
+
+### Configure Linux-hosted Connected Cache node
+Use the following command to configure cache node for deployment to a **Linux** host machine.
+
+Replace the following placeholders with your own information:
+
+* *\*: Name of the resource group in your subscription.
+* *\*: Name of your Microsoft Connected Cache for Enterprise resource.
+* *\*: Name for your Microsoft Connected Cache node.
+* *\*: The cache drive path. You can add up to nine cache drives.
+* *\*: The size of cache drive. Must be at least 50 Gb.
+* *\*: If proxy needs to be enabled or not.
+ Accepted values: `enabled`, `disabled`
+ Proxy should be set to enabled if the cache node will need to pass through a network proxy to download content. The provided proxy will also be used during deployment of the Connected Cache cache node to your host machine.
+* *\*: The proxy host name or ip address. Required if proxy is set to enabled.
+* *\*: Proxy port number. Required if proxy is set to enabled.
+* *\*: Update ring the cache node should have.
+ Accepted values: `slow`, `fast`.
+ If update ring is set to slow, you must provide the day of week, time of day and week of month the cache node should be updated.
+* *\*: The day of the week cache node should be updated. Week starts from Monday.
+ Accepted values: 1,2,3,4,5,6,7
+* *\*: The time of day cache node should be updated in 24 hour format (hh:mm)
+* *\*: The week of month cache node should be updated.
+ Accepted values: 1,2,3,4
+
+```azurecli-interactive
+az mcc ent node update --cache-node-name --mcc-resource-name --resource-group
+--cache-drive "[{physical-path:,size-in-gb:},{,size-in-gb:}...]"> --proxy --proxy-host <"proxy host name"> --proxy-port --auto-update-day --auto-update-time --auto-update-week --auto-update-ring
+```
+
+
+
+
+### Configure Windows-hosted Connected Cache node
+Use the following command to configure cache node for deployment to a **Windows** host machine.
+
+Replace the following placeholders with your own information:
+
+* *\*: Name of the resource group in your subscription.
+* *\*: Name of your Microsoft Connected Cache for Enterprise resource.
+* *\*: Name for your Microsoft Connected Cache node.
+* *\*: The cache drive path.
+ Accepted value: /var/mcc
+* *\*: The size of cache drive. Must be at least 50 Gb.
+* *\*: If proxy needs to be enabled or not.
+ Accepted values: `enabled`, `disabled`
+ Proxy should be set to enabled if the cache node will need to pass through a network proxy to download content. The provided proxy will also be used during deployment of the Connected Cache cache node to your host machine.
+* *\*: The proxy host name or ip address. Required if proxy is set to enabled.
+* *\*: Proxy port number. Required if proxy is set to enabled.
+* *\*: Update ring the cache node should have.
+ Accepted values: `slow`, `fast`.
+ If update ring is set to slow, you must provide the day of week, time of day and week of month the cache node should be updated.
+* *\*: The day of the week cache node should be updated. Week starts from Monday.
+ Accepted values: 1,2,3,4,5,6,7
+* *\*: The time of day cache node should be updated in 24 hour format (hh:mm)
+* *\*: The week of month cache node should be updated.
+ Accepted values: 1,2,3,4
+
+```azurecli-interactive
+az mcc ent node update --cache-node-name --mcc-resource-name --resource-group
+--cache-drive "[{physical-path:/var/mcc,size-in-gb:}]" --proxy --proxy-host <"proxy host name"> --proxy-port --auto-update-day --auto-update-time --auto-update-week --auto-update-ring
+```
+
+---
+
+## Next step
+
+### [Azure portal](#tab/portal)
+To deploy the cache node to a **Windows** host machine, see
+>[!div class="nextstepaction"]
+>[Deploy cache node to Windows](mcc-ent-deploy-to-windows.md)
+
+To deploy the cache node to a **Linux** host machine, see
+>[!div class="nextstepaction"]
+>[Deploy cache node to Linux](mcc-ent-deploy-to-linux.md)
+
+### [Azure CLI](#tab/cli)
+To deploy cache nodes using Azure CLI, see
+>[!div class="nextstepaction"]
+>[Manage cache nodes using CLI](mcc-ent-manage-using-CLI.md)
+
+---
+
+
+
+
+### General configuration fields
+
+| Field Name |Expected Value |Description|
+|---|---|---|
+|**Cache node name** | Alphanumeric string that contains no spaces| The name of the cache node. You may choose names based on location such as "Seattle-1". This name must be unique and can't be changed later |
+|**Host OS** | Linux or Windows| This is the operating system of the host machine that the cache node will be deployed to.|
+
+### Storage fields
+
+##### Cache node for Linux
+
+>[!Important]
+>All cache drives must have full read/write permissions set or the cache node will not function. For example, in a terminal you can run: sudo chmod 777 /path/to/cachedrivefolder
+
+
+| Field Name |Expected Value |Description|
+|---|---|---|
+|**Cache drive folder**| File path string |Up to nine drive folders accessible by the cache node can be configured for each cache node to configure cache storage. Enter the location of the folder in Ubuntu where the external physical drive is mounted. For example: /dev/sda3/. Each cache drive should have read/write permissions configured. Ensure your disks are mounted and visit Attach a data disk to a Linux VM for more information.|
+|**Cache drive size in gigabytes**| Integer in GB| Set the size of each drive configured for the cache node. Minimum cache drive size is 50 GB.|
+
+##### Cache node for Windows
+
+| Field Name |Expected Value |Description|
+|---|---|---|
+|**Cache drive folder**| File path string /var/mcc| This is the folder path where content is cached. You can't change the folder path.|
+|**Cache drive size in gigabytes**| Integer in GB| Set the size of each drive configured for the cache node. Minimum cache drive size is 50 GB. |
+
+#### Proxy settings
+
+You can choose to enable or disable proxy settings on your cache node. Proxy should be set to enabled if the cache node will need to pass through a network proxy to download content. The provided proxy will also be used during deployment of the Connected Cache node to your host machine.
+
+
+
+>[!IMPORTANT]
+>Enabling or disabling the proxy settings after your cache node has been deployed will require running the provisioning script on the host machine again. This will ensure that proxy changes are in effect on the cache node.
+
+| Field Name |Expected Value |Description|
+|---|---|---|
+|**Proxy host name**| String or number| Proxy host name or address|
+|**Proxy port**| Integer| Proxy port
+
+
+
+
+## Other operations on resource and cache nodes
+
+
+### List all Connected Cache resources
+
+# [Azure portal](#tab/portal)
+Navigate to the resource group under which you would like to see the Connected Cache resources.
+
+
+# [Azure CLI](#tab/cli)
+Use the following command to list all the Connected Cache resources under the resource group.
+
+Replace the following placeholders with your own information:
+* *\*: An existing resource group in your subscription.
+
+
+```azurecli-interactive
+az mcc ent resource list --resource-group
+```
+---
+
+### List all cache nodes
+
+# [Azure portal](#tab/portal)
+On the left pane, select **Cache Nodes** under **Cache Node Management** to see all the cache nodes under the Connected Cache resource.
+
+
+# [Azure CLI](#tab/cli)
+Use the following command to list all the cache nodes under the resource.
+
+Replace the following placeholders with your own information:
+* *\*: Name of the resource group in your subscription.
+* *\*: Name of your Microsoft Connected Cache for Enterprise resource.
+
+```azurecli-interactive
+az mcc ent node list --mcc-resource-name --resource-group
+```
+
+---
+
+
+### Delete Connected Cache resource
+
+# [Azure portal](#tab/portal)
+Navigate to the Connected Cache resource to delete, then select the **Delete** option on top.
+
+
+# [Azure CLI](#tab/cli)
+Use the following command to delete the cache node under the resource.
+
+Replace the following placeholders with your own information:
+* *\*: Name of the resource group in your subscription.
+* *\*: Name of your Microsoft Connected Cache for Enterprise resource.
+
+```azurecli-interactive
+az mcc ent resource delete --mcc-resource-name --resource-group
+```
+---
+
+### Delete cache node
+
+# [Azure portal](#tab/portal)
+On the left pane, select **Cache Nodes** under **Cache Node Management** to see all the cache nodes under the Connected Cache resource. Select the cache node you wish to delete and select the **Delete** option on top of the page.
+
+
+# [Azure CLI](#tab/cli)
+Use the following command to delete the Connected Cache node.
+
+Replace the following placeholders with your own information:
+* *\*: Name of the resource group in your subscription.
+* *\*: Name of your Microsoft Connected Cache for Enterprise resource.
+* *\*: The name for your Microsoft Connected Cache node.
+
+
+```azurecli-interactive
+az mcc ent node delete --cache-node-name --mcc-resource-name --resource-group
+```
+
+
+---
+
+
+##### Cache node states
+| Cache node state |Description|
+|---|---|
+|Operation in progress| An operation is being done on the cache node|
+|Registration in progress| Cache node is being registered|
+|Not configured| Cache node is ready to be configured|
+|Not provisioned| Cache node is ready to be provisioned on host machine|
+|Healthy| Cache node phoning home|
+|Unhealthy| Cache node has stopped phoning home|
+|Never phoned home| Cache node has provisioned but has never phoned home|
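Review bot: The Important callout under "Cache node for Linux" tells operators to run `sudo chmod 777 /path/to/cachedrivefolder`, which makes the cache drive folder writable by every local account on the host, so any local user or compromised service could alter or replace cached content. The Windows deployment article added in this same change designates a dedicated runtime account specifically to prevent tampering with cached content, and the Linux guidance should aim for the same by naming the account the cache node runs as and granting access only to it, along the lines of `sudo chown <runtime-account> /path/to/cachedrivefolder && sudo chmod 700 /path/to/cachedrivefolder` (the account name is a placeholder; this page does not say what the container runs as). If world-writable access really is required, the callout should say why and recommend a dedicated mount that is not shared with other workloads. Separately, the Azure CLI tab under "Delete Connected Cache resource" describes `az mcc ent resource delete` as deleting "the cache node under the resource"; for a destructive command the text should state that it deletes the whole resource.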
diff --git a/windows/deployment/do/mcc-ent-deploy-to-linux.md b/windows/deployment/do/mcc-ent-deploy-to-linux.md
new file mode 100644
index 0000000000..0fc31cdf23
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-deploy-to-linux.md
@@ -0,0 +1,68 @@
+---
+title: Deploy Microsoft Connected Cache software to a Linux host machine
+description: Details on how to deploy Microsoft Connected Cache for Enterprise and Education cache software to a Linux host machine.
+author: chrisjlin
+ms.author: lichris
+manager: naengler
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: how-to
+ms.date: 10/30/2024
+appliesto:
+- ✅ Supported Linux distributions
+- ✅ Microsoft Connected Cache for Enterprise and Education
+---
+
+# Deploy Microsoft Connected Cache caching software to a Linux host machine
+
+This article describes how to deploy Microsoft Connected Cache for Enterprise and Education caching software to a Linux host machine.
+
+Before deploying Connected Cache to a Linux host machine, ensure that the host machine meets all [requirements](mcc-ent-prerequisites.md), and that you have [created and configured your Connected Cache Azure resource and cache node](mcc-ent-create-resource-and-cache.md).
+
+## Steps to deploy Connected Cache cache node to Linux
+
+# [Azure portal](#tab/portal)
+
+1. Within the Azure portal, navigate to the **Provisioning** tab of your cache node and copy the provisioning command.
+1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the package onto the host machine.
+1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
+1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
+1. Run the provisioning command on the host machine.
+
+# [Azure CLI](#tab/cli)
+
+To deploy a cache node programmatically, you'll need to use Azure CLI to get the cache node's provisioning details and then run the provisioning command on the host machine.
+
+1. To get the cache node's provisioning details, use `az mcc ent node get-provisioning-details`
+
+ ```azurecli-interactive
+ az mcc ent node get-provisioning-details --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg
+ ```
+
+1. Save the resulting output. These values will be passed as parameters within the provisioning command.
+1. Download and extract the [Connected Cache provisioning package for Linux](https://aka.ms/MCC-Ent-InstallScript-Linux) to your host machine.
+1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
+1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
+1. Replace the values in the following provisioning command before running it on the host machine.
+
+ ```azurepowershell-interactive
+ sudo ./provisionmcc.sh customerid="enter mccResourceId here" cachenodeid="enter cacheNodeId here" customerkey=" enter customerKey here " registrationkey="enter registrationKey here" drivepathandsizeingb="enter physicalPath value,enter sizeInGb value here" shoulduseproxy="enter true if present, enter false if not" proxyurl=http://enter proxy hostname:enter port
+ ```
+
+---
+
+## Steps to point Windows client devices at Connected Cache node
+
+Once you have successfully deployed Connected Cache to your Linux host machine, you'll need to configure your Windows client devices to request Microsoft content from the Connected Cache node.
+
+You can do this by setting the [DOCacheHost or DOCacheHostSource policies via Intune](./waas-delivery-optimization-reference.md#cache-server-hostname).
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Verify cache node functionality](mcc-ent-verify-cache-node.md)
+
+## Related content
+
+- [Deploy to a Windows host machine](mcc-ent-deploy-to-windows.md)
+- [Uninstall Connected Cache node](mcc-ent-uninstall-cache-node.md)
\ No newline at end of file
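Review bot: The Azure CLI tab has the operator download the provisioning package from a short link and then run `provisionmcc.sh` under `sudo`, with no step that verifies the package first. If a checksum or signature is published for the package (this page does not show one), a step such as `1. Verify the downloaded package against the published checksum before extracting it.` belongs between the download and the extract. The provisioning command also takes `customerkey` and `registrationkey` as command-line arguments, which leaves them in shell history and visible in the process list while the script runs, so the article should tell readers to treat the saved `get-provisioning-details` output as a secret and remove it afterwards. The `proxyurl=http://...` example shows only a plain-HTTP proxy, so the text should say whether an HTTPS proxy is supported. The fence holding the `sudo ./provisionmcc.sh` line is tagged `azurepowershell-interactive` although it is a shell command.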
diff --git a/windows/deployment/do/mcc-ent-deploy-to-windows.md b/windows/deployment/do/mcc-ent-deploy-to-windows.md
new file mode 100644
index 0000000000..ba27a5f82f
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-deploy-to-windows.md
@@ -0,0 +1,82 @@
+---
+title: Deploy Microsoft Connected Cache software to a Windows host machine
+description: Details on how to deploy Microsoft Connected Cache for Enterprise and Education cache software to a Windows host machine.
+author: chrisjlin
+ms.author: lichris
+manager: naengler
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: how-to
+ms.date: 10/30/2024
+appliesto:
+- ✅ Windows 11
+- ✅ Microsoft Connected Cache for Enterprise and Education
+---
+
+# Deploy Microsoft Connected Cache caching software to a Windows host machine
+
+This article describes how to deploy Microsoft Connected Cache for Enterprise and Education caching software to a Windows host machine.
+
+Deploying Connected Cache to a Windows host machine requires designating a [Group Managed Service Account (gMSA)](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) or a [Local User Account](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d) as the Connected Cache runtime account. This prevents tampering with the Connected Cache container and the cached content on the host machine.
+
+Before deploying Connected Cache to a Windows host machine, ensure that the host machine meets all [requirements](mcc-ent-prerequisites.md), and that you have [created and configured your Connected Cache Azure resource](mcc-ent-create-resource-and-cache.md).
+
+## Steps to deploy Connected Cache node to Windows
+
+# [Azure portal](#tab/portal)
+
+1. Within the Azure portal, navigate to the **Provisioning** tab of your cache node and copy the provisioning command.
+1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the package onto the host machine. **Note**: The installer should be in a folder that isn't synced to OneDrive, as this will interfere with the installation process.
+1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package.
+1. Set the Execution Policy to *Unrestricted* to allow the provisioning scripts to run.
+1. Create a `$User` environment variable containing the username of the account you intend to designate as the Connected Cache runtime account.
+
+ For gMSAs, the value should be formatted as `"Domain\Username$"`. For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`.
+
+ If you're using a Local User account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`. **Note**: You'll need to apply a local security policy to permit the Local User account to `Log on as a batch job`.
+
+1. Run the provisioning command on the host machine.
+
+# [Azure CLI](#tab/cli)
+
+To deploy a cache node programmatically, you'll need to use Azure CLI to get the cache node's provisioning details and then run the provisioning command on the host machine.
+
+1. To get the cache node's provisioning details, use `az mcc ent node get-provisioning-details`.
+
+ ```azurecli-interactive
+ az mcc ent node get-provisioning-details --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg
+ ```
+
+1. Save the resulting output. These values will be passed as parameters within the provisioning command.
+1. Download and extract the [Connected Cache provisioning package for Windows](https://aka.ms/MCC-Ent-InstallScript-WSL) to your host machine. **Note**: The installer should be in a folder that isn't synced to OneDrive, as this will interfere with the installation process.
+1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package.
+1. Set the Execution Policy to *Unrestricted* to allow the provisioning scripts to run.
+1. Create a `$User` environment variable containing the username of the account you intend to designate as the Connected Cache runtime account.
+
+ For gMSAs, the value should be formatted as `"Domain\Username$"`. For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`.
+
+ If you're using a Local User account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`. **Note**: You'll need to apply a local security policy to permit the Local User account to `Log on as a batch job`.
+
+1. Replace the values in the following provisioning command before running it on the host machine. **Note**: `-mccLocalAccountCredential $myLocalAccountCredential` is only needed if you're using a Local User account as the Connected Cache runtime account.
+
+ ```powershell-interactive
+ ./provisionmcconwsl.ps1 -installationFolder c:\mccwsl01 -customerid [enter mccResourceId here] -cachenodeid [enter cacheNodeId here] -customerkey [enter customerKey here] -registrationkey [enter registration key] -cacheDrives "/var/mcc,enter drive size" -shouldUseProxy [enter true if present, enter false if not] -proxyurl "http://[enter proxy host name]:[enter port]" -mccRunTimeAccount $User -mccLocalAccountCredential $myLocalAccountCredential
+ ```
+
+---
+
+## Steps to point Windows client devices at Connected Cache node
+
+Once you have successfully deployed Connected Cache to your Windows host machine, you'll need to configure your Windows client devices to request Microsoft content from the Connected Cache node.
+
+You can do this by setting the [DOCacheHost or DOCacheHostSource policies via Intune](./waas-delivery-optimization-reference.md#cache-server-hostname).
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Verify cache node functionality](mcc-ent-verify-cache-node.md)
+
+## Related content
+
+- [Deploy to a Linux host machine](mcc-ent-deploy-to-linux.md)
+- [Uninstall Connected Cache node](mcc-ent-uninstall-cache-node.md)
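Review bot: Step 4 in both tabs says to set the Execution Policy to *Unrestricted* without naming a scope, so readers are likely to change it machine-wide and leave it that way after provisioning. Scoping the change to the current session keeps the host's policy intact, for example `Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process`, and the step should spell that out. The provisioning command passes `-customerkey` and `-registrationkey` as plain arguments, so they can end up in PowerShell history and transcripts; a sentence telling readers to handle the `get-provisioning-details` output as a secret would help. `$User` is described as an environment variable, but the command uses it as an ordinary PowerShell variable, which matters to anyone scripting these steps.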
diff --git a/windows/deployment/do/mcc-ent-early-preview.md b/windows/deployment/do/mcc-ent-early-preview.md
new file mode 100644
index 0000000000..1e1922f15a
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-early-preview.md
@@ -0,0 +1,28 @@
+---
+title: Microsoft Connected Cache for Enterprise and Education early preview
+description: Details on Microsoft Connected Cache for Enterprise early preview
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: conceptual
+manager: naengler
+ms.author: lichris
+author: chrisjlin
+appliesto:
+- ✅ Microsoft Connected Cache for Enterprise
+ms.date: 10/30/2024
+---
+
+
+# Microsoft Connected Cache for Enterprise and Education (early preview)
+
+If you participated in the early preview program, thank you for your collaboration and feedback.
+
+To continue using supported version of Microsoft Connected Cache, we strongly recommend that you upgrade your existing cache nodes to the new release. Cache nodes created and deployed during early preview should still function but can no longer be managed or monitored remotely via the Microsoft Connected Cache Azure service.
+
+We strongly recommend you [recreate your existing cache nodes in Azure](mcc-ent-create-resource-and-cache.md) and then [redeploy the caching software to your host machines](mcc-ent-deploy-to-windows.md) using the latest OS-specific installer.
+
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [View documentation for Connected Cache public preview](mcc-ent-edu-overview.md)
diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md
index b17beaa30a..125aed12f4 100644
--- a/windows/deployment/do/mcc-ent-edu-overview.md
+++ b/windows/deployment/do/mcc-ent-edu-overview.md
@@ -1,38 +1,71 @@
---
-title: MCC for Enterprise and Education Overview
-description: Overview, supported scenarios, and content types for Microsoft Connected Cache (MCC) for Enterprise and Education.
+title: Microsoft Connected Cache for Enterprise and Education Overview
+description: Overview, supported scenarios, and content types for Microsoft Connected Cache for Enterprise and Education.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
-ms.author: carmenf
-author: cmknox
-manager: aaroncz
+ms.author: andyriv
+author: chrisjlin
+manager: naengler
ms.reviewer: mstewart
ms.collection: tier3
appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 05/23/2024
+ms.date: 10/30/2024
---
# Microsoft Connected Cache for Enterprise and Education Overview
> [!IMPORTANT]
->
-> - Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-> - As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
+> Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
+Microsoft Connected Cache for Enterprise and Education (preview) is a software-only caching solution that delivers Microsoft content within enterprise and education networks. Connected Cache can be managed from the Azure portal or through Azure CLI. It can be deployed to as many Windows devices, Linux devices, or VMs as needed. Managed Windows devices can be configured to download cloud content from a Connected Cache server by applying the client policy using management tools such as Microsoft Intune.
-Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. For information about Microsoft Connected Cache in Configuration Manager (generally available, starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache).
+For information about Microsoft Connected Cache in Configuration Manager, see [Microsoft Connected Cache in Configuration Manager](/configmgr/core/plan-design/hierarchy/microsoft-connected-cache).
-## Supported scenarios
+Microsoft Connected Cache deployed directly to Windows relies on [Windows Subsystem for Linux (WSL](/windows/wsl/about) and either a [Group Managed Service Account](/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/getting-started-with-group-managed-service-accounts), local user account, or domain user account are required to run WSL. WSL needs to run in a user context and any user, even if the currently logged-in user, could be used to run WSL and Microsoft Connected Cache.
-Connected Cache (early preview) supports the following scenarios:
+## Supported scenarios and configurations
+
+Microsoft Connected Cache for Enterprise and Education (preview) is intended to support the following content delivery scenarios:
- Pre-provisioning of devices using Windows Autopilot
-- Cloud-only devices, such as Intune-enrolled devices
+- Co-managed clients that get monthly updates and Win32 apps from Microsoft Intune
+- Cloud-only managed devices, such as Intune-enrolled devices without the Configuration Manager client, that get monthly updates and Win32 apps from Microsoft Intune
+
+Microsoft Connected Cache is built for flexible deployments to support several different enterprise configurations:
+
+### Branch office
+
+Customers may have globally dispersed offices that meet some or all of the following parameters:
+
+- Have 10 to 50 Windows devices on-site
+- Don't have dedicated server hardware
+- Have internet bandwidth that is limited (satellite internet)
+- Have intermittent internet connectivity
+
+To support the branch office scenario, customers can deploy a Connected Cache node to a Windows 11 client device.
+
+### Large Enterprise
+
+Customers may have office spaces, data centers, or Azure deployments that meet some or all of the following parameters:
+
+- Have 100s or 1,000s of Windows devices (desktop or server)
+- Have some existing server hardware (Decommissioned Distribution Point, file server, cloud print server)
+- Have Azure VMs and/or Azure Virtual Desktop deployed
+- Have limited internet bandwidth (T1 or T3 lines)
+
+To support the large enterprise scenario, customers can deploy a Connected Cache node to a server running Windows Server 2022 or Ubuntu 22.04.
+
+See [Connected Cache node host machine requirements](mcc-ent-prerequisites.md) for recommended host machine specifications in each configuration.
+
+| Enterprise configuration | Download speed range | Download speeds and approximate content volume delivered in 8 Hours |
+|---|---|---|
+|Branch office|< 1 Gbps Peak| 500 Mbps => 1,800 GB 250 Mbps => 900 GB 100 Mbps => 360 GB 50 Mbps => 180 GB|
+|Small to medium enterprises/Autopilot provisioning center (50 - 500 devices in a single location) |1 - 5 Gbps| 5 Gbps => 18,000 GB 3 Gbps => 10,800 GB 1 Gbps => 3,600 GB|
+|Medium to large enterprises/Autopilot provisioning center (500 - 5,000 devices in a single location) |5 - 10 Gbps Peak| 9 Gbps => 32,400 GB 5 Gbps => 18,000 GB 3 Gbps => 10,800 GB|
## Supported content types
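Review bot: In the added WSL paragraph the link is written `[Windows Subsystem for Linux (WSL](/windows/wsl/about)`, which leaves the parenthesis unbalanced in the rendered text; it should read `[Windows Subsystem for Linux (WSL)](/windows/wsl/about)`. The same paragraph says any user, "even if the currently logged-in user", can run WSL and Connected Cache, but it does not say which account type is preferred for a long-running service. A sentence pointing to the service-account guidance that the FAQ in this change links to would help readers avoid defaulting to an interactive or over-privileged account.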
@@ -47,27 +80,21 @@ For the full list of content endpoints that Microsoft Connected Cache for Enterp
## How it works
-MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It's built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC is a Linux IoT Edge module running on the Windows Host OS.
+The following diagram displays an overview of how Connected Cache functions:
-1. The Azure Management Portal is used to create MCC nodes.
-1. The MCC container is deployed and provisioned to the server using the installer provided in the portal.
-1. Client policy is set in your management solution to point to the IP address or FQDN of the cache server.
-1. Microsoft end-user devices make range requests for content from the MCC node.
-1. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
-1. Subsequent requests from end-user devices for content will now come from cache.
-1. If the MCC node is unavailable, the client pulls content from CDN to ensure uninterrupted service for your subscribers.
+:::image type="content" source="./images/mcc_ent_publicpreview.png" alt-text="Diagram displaying the components of Connected Cache." lightbox="./images/mcc_ent_publicpreview.png":::
-The following diagram displays an overview of how MCC functions:
+1. The Azure management portal for Microsoft Connected Cache or CLI are used to create cache nodes, configure deployments, including unauthenticated proxy settings.
+1. Prepare Windows or Linux devices. If deploying to Windows devices, prepare accounts - gMSA, local user account, domain account. Deploy to Windows or Linux devices using scripts.
+1. The Microsoft Connected Cache container is deployed to the device using Azure IoT Edge container management services and the cache server begins reporting status and metrics to Delivery Optimization services.
+1. The DOCacheHost setting is configured using Intune or other MDM, DHCP custom option, or registry key.
+1. Devices request content from the cache server, the cache server forwards the requests to the CDN and fills the cache, the cache server delivers the content requested to the devices, and uses Peer to Peer (depending on DO Download mode settings) for all DO content.
+1. Devices can fall back to CDN if the cache server is unavailable for any reason or use Delivery Optimization delay fallback to http (CDN) settings to prefer the local cache server.
+You can view data about Microsoft Connected Cache downloads on management portal and Windows Update for Business reports.
-:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png":::
+## Next steps
-## IoT Edge
+>[!div class="nextstepaction"]
-Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
-
-1. Installs and updates MCC on your edge device.
-1. Maintains Azure IoT Edge security standards on your edge device.
-1. Ensures that MCC is always running.
-1. Reports MCC health and usage to the cloud for remote monitoring.
-
-For more information on Azure IoT Edge, see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge).
+>[Create Connected Cache Azure resources](mcc-ent-create-resource-and-cache.md)
+>
diff --git a/windows/deployment/do/mcc-ent-faq.yml b/windows/deployment/do/mcc-ent-faq.yml
new file mode 100644
index 0000000000..089613eb36
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-faq.yml
@@ -0,0 +1,78 @@
+### YamlMime:FAQ
+metadata:
+ title: Microsoft Connected Cache for Enterprise and Education Frequently Asked Questions
+ description: The following article is a list of frequently asked questions for Microsoft Connected Cache for Enterprise.
+ ms.service: windows-client
+ ms.subservice: itpro-updates
+ ms.topic: faq
+ ms.author: nidos
+ author: doshnid
+ ms.reviewer: mstewart
+ manager: aaroncz
+ ms.collection:
+ - highpri
+ - tier3
+ appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
+ ms.date: 10/30/2024
+title: Microsoft Connected Cache for Enterprise Frequently Asked Questions
+summary: |
+ Frequently asked questions about Microsoft Connected Cache for Enterprise
+
+sections:
+ - name: Ignored
+ questions:
+ - question: What are the licesning requirement?
+ answer: Microsoft Connected Cache for Enterprise and Education is available to all Windows E3, E5 and F3 and Education A3 and A5 customers.
+ - question: Is there a charge to create Connected Cache resources and cache node on Azure?
+ answer: No. You won't be charged to create Connected Cache resource and cache nodes on Azure. However, you need an Azure pay-as-you-go subscription to create the resources but there is no charge for the resource itself.
+ - question: Is there a nondisclosure agreement to sign?
+ answer: No, a nondisclosure agreement isn't required.
+ - question: What will Microsoft Connected Cache for Enterprise and Education do for me?
+ answer: "[Delivery Optimization](waas-delivery-optimization-reference.md) and Microsoft Connected Cache are Microsoft’s comprehensive solutions for minimizing enterprises’ internet bandwidth consumption, with Delivery Optimization acting as the distributed content source and Connected Cache as a dedicated content source. Microsoft customers have benefited from these solutions, seeing savings of more than 90% of bandwidth when managing Windows 11 upgrades, Autopilot device provisioning, Intune application installations, and monthly update deployments."
+ - question: Can I deploy Connected Cache to a production environment?
+ answer: The core caching engine of Microsoft Connected Cache is deployed to hundreds of ISPs globally and has been reliably delivering Microsoft content to customers. Connected Cache relies on production Azure services for the deployment and management of Connected Cache nodes and for Windows installations Windows Subsystem for Linux. Microsoft support is fully onboarded to support your organization whether you deploy Connected Cache in a lab for testing or in production.
+ - question: When will Microsoft Connected Cache for Enterprise and Education be made generally available (GA)?
+ answer: "[Delivery Optimization](waas-delivery-optimization-reference.md) and Microsoft Connected Cache are Microsoft’s comprehensive solutions for minimizing enterprises’ internet bandwidth consumption. Microsoft is committed to making Connected Cache generally available soon. Additionally, Microsoft support is fully onboarded to support your organization in whatever capacity you deploy Connected Cache."
+ - question: What are the prerequisites and hardware requirements?
+ answer: |
+ - [Azure pay-as-you-go subscription](https://azure.microsoft.com/offers/ms-azr-0003p/).
+ - [Hardware to host Microsoft Connected Cache](mcc-ent-edu-overview.md)
+ - [Host machine requirements](mcc-ent-prerequisites.md)
+ - question: What host OS do I need to deploy Connected Cache?
+ answer: You can use Linux or Windows OS. Depending on the OS, the provisioning script and certain provisioning steps are different.
+ - question: What content is cached by Microsoft Connected Cache?
+ answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints](delivery-optimization-endpoints.md).
+ - question: Do I need to provide hardware BareMetal server or a virtual machine (VM)?
+ answer: Microsoft Connected Cache is a software-only caching solution and requires you to provide your own server to host the software.
+ - question: Can we use hard drives instead of SSDs?
+ answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance.
+ - question: Where should we install Microsoft Connected Cache?
+ answer: You are in control of your hardware and you can pick the location based on your traffic and end clients. You can choose the location where you have your routers or where you have dense traffic or any other parameters.
+ - question: How can I set up a gMSA account?
+ answer: For more information about gMSA accounts, see [Learn how to provision a Group Managed Service Account on a Domain Controller](/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/getting-started-with-group-managed-service-accounts#create-group-managed-service-accounts). Make sure that your gMSA has been granted permissions to "Log on as batch job" within the host machine's [local security policies](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings).
+ - question: How can I set up a local account?
+ answer: For more information, see [Learn how to provision a Local User Account](https://support.microsoft.com/topic/104dc19f-6430-4b49-6a2b-e4dbd1dcdf32). Make sure that your gMSA has been granted permissions to "Log on as batch job" within the host machine's [local security policies](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings).
+ - question: Where can I monitor cache node usage?
+ answer: You can monitor your cache node usage on Azure portal. For more information, see [Monitor cache node usage Info on Reporting Capabilities](mcc-ent-monitoring.md).
+ - question: How does Microsoft Connected Cache populate its content? Can I precache content?
+ answer: Microsoft Connected Cache is a cold cache warmed by client requests at the byte range level so your clients only request the content they need. The client requests content and that is what fills the cache which means there's no cache fill necessary. "Preseeding" can be achieved by use of update rings. A test ring or early adopter ring can be used to fill the cache and all subsequent requests by other clients will come from cache.
+ - question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache?
+ answer: Once a request for said content is made, NGINX looks at the cache control headers from the original acquisition. If that content is expired, NGINX continues to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content is in the hot cache path (open handles and such) for 24 hrs, but resides on disk for 30 days. The drive fills up and nginx starts to delete content based on its own algorithm, probably some combination of least recently used.
+ - question: Is it possible to not update the Microsoft Connected Cache software or delay update longer than the timeline provided in the updates configuration?
+ answer: No. It's important to keep the Microsoft Connected Cache software up to date, especially when it comes to security issues. Microsoft validates updates prior to releasing Enterprises Connected Cache updates and only releases updates when it's necessary to keep customers secure or to ensure the continued successful operation of Connected Cache nodes for customers.
+ - question: How do I set up CLI?
+ answer: For more information, see [How to install the Azure CLI](/cli/azure/install-azure-cli).
+ - question: How do I install the Microsoft Connected Cache Azure CLI extension?
+ answer: For more information, see [Install the Microsoft Connected Cache extension](mcc-ent-manage-using-cli.md#prerequisites).
+ - question: What do I do if I have to set up or change existing proxy?
+ answer: You can enable proxy and provide proxy information on Azure portal or use the CLI. Don't forget to rerun the provisioning script after making any proxy changes. For more information, see [Set up or change existing proxy](mcc-ent-create-resource-and-cache.md#proxy-settings).
+ - question: How do we set up Microsoft Connected Cache if we support multiple countries or regions?
+ answer: Microsoft Connected Cache isn't a service that has dependency on a specific Azure region, and there isn't personal or organizational identifiable information stored in the resource that necessitates data residency. The three regions that the Connected Cache resource can be deployed to are (Europe) North Europe, (Asia Pacific) Korea Central, and (US) West US.
+ - question: Should I use a gMSA, local user, or domain account to deploy Microsoft Connected Cache to Windows?
+ answer: There are pros and cons to the account options available to customers. We anticipate that security and manageability are top priories for customers. Microsoft provides guidance on both Active Directory and Microsoft Entra-based service accounts ([Introduction to Active Directory service accounts - Choose the right type of service account](/entra/architecture/service-accounts-on-premises#types-of-on-premises-service-accounts)) and user-based service accounts ([Secure user-based service accounts in Active Directory)](/entra/architecture/service-accounts-user-on-premises#assess-on-premises-user-account-security)).
+ - question: Does the user have to be logged using the account that installed Microsoft Connected Cache on Windows or Linux?
+ answer: No. As part of the installation on Windows a scheduled task is created using the account used to install Connected Cache. Regardless of which user is logged in or not logged in, the scheduled task remains running. On Linux, Connected Cache is installed by the user and remains running regardless of which user is logged in to the OS.
+ - question: What do I do if I need more support and have more questions even after reading this FAQ page?
+ answer: For further support for Microsoft Connected Cache, see [Troubleshooting issues for Microsoft Connected Cache for Enterprise and Education](mcc-ent-troubleshooting.md). If you still need more support, you can contact customer support.
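Review bot: The answer to "How can I set up a local account?" tells the reader to grant the logon right to "your gMSA", which looks copied from the gMSA answer directly above it. Followed literally, it would leave the local runtime account without the right. Suggested wording: `Make sure that your local user account has been granted permissions to "Log on as a batch job" within the host machine's local security policies`. Both answers write the policy as "Log on as batch job", while the Windows deployment article in this same change writes `Log on as a batch job`, so one spelling should be used throughout. Minor typos: "licesning" in the first question and "priories" in the account-choice answer.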
diff --git a/windows/deployment/do/mcc-ent-manage-using-cli.md b/windows/deployment/do/mcc-ent-manage-using-cli.md
new file mode 100644
index 0000000000..3b3ca2357d
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-manage-using-cli.md
@@ -0,0 +1,215 @@
+---
+title: Manage Microsoft Connected Cache nodes using CLI
+description: Details on how to manage Microsoft Connected Cache for Enterprise cache nodes via Azure CLI commands.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: how-to
+manager: aaroncz
+ms.author: nidos
+author: doshnid
+ms.reviewer: mstewart
+ms.collection: tier3
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Microsoft Connected Cache for Enterprise
+ms.date: 10/30/2024
+---
+
+# Manage cache nodes using CLI
+
+
+
+This article outlines how to create, configure, and deploy Microsoft Connected Cache for Enterprise cache nodes using Azure CLI.
+
+
+## Prerequisites:
+1. **Install Azure CLI**: [How to install the Azure CLI](/cli/azure/install-azure-cli)
+1. **Install Connected Cache extension**: Install Connected Cache extension via the command below
+
+```azurecli-interactive
+az extension add --name mcc
+```
+
+To learn more about installing extensions, see [Install the Connected Cache extension.](/cli/azure/azure-cli-extensions-overview#how-to-install-extensions)
+
+
+
+
+### 1. Create a Resource group
+
+The first step is to create a resource group if you don't already have one.
+An Azure resource group is a logical container into which Azure resources are deployed and managed.
+
+To create a resource group, use `az group create`. You can find more details on this CLI command [here](/cli/azure/group#az-group-create).
+
+
+```azurecli-interactive
+az group create --name myrg --location westus
+```
+
+Once the resource group is created, you'll need to create a Microsoft Connected Cache for Enterprise resource.
+
+### 2. Create a Connected Cache Azure resource
+
+A Connected Cache Azure resource is a top-level Azure resource under which cache nodes can be created.
+
+To create a Connected Cache Azure resource, use `az mcc ent resource create`
+
+```azurecli-interactive
+az mcc ent resource create --mcc-resource-name mymccresource --resource-group myrg
+```
+
+
+
+>[!IMPORTANT]
+>In the output, look for operationStatus. **operationStatus = Succeeded** indicates that our services have successfully started creating your Connected Cache resource.
+
+
+
+The next step is to create a cache node under this resource.
+
+
+### 3. Create a cache node
+
+To create a cache node, use `az mcc ent node create`
+
+```azurecli-interactive
+az mcc ent node create --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg --host-os
+```
+
+
+
+>[!IMPORTANT]
+>In the output, look for operationStatus. **operationStatus = Succeeded** indicates that our services have successfully started creating cache node.
+
+
+
+### 4. Confirm cache node creation
+
+Before you can start configuring your cache node, you need to confirm that the cache node was successfully created.
+
+To confirm cache node creation, use `az mcc ent node show`
+
+
+
+```azurecli-interactive
+az mcc ent node show --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg
+```
+
+>[!IMPORTANT]
+>In the output look for cacheNodeState. If **cacheNodeState = Not Configured**, you can continue with cache node configuration.
+>If **cacheNodeState = Registration in Progress**, then the cache node is still in process of being created. Please wait for a minute or two more and run the command again.
+
+
+
+Once successful cache node creation is confirmed, you can proceed to configure the cache node.
+
+
+### 5. Configure cache node
+
+To configure your cache node, use `az mcc ent node update`
+
+The below example configures a Linux cache node with proxy enabled:
+
+```azurecli-interactive
+az mcc ent node update --cache-node-name --mcc-resource-name --resource-group
+--cache-drive "[{physical-path:,size-in-gb:},{,size-in-gb:}...]"> --proxy --proxy-host <"proxy host name"> --proxy-port --auto-update-day --auto-update-time --auto-update-week --auto-update-ring
+```
+
+>[!Note]
+>* For a cache node that is to be deployed on Windows host OS, the physical path of the cache drive must be **/var/mcc**.
+>* In the output, look for operationStatus. **operationStatus = Succeeded** indicates that our services have successfully updated the cache node. You will also see that cacheNodeState will show *Not Provisioned*.
+>* Please save values for physicalPath, sizeInGb, proxyPort, proxyHostName as these values will be needed to construct the provisioning script.
+
+
+
+
+### 6. Get provisioning details for the cache node
+
+After successfully configuring the cache node, the next step is to deploy the cache node to a host machine. To deploy the cache node, you'll need to create a provisioning script with relevant information.
+
+To get the relevant information for provisioning script, use `az mcc ent node get-provisioning-details`
+
+```azurecli-interactive
+az mcc ent node get-provisioning-details --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg
+```
+
+>[!IMPORTANT]
+>* Save the resulting values for cacheNodeId, customerKey, mccResourceId, registrationKey. These GUIDs are needed to create the provisioning script.
+>* In the output look for cacheNodeState. If **cacheNodeState = Not Provisioned**, you can continue with cache node provisioning.
+>* If **cacheNodeState = Not Configured**, then the cache node has not been configured. Configure the cache node before provisioning.
+
+
+
+## Next step
+
+To deploy the cache node to a **Windows** host machine, see
+>[!div class="nextstepaction"]
+>[Deploy cache node to Windows](mcc-ent-deploy-to-windows.md)
+
+To deploy the cache node to a **Linux** host machine, see
+>[!div class="nextstepaction"]
+>[Deploy cache node to Linux](mcc-ent-deploy-to-linux.md)
+
+
+
+### Example script to bulk create and configure multiple cache nodes:
+
+Below is a pseudocode example of how to script bulk creation and configuration of a Connected Cache Azure resource and multiple Connected Cache cache nodes:
+
+
+
+# [PowerShell](#tab/powershell)
+
+```powershell
+#Define variables
+$mccResourceName = "myMCCResource"
+$cacheNodeName = "demo-node"
+$cacheNodeOperatingSystem = "Windows"
+$resourceGroup = "myRG"
+$resourceLocation = "westus"
+$cacheNodesToCreate = 2
+$proxyHost = "myProxy.com"
+$proxyPort = "8080"
+$waitTime = 3
+
+# Create Microsoft Connected Cache Azure resource
+az mcc ent resource create --mcc-resource-name $mccResourceName --location $resourceLocation --resource-group $resourceGroup
+
+#Loop through $cacheNodesToCreate iterations
+for ($cacheNodeNumber = 1; $cacheNodeNumber -le $cacheNodesToCreate; $cacheNodeNumber++) {
+ $iteratedCacheNodeName = $cacheNodeName + "-" + $cacheNodeNumber
+
+ #Create cache node
+ az mcc ent node create --cache-node-name $iteratedCacheNodeName --mcc-resource-name $mccResourceName --host-os $cacheNodeOperatingSystem --resource-group $resourceGroup
+
+ #Get cache node state
+ $cacheNodeState = $(az mcc ent node show --cache-node-name $iteratedCacheNodeName --mcc-resource-name $mccResourceName --resource-group $resourceGroup --query "cacheNodeState") | ConvertFrom-Json
+
+ $howLong = 0
+ #Wait until cache node state returns "Not Configured"
+ while ($cacheNodeState -ne "Not Configured") {
+ Write-Output "Waiting for cache node creation to complete...$howLong seconds"
+ Start-Sleep -Seconds $waitTime
+ $howLong += $waitTime
+
+ $cacheNodeState = $(az mcc ent node show --cache-node-name $iteratedCacheNodeName --mcc-resource-name $mccResourceName --resource-group $resourceGroup --query "cacheNodeState") | ConvertFrom-Json
+ }
+
+ #Configure cache node
+ az mcc ent node update --cache-node-name $iteratedCacheNodeName --mcc-resource-name $mccResourceName --resource-group $resourceGroup --cache-drive "[{physical-path:/var/mcc,size-in-gb:50}]" --proxy enabled --proxy-host $proxyHost --proxy-port $proxyPort
+}
+```
+---
+
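Review bot: The wait loop in the bulk-creation PowerShell sample exits only when `cacheNodeState` becomes "Not Configured". If `az mcc ent node create` fails or `az mcc ent node show` returns nothing, `$cacheNodeState` never matches and the script polls indefinitely. Bound the loop, for example `while ($cacheNodeState -ne "Not Configured" -and $howLong -lt $maxWaitSeconds)`, with `$maxWaitSeconds` defined next to `$waitTime`. Also skip the rest of the iteration when `$LASTEXITCODE` is non-zero after the create call. Readers are likely to copy this sample into automation, so a one-line comment saying it omits error handling would also help.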
diff --git a/windows/deployment/do/mcc-ent-monitoring.md b/windows/deployment/do/mcc-ent-monitoring.md
new file mode 100644
index 0000000000..9a4894896e
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-monitoring.md
@@ -0,0 +1,91 @@
+---
+title: Monitor usage of Microsoft Connected Cache nodes
+description: Details on how to monitor the usage of Microsoft Connected Cache for Enterprise cache nodes.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: how-to
+manager: naengler
+ms.author: lichris
+author: chrisjlin
+appliesto:
+- ✅ Windows 11
+- ✅ Supported Linux distributions
+- ✅ Microsoft Connected Cache for Enterprise
+ms.date: 10/30/2024
+---
+
+# Monitor cache node usage
+
+Tracking the status and performance of your Connected Cache node is essential to making sure you're getting the most out of the service.
+
+For basic monitoring, navigate to the **Overview** tab. Here you'll be able to view a collection of predefined metrics and charts. All the monitoring in this section will function right after your Connected Cache node has been deployed.
+
+For advanced monitoring, navigate to the **Metrics** section under the **Monitoring** tab. Here you'll be able to access more sampled metrics (hits, misses, inbound traffic) and specify different aggregations (count, avg, min, max, sum). You can then use this data to create customized charts and configure alerts.
+
+Between the two monitoring sections, you'll be able to gather essential insights into the health, performance, and efficiency of your Connected Cache nodes.
+
+## Basic Monitoring
+
+### Cache node summary
+
+Below are the metrics you'll find in the **Cache Node Summary** dashboard, along with their descriptions. This dashboard only reflects data received from cache nodes in the last 24 hours.
+
+
+
+| Metric | Description |
+| --- | --- |
+| Healthy nodes | Your Connected Cache node will periodically send heartbeat messages to the Connected Cache service. If the Connected Cache service has received a heartbeat message from your Connected Cache node in the last 24 hours, the node will be labeled as healthy. |
+| Unhealthy nodes | If the Connected Cache service hasn't received a heartbeat message from your Connected Cache node in the last 24 hours, the node will be labeled as unhealthy. |
+| Max in | The maximum ingress in Megabits per second (Mbps) that your node has pulled from CDN endpoints in the last 24 hours. |
+| Max out | The minimum egress in Mbps that your node has sent to Windows devices in its network over the last 24 hours. |
+| Average in | The average ingress in Mbps that your node has pulled from CDN endpoints in the last 24 hours. |
+| Average out | The average egress in Mbps that your node has sent to Windows devices in its network over the last 24 hours. |
+| Cache efficiency | The percentage of all content requests your Connected Cache node receives that can be fulfilled using your node's cached content. A well-performing node should have an efficiency > 90%. |
+
+### Key metric charts
+
+The two predefined charts on the Overview page visually represent the egress and types of content served by your Connected Cache node. The filters that are displayed below the cache node summary dashboard only affect the data shown in the key metric charts.
+
+
+
+#### Filters
+
+There are two filter controls that can be used to configure the key metric charts.
+
+- Timespan: Select how far back the chart should display
+- Cache nodes: Select which Connected Cache nodes the chart should display data for
+
+#### Outbound Traffic Chart
+
+This chart displays the average egress in bits per second (b/s) that your selected Connected Cache nodes delivered over the specified timespan.
+
+#### Volume by Content Type
+
+This chart displays the volume of each supported content type in bytes (B) that your selected Connected Cache nodes delivered over the specified timespan. See [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md) for a complete list of supported content types.
+
+The content types displayed in the chart each have a distinct color and are sorted in descending order of volume. The bar chart is stacked such that you can visually compare total volume being delivered at different points in time.
+
+## Advanced Monitoring
+
+To expand upon the metrics shown in the Overview tab, navigate to the **Metrics** tab in the left side toolbar of Azure portal.
+
+Listed below are the metrics you can access in this section:
+
+| Metric | Description |
+| --- | --- |
+| Inbound | The number of content requests your Connected Cache node receives over a specified period of time. |
+| Hits | The number of times your Connected Cache node fulfills a content request by pulling from its cache. |
+| Misses | The number of times your Connected Cache node isn't able to fulfill a content request by pulling from its cache |
+
+### Customizable Dashboards
+
+Once you select the charts you would like to track, you can save them to a personalized dashboard. You can configure the chart title, filters, range, legend, and more. You can also use this personalized dashboard to set up alerts that will notify you if your Connected Cache node dips in performance.
+
+Some example scenarios where you would want to set up a custom alert:
+
+- My Connected Cache node is being shown as unhealthy and I want to know exactly when it stopped egressing last
+- A new Microsoft Word update was released last night and I want to know if my Connected Cache node is helping deliver this content to my Windows devices
+
+## Additional Metrics
+
+Your Connected Cache node can keep track of how much content has been sent to requesting Windows devices, but the node can't track whether the content was successfully received by the device. For more information on accessing client-side data from your Windows devices, see [Monitor Delivery Optimization](waas-delivery-optimization-monitor.md).
diff --git a/windows/deployment/do/mcc-ent-prerequisites.md b/windows/deployment/do/mcc-ent-prerequisites.md
new file mode 100644
index 0000000000..f30f503e31
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-prerequisites.md
@@ -0,0 +1,72 @@
+---
+title: Microsoft Connected Cache for Enterprise and Education prerequisites
+description: Details of prerequisites and recommendations for using Microsoft Connected Cache for Enterprise and Education.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: conceptual
+ms.author: lichris
+author: chrisjlin
+manager: naengler
+appliesto:
+- ✅ Windows 11
+- ✅ Microsoft Connected Cache for Enterprise and Education
+ms.date: 10/30/2024
+---
+
+# Microsoft Connected Cache for Enterprise and Education Requirements
+
+This article details the requirements and recommended specifications for using Microsoft Connected Cache for Enterprise and Education.
+
+## Licensing requirements
+
+- **Valid Azure subscription**: To use the Microsoft Connected Cache for Enterprise and Education service, you'll need a valid Azure subscription that can be used to provision the necessary [Azure resources](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management).
+
+ If you don't have an Azure subscription already, you can create an Azure [pay-as-you-go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
+
+ The Azure resources used for Connected Cache will be free to you during this public preview.
+
+- **E3/E5 or A3/A5 license**: Your organization must have one of the following license subscriptions for each device that downloads content from a Connected Cache node:
+
+ - [Windows Enterprise E3 or E5](/windows/whats-new/windows-licensing#windows-11-enterprise), included in [Microsoft 365 F3, E3, or E5](https://www.microsoft.com/microsoft-365/enterprise/microsoft365-plans-and-pricing?msockid=32c407b43d5968050f2b13443c746916)
+ - Windows Education A3 or A5, included in [Microsoft 365 A3 or A5](https://www.microsoft.com/education/products/microsoft-365?msockid=32c407b43d5968050f2b13443c746916#Education-plans)
+
+## Cache node host machine requirements
+
+### General requirements
+
+- Any previous installations of Connected Cache must be [uninstalled](mcc-ent-uninstall-cache-node.md) from the host machine before installing the latest version of Connected Cache.
+- [These listed endpoints](delivery-optimization-endpoints.md) must be reachable by the host machine.
+- The host machine must have no other services / applications utilizing port 80 (for example, Configuration Manager or a distribution point).
+- The host machine must have at least 4 GB of free memory.
+
+### Additional requirements for Windows host machines
+
+- The Windows host machine must be using Windows 11 or Windows Server 2022 with the latest cumulative update applied.
+ - Windows 11 must have [OS Build 22631.3296](https://support.microsoft.com/topic/march-12-2024-kb5035853-os-builds-22621-3296-and-22631-3296-a69ac07f-e893-4d16-bbe1-554b7d9dd39b) or later
+ - Windows Server 2022 must have [OS Build 20348.2227](https://support.microsoft.com/topic/january-9-2024-kb5034129-os-build-20348-2227-6958a36f-efaf-4ef5-a576-c5931072a89a) or later
+- The Windows host machine must support nested virtualization. Ensure that any security settings that may restrict nested virtualization are not enabled, such as ["Trusted launch" in Azure VMs](/azure/virtual-machines/trusted-launch-portal).
+- The Windows host machine must have [WSL 2 installed](/windows/wsl/install#install-wsl-command). You can install this on Windows 11 and Windows Server 2022 by logging on as a local administrator and running the PowerShell command `wsl.exe --install --no-distribution` in an elevated PowerShell window.
+
+### Additional requirements for Linux host machines
+
+- The Linux host machine must be using one of the following operating systems:
+ - Ubuntu 22.04
+ - Red Hat Enterprise Linux (RHEL) 8.* or 9.*
+ - If using RHEL, the default container engine (Podman) must be replaced with [Moby](https://github.com/moby/moby#readme)
+
+### Recommended host machine networking specifications
+
+- Multiple network interface cards (NICs) on a single Connected Cache host machine isn't supported.
+- 1 Gbps NIC is the minimum speed recommended but any NIC is supported.
+- The NIC and BIOS should support SR-IOV for best performance.
+
+### Recommended host machine hardware specifications
+
+Based on your [enterprise configuration](mcc-ent-edu-overview.md), it's recommended to deploy your Connected Cache nodes to host machines that meet the following recommended hardware specifications:
+
+| Component | Branch office | Small / medium enterprise | Large enterprise |
+| --- | --- | --- | --- |
+| CPU cores | 4 | 8 | 16 |
+| Memory | 8 GB, 4 GB free | 16 GB, 4 GB free | 32 GB, 4 GB free |
+| Disk storage | 100 GB free | 500 GB free | 2x 200-500 GB free |
+| NIC | 1 Gbps | 5 Gbps | 10 Gbps |
diff --git a/windows/deployment/do/mcc-ent-release-notes.md b/windows/deployment/do/mcc-ent-release-notes.md
new file mode 100644
index 0000000000..28471a7fb7
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-release-notes.md
@@ -0,0 +1,41 @@
+---
+title: Microsoft Connected Cache Release Notes
+description: Release Notes for Microsoft Connected Cache for Enterprise and Education.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: conceptual
+ms.author: lichris
+author: chrisjlin
+manager: naengler
+appliesto:
+- ✅ Windows 11
+- ✅ Supported Linux distributions
+- ✅ Microsoft Connected Cache for Enterprise and Education
+ms.date: 10/30/2024
+---
+
+# Release Notes for Microsoft Connected Cache for Enterprise and Education
+
+This article contains details about the latest releases of Connected Cache. Since Connected Cache is a preview service, some releases may contain breaking changes.
+
+## Release v1.2.1.2076_E (public preview launch)
+
+The public preview released on **10/30/2024**
+
+For customers that installed earlier versions of Connected Cache, this release contains breaking changes that affect both Linux and Windows host machines. Please see the [early preview documentation page](mcc-ent-early-preview.md) for more details.
+
+### Feature updates
+
+- **Metrics and charts in Azure portal**: You can now visualize *Outbound egress* and *Volume by Content type* charts for your cache node on Azure portal. You can also create custom monitoring charts for your cache nodes. This capability is under the **Metrics** tab on Azure portal.
+- **Cache nodes for Windows or Linux host machines**: Cache nodes can now be created and deployed to Windows host machine or Linux host machines by simply choosing the OS when creating cache nodes.
+- **Ubuntu 22.04 LTS**: Cache nodes can now be deployed on Ubuntu 22.04 LTS.
+- **Azure CLI support**: Cache nodes can now be created and managed via Azure CLI.
+- **Proxy**: We added support for unauthenticated proxy and cloud proxy integration.
+- **Updates**: Your cache nodes are now updated automatically and we also added the capability to set each cache node's update ring to govern the cadence of Microsoft Connected Cache container updates.
+
+### Fixes
+- We fixed various bugs to achieve a smoother installation experience.
+
+## Related content
+
+- [Overview of Connected Cache](mcc-ent-edu-overview.md)
diff --git a/windows/deployment/do/mcc-ent-troubleshooting.md b/windows/deployment/do/mcc-ent-troubleshooting.md
new file mode 100644
index 0000000000..0f5b02bc00
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-troubleshooting.md
@@ -0,0 +1,119 @@
+---
+title: Microsoft Connected Cache for Enterprise and Education troubleshooting
+description: Details on how to troubleshoot common issues for Microsoft Connected Cache for Enterprise.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: how-to
+manager: naengler
+ms.author: lichris
+author: chrisjlin
+appliesto:
+- ✅ Windows 11
+- ✅ Supported Linux distributions
+- ✅ Microsoft Connected Cache for Enterprise
+ms.date: 10/30/2024
+---
+
+
+# Troubleshoot Microsoft Connected Cache for Enterprise and Education
+
+This article contains instructions on how to troubleshoot different issues you may encounter while using Connected Cache. These issues are categorized by the task in which they may be encountered.
+
+## Steps to obtain an Azure subscription ID
+
+
+[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]
+
+## Troubleshooting Azure resource creation
+
+[Connected Cache Azure resource creation](mcc-ent-create-resource-and-cache.md) can be initiated using either the Azure portal user interface or the Azure CLI command set.
+
+If you're encountering an error during resource creation, check that you have the necessary permissions to create Azure resources under your subscription and have filled out all required fields during the resource creation process.
+
+## Troubleshooting cache node configuration
+
+[Configuration of your Connected Cache node](mcc-ent-create-resource-and-cache.md) can be done using either the Azure portal user interface or the Azure CLI command set.
+
+If you're encountering a validation error, check that you have filled out all required configuration fields.
+
+If your configuration doesn't appear to be taking effect, check that you have selected the **Save** option at the top of the configuration page in the Azure portal user interface.
+
+If you have changed the proxy configuration, you will need to re-provision the Connected Cache software on the host machine for the proxy configuration to take effect.
+
+## Troubleshooting cache nodes created during early preview
+
+Cache nodes created and deployed during the [Microsoft Connected Cache for Enterprise and Education early preview](mcc-ent-early-preview.md) should continue to function but can no longer be managed or monitored remotely via the Connected Cache Azure service.
+
+As such, we strongly recommend you [recreate your existing resources in Azure](mcc-ent-create-resource-and-cache.md) and then [redeploy the Connected Cache software to your host machines](mcc-ent-deploy-to-windows.md) using the latest OS-specific installer.
+
+## Troubleshooting cache node deployment to Windows host machine
+
+### Collecting Windows-hosted installation logs
+
+[Deploying a Connected Cache node to a Windows host machine](mcc-ent-deploy-to-windows.md) involves running a series of PowerShell scripts contained within the Windows provisioning package. These scripts will attempt to write log files to the installation directory specified in the provisioning command (`C:\mccwsl01\InstallLogs` by default).
+
+There are three types of installation log files:
+
+1. **WSL_Mcc_Install_Transcript**: This log file records the lines printed to the PowerShell window when running the installation script
+1. **WSL_Mcc_Install_FromRegisteredTask_Status**: This log file records the high level status that is written during the registered tasks install
+1. **WSL_Mcc_Install_FromRegisteredTask_Transcript**: This log file records the detailed status that is written during the registered tasks install
+
+The Registered Task Transcript is usually the most useful for diagnosing the installation issue.
+
+### WSL2 fails to install with message "A specified logon session does not exist"
+
+If you are encountering this failure message when attempting to run the PowerShell command `wsl.exe --install --no-distribution` on your Windows host machine, verify that you are logged on as a local administrator and running the command from an elevated PowerShell window.
+
+### Updating the WSL2 kernel
+
+If the Connected Cache installation is failing due to WSL-related issues, try running `wsl.exe --update` to get the latest version of the WSL kernel.
+
+### Checking if the Connected Cache container is running
+
+Once the Connected Cache software has been successfully deployed to the Windows host machine, you can check if the cache node is running properly by doing the following on the Windows host machine:
+
+1. Launch a PowerShell process as the account specified as the runtime account during the Connected Cache install
+1. Run `wsl -d Ubuntu-22.04-Mcc-Base` to access the Linux distribution that hosts the Connected Cache container
+1. Run `sudo iotedge list` to show which containers are running within the IoT Edge runtime
+
+If it shows the **edgeAgent** and **edgeHub** containers but doesn't show **MCC**, you can view the status of the IoT Edge security manager using `sudo iotedge system logs -- -f`.
+
+You can also reboot the IoT Edge runtime using `sudo systemctl restart iotedge`.
+
+### Checking Connected Cache scheduled tasks
+
+Once the Connected Cache container is running, a scheduled task is periodically run under the Connected Cache runtime account to keep WSL from cleaning up the Connected Cache container.
+
+You can use Task Scheduler on the host machine to check the status of this scheduled task.
+
+1. Open Task Scheduler on the host machine
+1. Navigate to the Active Tasks section and double-click on **MCC_Monitor_Task**
+1. Select the scheduled task **MCC_Monitor_Task**
+1. Select the **Triggers** tab and confirm that the Status is **Enabled**
+
+> [!Note]
+> If the password of the runtime account changes, you'll need to update the user in all of the Connected Cache scheduled tasks in order for the Connected Cache node to continue functioning properly.
+
+## Troubleshooting cache node deployment to Linux host machine
+
+[Deploying a Connected Cache node to a Linux host machine](mcc-ent-deploy-to-linux.md) involves running a series of Bash scripts contained within the Linux provisioning package.
+
+Once the Connected Cache software has been successfully deployed to the Linux host machine, you can check if the cache node is running properly by doing the following on the Linux host machine:
+
+1. Run `sudo iotedge list` to show which containers are running within the IoT Edge runtime
+
+If it shows the **edgeAgent** and **edgeHub** containers but doesn't show **MCC**, you can view the status of the IoT Edge security manager using `sudo iotedge system logs -- -f`.
+
+You can also reboot the IoT Edge runtime using `sudo systemctl restart iotedge`.
+
+## Troubleshooting cache node monitoring
+
+Connected Cache node status and performance can be [monitored using the Azure portal user interface](mcc-ent-monitoring.md).
+
+If the [basic monitoring](mcc-ent-monitoring.md#basic-monitoring) visuals on the Overview tab are showing unexpected or erroneous values, refresh the browser window.
+
+If the issue persists, check that you have configured the Timespan and Cache node filters as desired.
+
+## Diagnose and Solve
+
+You can also use the **Diagnose and solve problems** functionality provided by the Azure portal interface. This tab within the Microsoft Connected Cache Azure resource will walk you through a few prompts to help narrow down the solution to your issue.
diff --git a/windows/deployment/do/mcc-ent-uninstall-cache-node.md b/windows/deployment/do/mcc-ent-uninstall-cache-node.md
new file mode 100644
index 0000000000..3fde904642
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-uninstall-cache-node.md
@@ -0,0 +1,35 @@
+---
+title: Uninstall Microsoft Connected Cache for Enterprise and Education cache nodes
+description: Details on how to uninstall Microsoft Connected Cache for Enterprise and Education from a host machine.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: how-to
+ms.author: lichris
+author: chrisjlin
+manager: naengler
+appliesto:
+- ✅ Windows 11
+- ✅ Supported Linux distributions
+- ✅ Microsoft Connected Cache for Enterprise and Education
+ms.date: 10/30/2024
+---
+
+# Uninstall Connected Cache software from a host machine
+
+This article describes how to uninstall Microsoft Connected Cache for Enterprise and Education caching software from a host machine. These steps should be taken after deleting the cache node in the Azure portal.
+
+## Steps to uninstall Connected Cache from a Windows host machine
+
+1. Launch a PowerShell window *as administrator* and navigate to the Connected Cache installation directory (C:\mcconwsl01 by default)
+1. Run the `uninstallmcconwsl.ps1` script
+
+## Steps to uninstall Connected Cache from a Linux host machine
+
+The `uninstallmcc.sh` script within the provisioning package uninstalls the Connected Cache caching software and all related components, including:
+
+- IoT Edge
+- IoT Edge Agent
+- IoT Edge Hub
+- Connected Cache container
+- Moby CLI
+- Moby engine
diff --git a/windows/deployment/do/mcc-ent-update-cache-node.md b/windows/deployment/do/mcc-ent-update-cache-node.md
new file mode 100644
index 0000000000..40f8c24f4c
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-update-cache-node.md
@@ -0,0 +1,60 @@
+---
+title: Update Microsoft Connected Cache for Enterprise and Education cache nodes
+description: Details on how Microsoft Connected Cache for Enterprise and Education cache nodes are updated by Microsoft.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: how-to
+ms.author: andyriv
+author: chrisjlin
+manager: naengler
+appliesto:
+- ✅ Windows 11
+- ✅ Supported Linux distributions
+- ✅ Microsoft Connected Cache for Enterprise and Education
+ms.date: 10/30/2024
+---
+# Configure container update frequency for Microsoft Connected Cache for Enterprise and Education
+
+Microsoft Connected Cache for Enterprise and Education caching software is deployed to host machines as a container. The container OS and any software component within the container need to be updated to address security vulnerabilities and improve quality and performance. These Microsoft-published container updates are referred to as "Connected Cache updates" in this article.
+
+Microsoft silently deploys Connected Cache updates to your cache nodes based on the **Update Ring** setting you configure for each cache node.
+
+## Update rings
+
+Connected Cache nodes can be configured to either the `Fast` or `Slow` update ring. If configured to update as part of the Fast ring, the cache node will be silently updated by Microsoft soon after the update is made available. If configured to update as part of the `Slow` ring, the cache node is silently updated by Microsoft within five weeks of the update becoming available.
+
+In other words, configuring cache nodes to update as part of the `Slow` ring provides users with the option to delay the update process until they have validated that the latest Connected Cache update works within their environment. For example, a user could configure a test cache node to update as part of the `Fast` ring and validate that clients can successfully interact with the test cache node after the latest Connected Cache update has been applied. This builds confidence that service won't be interrupted when the production cache nodes are updated as part of the `Slow` ring.
+
+### Update ring options
+
+>[!IMPORTANT]
+> In the event of a critical security patch, Microsoft may elect to initiate a Connected Cache update to your cache node as soon as possible (even if the cache node has been set to the `Slow` Ring). Visit the [Release notes](mcc-ent-release-notes.md) page for a detailed changelog of each Connected Cache update.
+
+#### Fast Ring
+
+All Connected Cache nodes are configured to update as part of the `Fast` ring by default. Connected Cache nodes in the `Fast` ring will be updated soon after an update is made available. The update will silently update cache nodes at a time of day when update traffic is likely to be minimal, such as 3:00 AM (local time) on Saturday.
+
+#### Slow Ring
+
+Configuring a Connected Cache node to update as part of the `Slow` ring provides users with the option to delay Connected Cache software updates until the update can be validated. There are three settings that control when Connected Cache updates will be applied to Connected Cache nodes. All update ring settings can be managed from the Azure portal or through the Azure CLI.
+
+| Setting | Description |
+| --- | --- |
+| Week of the month | 1st to 4th week can be selected. There are three to four months in a year that could have a fifth week. If there's a fifth week, the update could be applied during that fifth week if the day of the week falls near the last day of the month.|
+| Day of the week | Monday through Sunday can be selected. |
+| Time of day | Time of day is based on UTC and a 24 hour clock. |
+
+## Update process
+
+When Microsoft publishes a Connected Cache update, the Connected Cache service attempts to update all Connected Cache nodes based on their **Update Ring** membership. If a cache node can't complete the silent Connected Cache update within 6 hours of starting, an error message is surfaced in the Azure portal.
+
+## Update terminology, criteria, and information
+
+Connected Cache updates are released based on need instead of on a set cadence.
+
+| Update type | Criteria and information |
+| --- | --- |
+| Security | Security updates are the highest priority and are released based on the severity rating of the vulnerability. Updates for [Critical and High](https://nvd.nist.gov/vuln-metrics/cvss) vulnerabilities are released by Microsoft within 60 days of discovery. Updates for [Medium and Low](https://nvd.nist.gov/vuln-metrics/cvss) vulnerabilities are released by Microsoft within 120 days. |
+| Quality | Quality updates fix a specific problem and addresses a noncritical, non-security-related bug. Quality updates could include performance fixes for a specific problem or changes related to cache efficiency or maximum egress for example. Quality updates are released along with security updates or when necessary to ensure proper functioning of the Microsoft Connected Cache software. |
+
+For information on all released Microsoft Connected Cache updates, see the [Connected Cache release notes](mcc-ent-release-notes.md).
diff --git a/windows/deployment/do/mcc-ent-verify-cache-node.md b/windows/deployment/do/mcc-ent-verify-cache-node.md
new file mode 100644
index 0000000000..6d1eacb092
--- /dev/null
+++ b/windows/deployment/do/mcc-ent-verify-cache-node.md
@@ -0,0 +1,46 @@
+---
+title: Verify Microsoft Connected Cache for Enterprise and Education cache node functionality
+description: Details on how to verify functionality of Microsoft Connected Cache for Enterprise and Education cache nodes.
+author: chrisjlin
+ms.author: lichris
+manager: naengler
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: how-to
+ms.date: 10/30/2024
+appliesto:
+- ✅ Windows-hosted Connected Cache cache nodes
+- ✅ Linux-hosted Connected Cache cache nodes
+- ✅ Microsoft Connected Cache for Enterprise and Education
+---
+
+# Verify Connected Cache node functionality
+
+This article describes how to verify that a Microsoft Connected Cache for Enterprise and Education cache node is functioning correctly.
+
+These steps should be taken after deploying Connected Cache software to a [Windows](mcc-ent-deploy-to-windows.md) or [Linux](mcc-ent-deploy-to-linux.md) host machine.
+
+## Steps to verify functionality of Connected Cache node
+
+1. To verify that the Connected Cache container on the host machine is running and reachable, run the following command from the host machine:
+
+ ```powershell
+ wget http://localhost/filestreamingservice/files/7bc846e0-af9c-49be-a03d-bb04428c9bb5/Microsoft.png?cacheHostOrigin=dl.delivery.mp.microsoft.com
+ ```
+
+ If successful, there should be an HTTP response with StatusCode 200.
+
+1. To verify that Windows clients in your network can reach the Connected Cache node, visit the following address from a web browser on a Windows client device:
+
+ `http://[HostMachine-IP-address]/filestreamingservice/files/7bc846e0-af9c-49be-a03d-bb04428c9bb5/Microsoft.png?cacheHostOrigin=dl.delivery.mp.microsoft.com`
+
+ If successful, the Windows client device should begin to download a small image file from the Connected Cache node.
+
+1. To check how much content an individual Windows client has downloaded from a Connected Cache node, open the [Delivery Optimization activity monitor](/microsoft-365-apps/updates/delivery-optimization#viewing-data-about-the-use-of-delivery-optimization) on the Windows client device.
+
+ You should see a donut chart titled **Download Statistics**. If the Windows client has downloaded content from the cache node, you'll see a segment of the donut labeled **From Microsoft cache server**.
+
+## Related content
+
+- [Monitor cache node usage](mcc-ent-monitoring.md)
+- [Troubleshoot cache node](mcc-ent-troubleshooting.md)
diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md
deleted file mode 100644
index 6264ea32c4..0000000000
--- a/windows/deployment/do/mcc-enterprise-appendix.md
+++ /dev/null
@@ -1,138 +0,0 @@
----
-title: Appendix for MCC for Enterprise and Education
-description: This article contains reference information for Microsoft Connected Cache (MCC) for Enterprise and Education.
-ms.service: windows-client
-ms.subservice: itpro-updates
-ms.topic: reference
-ms.author: carmenf
-author: cmknox
-manager: aaroncz
-ms.reviewer: mstewart
-ms.collection:
- - tier3
- - must-keep
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 05/23/2024
----
-
-# Appendix
-
-## Steps to obtain an Azure subscription ID
-
-
-[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]
-
-### Troubleshooting
-
-If you're not able to sign up for a Microsoft Azure subscription with the **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** error, see the following articles:
-
-- [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription).
-- [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up).
-
-## Hardware specifications
-
-Most customers choose to install their cache node on a Windows Server with a nested Hyper-V VM. If this isn't supported in your network, some customers have also opted to install their cache node using VMware. At this time, a Linux-only solution isn't available and Azure VMs don't support the standalone Microsoft Connected Cache.
-
-### Installing on VMware
-
-Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMware. To do so, there are a couple of additional configurations to be made. Ensure the VM is turned off before making the following configuration changes:
-
-1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**.
-1. Using the Hyper-V Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"** and **"Forged transmits"** are switched to **Yes**.
-
-### Installing on Hyper-V
-
-To learn more about how to configure Intel and AMD processors to support nested virtualization, see [Run Hyper-V in a Virtual Machine with Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization).
-
-## Diagnostics Script
-
-If you're having issues with your MCC, we included a diagnostics script. The script collects all your logs and zips them into a single file. You can then send us these logs via email for the MCC team to debug.
-
-To run this script:
-
-1. Navigate to the following folder in the MCC installation files:
-
- mccinstaller > Eflow > Diagnostics
-
-1. Run the following commands:
-
- ```powershell
- Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
- .\collectMccDiagnostics.ps1
- ```
-
-1. The script stores all the debug files into a folder and then creates a tar file. After the script is finished running, it will output the path of the tar file, which you can share with us. The location should be **\**\mccdiagnostics\support_bundle_\$timestamp.tar.gz
-
-1. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process.
-
-## IoT Edge runtime
-
-The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices.
-The runtime sits on the IoT Edge device, and performs management and
-communication operations. The runtime performs several functions:
-
-- Installs and update workloads (Docker containers) on the device.
-- Maintains Azure IoT Edge security standards on the device.
-- Ensures that IoT Edge modules (Docker containers) are always running.
-- Reports module (Docker containers) health to the cloud for remote monitoring.
-- Manages communication between an IoT Edge device and the cloud.
-
-For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge).
-
-## Routing local Windows clients to an MCC
-
-### Get the IP address of your MCC using ifconfig
-
-There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC.
-
-#### Registry key
-
-You can either set your MCC IP address or FQDN using:
-
-1. Registry key (version 1709 and later):
- `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization`
-
- "DOCacheHost"=" "
-
- From an elevated command prompt:
-
- ```powershell
- reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f
- ```
-
-1. MDM path (version 1809 and later):
-
- `.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost`
-
-1. In Windows (release version 1809 and later), you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the MCC using Group Policy, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. Set the **Cache Server Hostname** to the IP address of your MCC, such as `10.137.187.38`.
-
- :::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png":::
-
-## Verify content using the DO client
-
-To verify that the Delivery Optimization client can download content using MCC, you can use the following steps:
-
-1. Download a game or application from the Microsoft Store.
-
- :::image type="content" source="./images/ent-mcc-store-example-download.png" alt-text="Screenshot of the Microsoft Store with the game, Angry Birds 2, selected.":::
-
-1. Verify downloads came from MCC by one of two methods:
-
- - Using the PowerShell Cmdlet Get-DeliveryOptimizationStatus you should see *BytesFromCacheServer*.
-
- :::image type="content" source="./images/ent-mcc-get-deliveryoptimizationstatus.png" alt-text="Screenshot of the output of Get-DeliveryOptimization | FT from PowerShell." lightbox="./images/ent-mcc-get-deliveryoptimizationstatus.png":::
-
- - Using the Delivery Optimization Activity Monitor
-
- :::image type="content" source="./images/ent-mcc-delivery-optimization-activity.png" alt-text="Screenshot of the Delivery Optimization Activity Monitor.":::
-
-## EFLOW
-
-- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows)
-- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge)
-- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions)
-- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow)
-- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers)
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md
deleted file mode 100644
index 5cc7236b51..0000000000
--- a/windows/deployment/do/mcc-enterprise-deploy.md
+++ /dev/null
@@ -1,418 +0,0 @@
----
-title: Deploying your cache node
-description: How to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node from the Azure portal.
-ms.service: windows-client
-ms.subservice: itpro-updates
-ms.topic: how-to
-ms.author: carmenf
-author: cmknox
-ms.reviewer: mstewart
-manager: aaroncz
-ms.collection: tier3
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 05/23/2024
----
-
-# Deploy your cache node
-
-This article describes how to deploy a Microsoft Connected Cache (MCC) for Enterprise and Education cache node.
-
-## Steps to deploy MCC
-
-To deploy MCC to your server:
-
-1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id)
-1. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure)
-1. [Create an MCC Node](#create-an-mcc-node-in-azure)
-1. [Edit Cache Node Information](#edit-cache-node-information)
-1. [Install MCC on a physical server or VM](#install-mcc-on-windows)
-1. [Verify MCC functionality](#verify-mcc-server-functionality)
-1. [Review common Issues](#common-issues) if needed.
-
-### Provide Microsoft with the Azure subscription ID
-
-As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft.
-
-> [!IMPORTANT]
-> As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
-
-For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id).
-
-### Create the MCC resource in Azure
-
-The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes.
-
-Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below.
-
-1. In the Azure portal home page, choose **Create a resource**:
-
- :::image type="content" source="./images/ent-mcc-create-azure-resource.png" alt-text="Screenshot of the Azure portal. The create a resource option is outlined in red.":::
-
-1. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results.
-
- > [!NOTE]
- > You won't see Microsoft Connected Cache in the drop-down list. You'll need to type the string and press enter to see the result.
-
-1. Select **Microsoft Connected Cache Enterprise** and choose **Create** on the next screen to start the process of creating the MCC resource.
-
- :::image type="content" source="./images/ent-mcc-azure-search-result.png" alt-text="Screenshot of the Azure portal search results for Microsoft Connected Cache.":::
-
- :::image type="content" source="./images/ent-mcc-azure-marketplace.png" alt-text="Screenshot of Microsoft Connected Cache Enterprise within the Azure Marketplace.":::
-
-1. Fill in the required fields to create the MCC resource.
-
- - Choose the subscription that you provided to Microsoft.
- - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group.
- - Choose **(US) West US** for the location of the resource. This choice won't impact MCC if the physical location isn't in the West US, it's just a limitation of the preview.
-
- > [!IMPORTANT]
- > Your MCC resource will not be created properly if you do not select **(US) West US**
-
- - Choose a name for the MCC resource.
- - Your MCC resource must not contain the word **Microsoft** in it.
-
- :::image type="content" source="./images/ent-mcc-azure-create-connected-cache.png" alt-text="Screenshot of the Create a Connected Cache page within the Azure Marketplace.":::
-
-1. Once all the information has been entered, select the **Review + Create** button. Once validation is complete, select the **Create** button to start the resource creation.
-
- :::image type="content" source="./images/ent-mcc-azure-cache-created.png" alt-text="Screenshot of the completed cache deployment within the Azure." lightbox="./images/ent-mcc-azure-cache-created.png":::
-
-#### Error: Validation failed
-
-- If you get a Validation failed error message on your portal, it's likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**.
- - To resolve this error, go to the previous step and choose **(US) West US**.
-
- :::image type="content" source="./images/ent-mcc-create-cache-failed.png" alt-text="Screenshot of a failed cache deployment due to an incorrect location.":::
-
-### Create an MCC node in Azure
-
-Creating an MCC node is a multi-step process and the first step is to access the MCC early preview management portal.
-
-1. After the successful resource creation, select **Go to resource**.
-1. Under **Cache Node Management** section on the leftmost panel, select **Cache Nodes**.
-
- :::image type="content" source="./images/ent-mcc-cache-nodes.png" alt-text="Screenshot of the Cache Node Management section with the navigation link to the Cache Nodes page outlined in red.":::
-
-1. On the **Cache Nodes** blade, select the **Create Cache Node** button.
-
- :::image type="content" source="./images/ent-mcc-create-cache-node.png" alt-text="Screenshot of the Cache Nodes page with the Create Cache Node option outlined in red.":::
-
-1. Selecting the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation.
-
- | Field Name | Expected Value | Description |
- |---|---|---|
- | **Cache Node Name** | Alphanumeric name that doesn't include any spaces. | The name of the cache node. You may choose names based on location such as `Seattle-1`. This name must be unique and can't be changed later. |
-
-1. Enter the information for the **Cache Node** and select the **Create** button.
-
- :::image type="content" source="./images/ent-mcc-create-cache-node-name.png" alt-text="Screenshot of the Cache Nodes page displaying the Cache Node Name text entry during the creation process.":::
-
-If there are errors, the form will provide guidance on how to correct the errors.
-
-Once the MCC node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-mcc-on-windows) section.
-
-:::image type="content" source="./images/ent-mcc-connected-cache-installer-download.png" alt-text="Screenshot of the Connected Cache installer download button, installer instructions, and script.":::
-
-#### Edit cache node information
-
-Cache nodes can be deleted here by selecting the check box to the left of a **Cache Node Name** and then selecting the delete toolbar item. Be aware that if a cache node is deleted, there's no way to recover the cache node or any of the information related to the cache node.
-
-:::image type="content" source="./images/ent-mcc-delete-cache-node.png" alt-text="Screenshot of deleting a cache node from the Cache Nodes page.":::
-
-### Install MCC on Windows
-
-Installing MCC on your Windows device is a simple process. A PowerShell script performs the following tasks:
-
-- Installs the Azure CLI
-- Downloads, installs, and deploys EFLOW
-- Enables Microsoft Update so EFLOW can stay up to date
-- Creates a virtual machine
-- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications.
-- Configures Connected Cache tuning settings.
-- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge.
-- Deploys the MCC container to server.
-
-#### Run the installer
-
-1. Download and unzip `mccinstaller.zip` from the create cache node page or cache node configuration page, both of which contain the necessary installation files.
-
- :::image type="content" source="./images/ent-mcc-download-installer.png" alt-text="Screenshot of the download installer option on the Create Cache Node page.":::
-
- The following files are contained in the `mccinstaller.zip` file:
-
- - **installmcc.ps1**: Main installer file.
- - **installEflow.ps1**: Installs the necessary prerequisites such as the Linux VM, IoT Edge runtime, and Docker, and makes necessary host OS settings to optimize caching performance.
- - **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support MCC control plane.
- - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container, such as cache drive location sizes.
- - **updatemcc.ps1**: The update script used to upgrade MCC to a particular version.
- - **mccupdate.json**: Used as part of the update script
-
-1. Open Windows PowerShell as administrator then navigate to the location of these files.
-
- > [!NOTE]
- > Ensure that Hyper-V is enabled on your device.
- > - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v)
- > - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)'
- >
- > Don't use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported.
-
-1. **If you're installing MCC on a local virtual machine**, turn the virtual machine **off** while you enable nested virtualization and MAC spoofing.
- 1. Enable nested virtualization:
-
- ```powershell
- Set-VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true
- ```
-
- 1. Enable MAC spoofing:
-
- ```powershell
- Get-VMNetworkAdapter -VMName "VM name" | Set-VMNetworkAdapter -MacAddressSpoofing On
- ```
-
-1. Set the execution policy.
-
- ```powershell
- Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
- ```
-
- > [!NOTE]
- > After setting the execution policy, you'll see a warning asking if you wish to change the execution policy. Choose **[A] Yes to All**.
-
-1. Copy the command from the Azure portal and run it in Windows PowerShell.
-
- :::image type="content" source="./images/ent-mcc-installer-script.png" alt-text="Screenshot of the installer script for the connected cache node.":::
-
- > [!NOTE]
- > After running the command, and multiple times throughout the installation process, you'll receive the following notice. Select **[R] Run once** to proceed.
- >
- > Security warning
- > Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\Users\mccinstaller\Eflow\installmcc.ps1?
- >
- > [D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"):
-
-1. Choose whether you would like to create a new external virtual switch or select an existing external virtual switch.
-
- If creating a new external virtual switch, name your switch and be sure to choose a Local Area Connection (USB adapters work as well however, we do not recommend using Wi-Fi). A computer restart will be required if you're creating a new switch.
-
- > [!NOTE]
- > Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted.
-
- If you restarted your computer after creating a switch, start from step 2 above and skip to step 5.
-
- If you opt to use an existing external switch, select the switch from the presented options. Local Area Connection (or USB) is preferable to Wi-Fi.
-
- :::image type="content" source="./images/ent-mcc-script-new-switch.png" alt-text="Screenshot of the installer script running in PowerShell when a new switch is created." lightbox="./images/ent-mcc-script-new-switch.png":::
-
-1. Rerun the script after the restart. This time, choose **No** when asked to create a new switch. Enter the number corresponding to the switch you previously created.
-
- :::image type="content" source="./images/ent-mcc-script-existing-switch.png" alt-text="Screenshot of the installer script running in PowerShell when using an existing switch." lightbox="./images/ent-mcc-script-existing-switch.png":::
-
-1. Decide whether you would like to use dynamic or static address for the Eflow VM. If you choose to use a static IP, do not use the IP address of the server. It is a VM, and it will have its own IP.
-
- :::image type="content" source="./images/ent-mcc-script-dynamic-address.png" alt-text="Screenshot of the installer script running in PowerShell asking if you'd like to use a dynamic address." lightbox="./images/ent-mcc-script-dynamic-address.png":::
-
- > [!NOTE]
- > Choosing a dynamic IP address might assign a different IP address when the MCC restarts. A static IP address is recommended so you don't have to change this value in your management solution when MCC restarts.
-
- The IP address you assign to the EFLOW VM should be within the same subnet as the host server (based on the subnet mask) and not used by any other machine on the network.
- For example, for host configuration where the server IP Address is 192.168.1.202 and the subnet mask is 255.255.255.0, the static IP can be anything 192.168.1.* except 192.168.1.202.
-
- :::image type="content" source="./images/external-switch-1.jpg" alt-text="Screenshot of a sample output of ipconfig command showing example of subnet mask." lightbox="./images/external-switch-1.jpg":::
-
- :::image type="content" source="./images/assigning-ip-2.png" alt-text="Screenshot of multiple installer questions about ipv4 address for Eflow." lightbox="./images/assigning-ip-2.png":::
-
- If you would like to use your own DNS server instead of Google DNS 8.8.8.8, select **n** and set your own DNS server IP.
-
- :::image type="content" source="./images/use-custom-dns-3.png" alt-text="Screenshot of multiple installer questions about setting an alternate DNS server." lightbox="./images/use-custom-dns-3.png":::
-
- If you use a dynamic IP address, the DHCP server will automatically configure the IP address and DNS settings.
-
-1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for download path, install path, and virtual hard disk path.
-
-
- :::image type="content" source="./images/installation-info-4.png" alt-text="Screenshot of multiple installer questions about memory and storage for EFLOW." lightbox="./images/installation-info-4.png":::
-
- For more information, see [Sizing Recommendations](mcc-enterprise-prerequisites.md#sizing-recommendations) for memory, virtual storage, and CPU cores. For this example we chose the recommended values for a Branch Office/Small Enterprise deployment.
-
-
- :::image type="content" source="./images/memory-storage-5.png" alt-text="Screenshot of multiple installer questions about memory and storage." lightbox="./images/memory-storage-5.png":::
-
-1. When the installation is complete, you should see the following output (the values below will be your own)
-
- :::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png":::
-
-
- :::image type="content" source="./images/installation-complete-7.png" alt-text="Screenshot of expected output when installation is complete." lightbox="./images/installation-complete-7.png":::
-
-1. Your MCC deployment is now complete.
-
- If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
- - After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
- - If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
-
-## Verify MCC server functionality
-
-#### Verify client side
-
-Connect to the EFLOW VM and check if MCC is properly running:
-
-1. Open PowerShell as an Administrator.
-2. Enter the following commands:
-
- ```powershell
- Connect-EflowVm
- sudo -s
- iotedge list
- ```
-
- :::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png":::
-
-You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy. If iotedge list times out, you can run docker ps -a to list the running containers.
-If the 3 containers are still not running, run the following commands to check if DNS resolution is working correctly:
-
-```bash
-ping www.microsoft.com
-resolvectl query microsoft.com
-```
-
-See the [common issues](#common-issues) section for more information.
-
-#### Verify server side
-
-To validate that MCC is properly functioning, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server.
-
-```powershell
-wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
-```
-
-A successful test result will display a status code of 200 along with additional information.
-
-:::image type="content" source="./images/ent-mcc-verify-server-ssh.png" alt-text="Screenshot of a successful wget with an SSH client." lightbox="./images/ent-mcc-verify-server-ssh.png":::
-
-:::image type="content" source="./images/ent-mcc-verify-server-powershell.png" alt-text="Screenshot of a successful wget using PowerShell." lightbox="./images/ent-mcc-verify-server-powershell.png":::
-
-Similarly, enter the following URL from a browser in the network:
-
-`http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com`
-
-If the test fails, see the [common issues](#common-issues) section for more information.
-
-### Intune (or other management software) configuration for MCC
-
-For an [Intune](/mem/intune/) deployment, create a **Configuration Profile** and include the Cache Host eFlow IP Address or FQDN:
-
-:::image type="content" source="./images/ent-mcc-intune-do.png" alt-text="Screenshot of Intune showing the Delivery Optimization cache server host names.":::
-
-## Common Issues
-
-#### PowerShell issues
-
-If you're seeing errors similar to this error: `The term Get- isn't recognized as the name of a cmdlet, function, script file, or operable program.`
-
-1. Ensure you're running Windows PowerShell version 5.x.
-
-1. Run \$PSVersionTable and ensure you're running version 5.x and *not version 6 or 7*.
-
-1. Ensure you have Hyper-V enabled:
-
- **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v)
-
- **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)
-
-#### Verify Running MCC Container
-
-Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands:
-
-```bash
-Connect-EflowVm
-sudo iotedge list
-```
-
-:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png":::
-
-If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command:
-
-```bash
-sudo journalctl -u iotedge -f
-```
-
-This command will provide the current status of the starting, stopping of a container, or the container pull and start.
-
-:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png":::
-
-> [!NOTE]
-> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation.
-
-
-### DNS needs to be configured
-
-Run the following IoT Edge install state check:
-
-```bash
-sudo iotedge check --verbose
-```
-
-If you see issues with ports 5671, 443, and 8883, your IoT Edge device needs to update the DNS for Docker.
-
-To configure the device to work with your DNS, use the following steps:
-
-1. Use `ifconfig` to find the appropriate NIC adapter name.
-
- ```bash
- ifconfig
- ```
-
-1. Run `nmcli device show ` to show the DNS name for the ethernet adapter. For example, to show DNS information for **eno1**:
-
- ```bash
- nmcli device show eno1
- ```
-
- :::image type="content" source="images/mcc-isp-nmcli.png" alt-text="Screenshot of a sample output of nmcli command to show network adapter information." lightbox="./images/mcc-isp-nmcli.png":::
-
-1. Open or create the Docker configuration file used to configure the DNS server.
-
- ```bash
- sudo nano /etc/docker/daemon.json
- ```
-
-1. Paste the following string into the **daemon.json** file, and include the appropriate DNS server address. For example, in the previous screenshot, `IP4.DNS[1]` is `10.50.10.50`.
-
- ```bash
- { "dns": ["x.x.x.x"]}
- ```
-
-1. Save the changes to daemon.json. If you need to change permissions on this file, use the following command:
-
- ```bash
- sudo chmod 555 /etc/docker/daemon.json
- ```
-
-1. Restart Docker to pick up the new DNS setting. Then restart IoT Edge.
-
- ```bash
- sudo systemctl restart docker
- sudo systemctl daemon-reload
- sudo restart IoTEdge
- ```
-
-### Resolve DNS issues
-
-Follow these steps if you see a DNS error when trying to resolve hostnames during the provisioning or download of container:
-Run `Get-EflowVmEndpoint` to get interface name
-
-Once you get the name:
-
-```bash
-Set-EflowVmDNSServers -vendpointName "interface name from above" -dnsServers @("DNS_IP_ADDRESS")
-Stop-EflowVm
-Start-EflowVm
-```
diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md
deleted file mode 100644
index 1e33e85158..0000000000
--- a/windows/deployment/do/mcc-enterprise-prerequisites.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Requirements for MCC for Enterprise and Education
-description: Overview of prerequisites and recommendations for using Microsoft Connected Cache (MCC) for Enterprise and Education.
-ms.service: windows-client
-ms.subservice: itpro-updates
-ms.topic: conceptual
-ms.author: carmenf
-author: cmknox
-manager: aaroncz
-ms.reviewer: mstewart
-ms.collection: tier3
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- - ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 05/23/2024
----
-
-# Requirements of Microsoft Connected Cache for Enterprise and Education (early preview)
-
-> [!NOTE]
-> As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
-
-## Enterprise requirements for MCC
-
-1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services.
-
- Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription costs you nothing. If you don't have an Azure subscription already, you can create an Azure [pay-as-you-go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
-
- The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions.
-1. **Hardware to host MCC**: The recommended configuration serves approximately 35,000 managed devices, downloading a 2-GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
-
- > [!NOTE]
- > Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations.
-
- **EFLOW requires Hyper-V support**
- - On Windows client, enable the Hyper-V feature.
- - On Windows Server, install the Hyper-V role and create a default network switch.
- - For more requirements, see [EFLOW requirements](/azure/iot-edge/iot-edge-for-linux-on-windows#prerequisites).
-
- Disk recommendations:
- - Using an SSD is recommended as cache read speed of SSD is superior to HDD
-
- NIC requirements:
- - Multiple NICs on a single MCC instance aren't supported.
- - 1 Gbps NIC is the minimum speed recommended but any NIC is supported.
- - For best performance, NIC and BIOS should support SR-IOV.
-
- VM networking:
- - An external virtual switch to support outbound and inbound network communication (created during the installation process)
-1. **Content endpoints**: If you're using a proxy or firewall, certain endpoints must be allowed through in order for your MCC to cache and serve content. See [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md) for the list of required endpoints.
-
-## Sizing recommendations
-
-| Component | Branch Office / Small Enterprise | Large Enterprise |
-| -- | --- | --- |
-| OS| Windows Server 2019*/2022 Windows 10*/11 (Pro or Enterprise) with Hyper-V Support * Windows 10 and Windows Server 2019 build 17763 or later | Same |
-|NIC | 1 Gbps | 5 Gbps |
-|Disk | SSD 1 drive 50 GB each |SSD 1 drive 200 GB each |
-|Memory | 4 GB | 8 GB |
-|Cores | 4 | 8 |
diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md
deleted file mode 100644
index 8ffa3c50c7..0000000000
--- a/windows/deployment/do/mcc-enterprise-update-uninstall.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Uninstall MCC for Enterprise and Education
-description: Details on how to uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment.
-ms.service: windows-client
-ms.subservice: itpro-updates
-ms.topic: how-to
-ms.author: carmenf
-author: cmknox
-manager: aaroncz
-ms.reviewer: mstewart
-ms.collection:
- - tier3
- - must-keep
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 05/23/2024
----
-
-
-# Uninstall MCC
-
-Contact the MCC Team before uninstalling to let us know if you're facing issues.
-
-This script removes the following items:
-
-1. EFLOW + Linux VM
-1. IoT Edge
-1. Edge Agent
-1. Edge Hub
-1. MCC
-1. Moby CLI
-1. Moby Engine
-
-To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT
-Edge LTS \> Uninstall
diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md
index 1b038f6404..807fdb43d0 100644
--- a/windows/deployment/do/mcc-isp-cache-node-configuration.md
+++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md
@@ -27,8 +27,8 @@ All cache node configuration takes place within Azure portal. This article outli
| Field Name | Expected Value| Description |
| -- | --- | --- |
| **Cache node name** | Alphanumeric string that contains no spaces | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. |
-| **Server IP address** | IPv4 address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. |
-| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.|
+| **Server IP address** | IPv4 address | IP address of your Microsoft Connected Cache server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. |
+| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your Connected Cache based on the specifications of your hardware. For example, 10,000 Mbps.|
| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. |
## Storage
@@ -42,6 +42,6 @@ All cache node configuration takes place within Azure portal. This article outli
| Field Name | Expected Value| Description |
| -- | --- | --- |
-| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 |
+| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the Connected Cache server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 |
| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. |
| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. |
diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md
index 4b56a710bb..fbe4478bf8 100644
--- a/windows/deployment/do/mcc-isp-create-provision-deploy.md
+++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md
@@ -84,7 +84,7 @@ To set up and enable BGP routing for your cache node, follow the steps below:
1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing).
- If you choose **Manual routing**, enter your address range/CIDR blocks.
- - If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship. Use your ASN, the one used to sign up for MCC. MCC will be automatically assigned as the same ASN as the neighbor.
+ - If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship. Use your ASN, the one used to sign up for Microsoft Connected Cache. Connected Cache will be automatically assigned as the same ASN as the neighbor.
> [!NOTE]
> **Prefix count** and **IP Space** will stop displaying `0` when BGP is successfully established.
@@ -96,12 +96,12 @@ Once the user executes the cache server provisioning script, resources are creat
#### IoT Edge
-IoT Edge performs several functions important to manage MCC on your edge device:
+IoT Edge performs several functions important to manage Connected Cache on your edge device:
-1. Installs and updates MCC on your edge device.
+1. Installs and updates Connected Cache on your edge device.
1. Maintains Azure IoT Edge security standards on your edge device.
-1. Ensures that MCC is always running.
-1. Reports MCC health and usage to the cloud for remote monitoring.
+1. Ensures that Connected Cache is always running.
+1. Reports Connected Cache health and usage to the cloud for remote monitoring.
#### Docker container engine
@@ -121,7 +121,7 @@ There are five IDs that the device provisioning script takes as input in order t
#### Provision your server
> [!IMPORTANT]
-> Have you correctly mounted your disk? Your MCC will not be successfully installed without this important step. Before provisioning your server, ensure your disk is correctly mounted by following the instructions here: [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
+> Have you correctly mounted your disk? Your Connected Cache will not be successfully installed without this important step. Before provisioning your server, ensure your disk is correctly mounted by following the instructions here: [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
:::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal.":::
@@ -145,8 +145,8 @@ There are five IDs that the device provisioning script takes as input in order t
| Field Name | Expected Value| Description |
|---|---|---|
| **Cache node name** | Alphanumeric string that contains no spaces | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. |
-| **Server IP address** | IPv4 address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. |
-| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.|
+| **Server IP address** | IPv4 address | IP address of your Connected Cache server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. |
+| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your Connected Cache based on the specifications of your hardware. For example, 10,000 Mbps.|
| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. |
### Storage fields
@@ -164,6 +164,6 @@ There are five IDs that the device provisioning script takes as input in order t
| Field Name | Expected Value| Description |
|---|---|---|
-| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 |
+| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the Connected Cache server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 |
| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. |
| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. |
diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml
index d4b3478551..a5c2e9f782 100644
--- a/windows/deployment/do/mcc-isp-faq.yml
+++ b/windows/deployment/do/mcc-isp-faq.yml
@@ -28,7 +28,7 @@ sections:
- question: What will Microsoft Connected Cache do for me? How will it impact our customers?
answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs.
- question: I already peer with Microsoft(8075). What benefit will I receive by adding Microsoft Connected Cache to my network?
- answer: MCC complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing MCC.
+ answer: Microsoft Connected Cache complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing Connected Cache.
- question: Is there a non-disclosure agreement to sign?
answer: No, a non-disclosure agreement isn't required.
- question: What are the prerequisites and hardware requirements?
@@ -79,7 +79,7 @@ sections:
- question: Is IPv6 supported?
answer: No, we don't currently support IPV6. We plan to support it in the future.
- question: Is Microsoft Connected Cache stable and reliable?
- answer: We have already successfully onboarded ISPs in many countries and regions around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers.
+ answer: We have already successfully onboarded ISPs in many countries and regions around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of Connected Cache before expanding to more customers.
- question: How does Microsoft Connected Cache populate its content?
answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD.
- question: What CDNs does Microsoft Connected Cache pull content from?
@@ -99,7 +99,7 @@ sections:
answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender `microsoft-noreply@microsoft.com`.
- question: I noticed I can set up BGP for routing. How does BGP routing work for Microsoft Connected Cache?
answer: BGP routing can be set up as an automatic method of routing traffic. To learn more about how BGP is used with Microsoft Connected Cache, see [BGP Routing](mcc-isp-create-provision-deploy.md#bgp-routing).
- - question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned?
- answer: Even when the quota of 8k messages is hit, the MCC functionality isn't affected. Your client devices continue to download content as normal. You also won't be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the early preview and isn't an issue during public preview.
+ - question: I have an active Connected Cache, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my Connected Cache performance and should I be concerned?
+ answer: Even when the quota of 8k messages is hit, the Connected Cache functionality isn't affected. Your client devices continue to download content as normal. You also won't be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. Connected Cache will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your Connected Cache and the daily quota was reached, your Connected Cache might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the early preview and isn't an issue during public preview.
- question: What do I do if I need more support and have more questions even after reading this FAQ page?
answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md).
diff --git a/windows/deployment/do/mcc-isp-overview.md b/windows/deployment/do/mcc-isp-overview.md
index 41ecaaaf1c..46fd985ffc 100644
--- a/windows/deployment/do/mcc-isp-overview.md
+++ b/windows/deployment/do/mcc-isp-overview.md
@@ -1,6 +1,6 @@
---
-title: MCC for ISPs Overview
-description: Overview of Microsoft Connected Cache for ISPs. Learn about how MCC works, supported scenarios, and supported content.
+title: Microsoft Connected Cache for ISPs Overview
+description: Overview of Microsoft Connected Cache for ISPs. Learn about how Connected Cache works, supported scenarios, and supported content.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: overview
@@ -18,7 +18,7 @@ ms.date: 05/23/2024
# Microsoft Connected Cache for ISPs overview
-Microsoft Connected Cache (MCC) for Internet Service Providers (preview) is a free software-only caching solution that delivers Microsoft content. MCC can be deployed free of charge to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
+Microsoft Connected Cache for Internet Service Providers (preview) is a free software-only caching solution that delivers Microsoft content. Connected Cache can be deployed free of charge to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, Connected Cache can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
## Supported scenarios
@@ -41,40 +41,40 @@ For the full list of content endpoints that Microsoft Connected Cache for ISPs s
### Are you already peering with 8075?
-MCC complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing MCC.
+Connected Cache complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing Connected Cache.
:::image type="content" source="./media/mcc-isp-overview/mcc-isp-peeringvsmcc.png" alt-text="Chart containing Peering vs Cache Content Traffic." lightbox="./media/mcc-isp-overview/mcc-isp-peeringvsmcc.png":::
-## How MCC works
+## How Connected Cache works
:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png":::
-The following steps describe how MCC is provisioned and used:
+The following steps describe how Connected Cache is provisioned and used:
-1. The Azure portal is used to create and manage MCC nodes.
+1. The Azure portal is used to create and manage Connected Cache nodes.
-1. A shell script is used to provision the server and deploy the MCC application.
+1. A shell script is used to provision the server and deploy the Connected Cache application.
-1. A combination of the Azure portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server.
+1. A combination of the Azure portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the Connected Cache server.
- The publicly accessible IPv4 address of the server is configured on the portal.
- - **Manual Routing:** Providing the CIDR blocks that represent the client IP address space, which should be routed to the MCC node.
+ - **Manual Routing:** Providing the CIDR blocks that represent the client IP address space, which should be routed to the Connected Cache node.
- - **BGP Routing:** A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the MCC node.
+ - **BGP Routing:** A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the Connected Cache node.
> [!NOTE]
> Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error.
-1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node.
+1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding Connected Cache node.
-1. Microsoft clients make the range requests for content from the MCC node.
+1. Microsoft clients make the range requests for content from the Connected Cache node.
-1. An MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
+1. A Connected Cache node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
1. Subsequent requests from end-user devices for content will be served from cache.
-1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
+1. If the Connected Cache node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
### Hardware recommendation
diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md
index ba0eda79c2..dbced5230c 100644
--- a/windows/deployment/do/mcc-isp-support.md
+++ b/windows/deployment/do/mcc-isp-support.md
@@ -36,7 +36,7 @@ During sign-up, a verification code is sent to your NOC email address present in
#### Unable to re-sign up
-Delete any MCC resource that you're using before you resign up for the service. Deleting any existing MCC resource unlocks your ASN, which allows you to successfully sign up.
+Delete any Microsoft Connected Cache resource that you're using before you resign up for the service. Deleting any existing Connected Cache resource unlocks your ASN, which allows you to successfully sign up.
### Cache Node Errors
@@ -100,9 +100,9 @@ iotedge check -verbose
## Diagnose and Solve Problems
-If this article isn't resolving the issue you're facing with your cache node, you can use the **Diagnose and solve problems** functionality within your MCC resource to continue troubleshooting. **Diagnose and solve problems** contains solutions to most common problems that users might face as they onboard.
+If this article isn't resolving the issue you're facing with your cache node, you can use the **Diagnose and solve problems** functionality within your Connected Cache resource to continue troubleshooting. **Diagnose and solve problems** contains solutions to most common problems that users might face as they onboard.
-You can find **Diagnose and solve problems** on the left pane within your MCC resource.
+You can find **Diagnose and solve problems** on the left pane within your Connected Cache resource.
:::image type="content" source="images/mcc-isp-diagnose-solve.png" alt-text="A screenshot of Azure portal showing the Diagnose and Solve problems tab on the left hand pane of Azure portal." lightbox="images/mcc-isp-diagnose-solve.png":::
diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md
index e5140cb315..58f6d51180 100644
--- a/windows/deployment/do/mcc-isp-update.md
+++ b/windows/deployment/do/mcc-isp-update.md
@@ -33,7 +33,7 @@ To view which version your cache nodes are currently on, navigate to the **Cache
There are two main steps required to uninstall your cache node:
1. Remove your cache node from Azure portal
-1. Run the uninstall script to cleanly remove MCC from your server
+1. Run the uninstall script to cleanly remove Microsoft Connected Cache from your server
You must complete both steps to ensure a clean uninstall of your cache node.
@@ -50,7 +50,7 @@ The **uninstallmcc.sh** script removes the following components:
- IoT Edge
- Edge Agent
- Edge Hub
-- MCC
+- Connected Cache
- Moby CLI
- Moby engine
diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md
index c43bf3738f..1eed1cb75c 100644
--- a/windows/deployment/do/mcc-isp-verify-cache-node.md
+++ b/windows/deployment/do/mcc-isp-verify-cache-node.md
@@ -49,7 +49,7 @@ Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the *
It can take a few minutes for the container to deploy after you've saved the configuration.
-To validate a properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace `` with the IP address of the cache server.
+To validate a properly functioning Microsoft Connected Cache, run the following command in the terminal of the cache server or any device in the network. Replace `` with the IP address of the cache server.
```bash
wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md
index 5fafc85e89..f3d3079534 100644
--- a/windows/deployment/do/mcc-isp-vm-performance.md
+++ b/windows/deployment/do/mcc-isp-vm-performance.md
@@ -25,7 +25,7 @@ The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install
#### NIC requirements
-- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
+- Multiple NICs on a single Microsoft Connected Cache instance are supported using a *link aggregated* configuration.
- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
#### Drive performance
@@ -55,9 +55,9 @@ Change the following settings to maximize the egress in virtual environments:
1. Enable **Single Root I/O Virtualization (SR-IOV)** in the following three locations:
- - The BIOS of the MCC virtual machine
- - The network card properties of the MCC virtual machine
- - The hypervisor for the MCC virtual machine
+ - The BIOS of the Connected Cache virtual machine
+ - The network card properties of the Connected Cache virtual machine
+ - The hypervisor for the Connected Cache virtual machine
Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment.
diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md
index ff0a665d2e..2594e6e96a 100644
--- a/windows/deployment/do/mcc-isp.md
+++ b/windows/deployment/do/mcc-isp.md
@@ -1,6 +1,6 @@
---
title: Microsoft Connected Cache for ISPs
-description: This article contains details about the early preview for Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs).
+description: This article contains details about the early preview for Microsoft Connected Cache for Internet Service Providers (ISPs).
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
@@ -10,7 +10,7 @@ ms.reviewer: mstewart
manager: aaroncz
ms.localizationpriority: medium
ms.collection: tier3
-ms.date: 05/23/2024
+ms.date: 10/30/2024
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -20,594 +20,20 @@ appliesto:
# Microsoft Connected Cache for Internet Service Providers (early preview)
> [!IMPORTANT]
-> This document is for Microsoft Connected Cache (early preview). Microsoft Connected Cache for ISPs is now in Public Preview - for our early preview customers, we highly encourage you to onboard onto our Public Preview program. For instructions on signing up and onboarding please visit [Operator sign up and service onboarding for Microsoft Connected Cache](mcc-isp-signup.md).
+> Microsoft Connected Cache for ISPs is now in Public Preview - for our early preview customers, the early preview version is no longer supported. We highly encourage you to onboard onto our Public Preview program. For instructions on signing up and onboarding, visit [Operator sign up and service onboarding for Microsoft Connected Cache](mcc-isp-signup.md).
## Overview
-Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads.
+Microsoft Connected Cache preview is a software-only caching solution that delivers Microsoft content within operator networks. Connected Cache can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads. For more information, visit [Microsoft Connected Cache for ISP](mcc-isp-overview.md).
-Microsoft Connected Cache is a hybrid application, in that it's a mix of on-premises and cloud resources. It's composed of a Docker-compatible Linux container deployed to your server and a cloud management portal. Microsoft chose Azure IoT Edge as a secure and reliable control plane. For more information on IoT Edge, see the [Appendix](#appendix). Even though your scenario isn't related to IoT, Azure IoT Edge is our secure Linux container deployment and management infrastructure.
-
-## How MCC works
-
-:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png":::
-
-The following steps describe how MCC is provisioned and used:
-
-1. The Azure Management Portal is used to create and manage MCC nodes.
-
-1. A shell script is used to provision the server and deploy the MCC application.
-
-1. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server.
-
- - The publicly accessible IPv4 address of the server is configured on the portal.
-
- - **Manual Routing:** Providing the CIDR blocks that represent the client IP address space, which should be routed to the MCC node.
-
- - **BGP Routing:** A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the MCC node.
-
- > [!NOTE]
- > Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error.
-
-1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node.
-
-1. Microsoft clients make the range requests for content from the MCC node.
-
-1. An MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
-
-1. Subsequent requests from end-user devices for content will be served from cache.
-
-1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
-
-## ISP requirements for MCC
Microsoft Connected Cache for Internet Service Providers is now in Public Preview! To get started, visit [Azure portal](https://www.portal.azure.com) to sign up for Microsoft Connected Cache for Internet Service Providers. Please see [Operator sign up and service onboarding for Microsoft Connected Cache](mcc-isp-signup.md) for more information on the requirements for sign up and onboarding.
-
-
-
-
-
-
-## Verify properly functioning MCC server
-
-### Verify client side
-
-Sign in to the Connected Cache server or use SSH. Run the following command from a terminal to see the running modules (containers):
-
-```bash
-sudo iotedge list
-```
-
-:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png":::
-
-If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command:
-
-```bash
-sudo journalctl -u iotedge -f
-```
-
-For example, this command provides the current status of the starting and stopping of a container, or the container pull and start:
-
-:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png":::
-
-### Verify server side
-
-It can take a few minutes for the container to deploy.
-
-To validate a properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace `` with the IP address of the cache server.
-
-```bash
-wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
-```
-
-The following screenshot shows a successful test result:
-
-:::image type="content" source="./images/mcc-isp-wget.png" alt-text="Screenshot of the terminal output of successful test result with wget command to validate a Microsoft Connected Cache." lightbox="./images/mcc-isp-wget.png":::
-
-Similarly, enter the following URL into a web browser on any device on the network:
-
-```http
-http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
-```
-
-If the test fails, for more information, see the [common issues](#common-issues) section.
-
-## Common Issues
-
-### Microsoft Connected Cache is no longer serving traffic
-If you did not migrate your cache node then your cache node may still be on early preview version.
-Microsoft Connected Cache for Internet Service Providers is now in Public Preview! To get started, visit [Azure portal](https://www.portal.azure.com) to sign up for Microsoft Connected Cache for Internet Service Providers. Please see [Operator sign up and service onboarding for Microsoft Connected Cache](mcc-isp-signup.md) for more information on the requirements for sign up and onboarding.
-
-
-
-
-> [!NOTE]
-> This section only lists common issues. For more information on additional issues you may encounter when configuring IoT Edge, see the [IoT Edge troubleshooting guide](/azure/iot-edge/troubleshoot).
-
-Use the following command to check the IoT Edge journal:
-
-```bash
-sudo journalctl -u iotedge -f
-```
-
-### DNS needs to be configured
-
-Run the following IoT Edge install state check:
-
-```bash
-sudo iotedge check --verbose
-```
-
-If you see issues with ports 5671, 443, and 8883, your IoT Edge device needs to update the DNS for Docker.
-
-To configure the device to work with your DNS, use the following steps:
-
-1. Use `ifconfig` to find the appropriate NIC adapter name.
-
- ```bash
- ifconfig
- ```
-
-1. Run `nmcli device show ` to show the DNS name for the ethernet adapter. For example, to show DNS information for **eno1**:
-
- ```bash
- nmcli device show eno1
- ```
-
- :::image type="content" source="images/mcc-isp-nmcli.png" alt-text="Screenshot of a sample output of nmcli command to show network adapter information." lightbox="./images/mcc-isp-nmcli.png":::
-
-1. Open or create the Docker configuration file used to configure the DNS server.
-
- ```bash
- sudo nano /etc/docker/daemon.json
- ```
-
-1. Paste the following string into the **daemon.json** file, and include the appropriate DNS server address. For example, in the previous screenshot, `IP4.DNS[1]` is `10.50.10.50`.
-
- ```bash
- { "dns": ["x.x.x.x"]}
- ```
-
-1. Save the changes to daemon.json. If you need to change permissions on this file, use the following command:
-
- ```bash
- sudo chmod 555 /etc/docker/daemon.json
- ```
-
-1. Restart Docker to pick up the new DNS setting. Then restart IoT Edge.
-
- ```bash
- sudo systemctl restart docker
- sudo systemctl daemon-reload
- sudo restart IoTEdge
- ```
-
-
-
-
-
-
-
-
-## Uninstalling MCC
-
-In the installer zip file, you'll find the file **uninstallmcc.sh**. This script uninstalls MCC and all the related components. Before you run this script, contact the MCC team. Only run it if you're facing issues with MCC installation.
-
-> [!WARNING]
-> Be cautious before running this script. It will also erase existing IoT workflows in this VM.
-
-The **uninstallmcc.sh** script removes the following components:
-
-- IoT Edge
-- Edge Agent
-- Edge Hub
-- MCC
-- Moby CLI
-- Moby engine
-
-To run the script, use the following commands:
-
-```bash
-sudo chmod +x uninstallmcc.sh
-sudo ./uninstallmcc.sh
-```
-
-## Appendix
-
-### Steps to obtain an Azure subscription ID
-
-
-[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]
-
-### Performance of MCC in virtual environments
-
-In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change the following two settings:
-
-1. Enable **SR-IOV** in the following three locations:
-
- - The BIOS of the MCC VM
- - The MCC VM's network card properties
- - The hypervisor for the MCC VM
-
- Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment.
-
-2. Enable "high performance" in the BIOS instead of energy savings. Microsoft has found this setting nearly doubled egress in a Microsoft Hyper-V deployment.
-
-### Grant other users access to manage your MCC
-
-More users can be given access to manage Microsoft Connected Cache, even if they don't have an Azure account. Once you've created the first cache node in the portal, you can add other users as **Owners** of the Microsoft Connected Cache resource group and the Microsoft Connected Cache resource.
-
-For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the *MCC resource* and *MCC resource group*.
+
diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml
index cda14c3e5e..34e5020572 100644
--- a/windows/deployment/do/waas-delivery-optimization-faq.yml
+++ b/windows/deployment/do/waas-delivery-optimization-faq.yml
@@ -113,8 +113,8 @@ sections:
For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed.
- question: My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization?
answer: |
- Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) (MCC) servers, which are hosted within Internet Service Provider (ISP) networks.
- The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible.
+ Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) servers, which are hosted within Internet Service Provider (ISP) networks.
+ The network of CDNs and Microsoft Connected Caches allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible.
- question: What is the recommended configuration for Delivery Optimization used with cloud proxies?
answer: |
The recommended configuration for Delivery Optimization peer-to-peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy.
@@ -131,8 +131,8 @@ sections:
Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots.
- question: Where does Delivery Optimization get content from first?
answer: |
- When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), the client connects to both MCC and peers in parallel. There is no prioritization between the two. Once downloading starts in parallel, Delivery Optimization
- will taper off requests to the HTTP source (CDN or MCC) when the peer connections are able to reach the target download speed. For background downloads, Delivery Optimization will drop HTTP connections if peers are meeting the minimum QoS speed. To manage delaying the default behavior
+ When Delivery Optimization client is configured to use peers and Microsoft Connected Cache, the client connects to both Connected Cache and peers in parallel. There is no prioritization between the two. Once downloading starts in parallel, Delivery Optimization
+ will taper off requests to the HTTP source (CDN or Connected Cache) when the peer connections are able to reach the target download speed. For background downloads, Delivery Optimization will drop HTTP connections if peers are meeting the minimum QoS speed. To manage delaying the default behavior
there are a collection of policies that can be used. For more information, see [Delivery Optimization delay policies](waas-delivery-optimization-reference.md#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources).
- question: Does Delivery Optimization use multicast?
answer: |
diff --git a/windows/deployment/do/waas-delivery-optimization-monitor.md b/windows/deployment/do/waas-delivery-optimization-monitor.md
index ed6710932b..c8330f0384 100644
--- a/windows/deployment/do/waas-delivery-optimization-monitor.md
+++ b/windows/deployment/do/waas-delivery-optimization-monitor.md
@@ -24,7 +24,7 @@ To monitor Delivery Optimization, you can use either the Windows Update for Busi
## Monitor with Windows Update for Business Delivery Optimization report
-Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days.
+Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache, HTTP source/CDN distribution over the past 28 days.
:::image type="content" source="../update/media/wufb-do-overview.png" alt-text="This screenshot shows the Windows Update for Business report, Delivery Optimization status in Update Compliance." lightbox= "../update/media/wufb-do-overview.png":::
@@ -49,7 +49,7 @@ For details, see [Windows Update for Business Delivery Optimization Report](/win
| BytesFromHTTP | Total number of bytes received over HTTP. This metric represents all HTTP sources, **which includes BytesFromCacheServer** |
| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but isn't uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
| Priority | Priority of the download; values are **foreground** or **background** |
-| BytesFromCacheServer | Total number of bytes received from cache server (MCC) |
+| BytesFromCacheServer | Total number of bytes received from cache server (Connected Cache) |
| BytesFromLanPeers | Total number of bytes received from peers found on the LAN |
| BytesFromGroupPeers | Total number of bytes received from peers found in the group. (Note: Group mode is LAN + Group. If peers are found on the LAN, those bytes are registered in 'BytesFromLANPeers'.) |
| BytesFromInternetPeers | Total number of bytes received from internet peers |
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index a8f8a4b517..59d11c87f8 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -96,19 +96,19 @@ More options available that control the impact Delivery Optimization has on your
#### Policies to prioritize the use of peer-to-peer and cache server sources
-When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to both MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fall back to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source, which is the default behavior.
+When Delivery Optimization client is configured to use peers and Microsoft Connected Cache, to achieve the best possible content delivery experience, the client connects to both Connected Cache and peers in parallel. If the desired content can't be obtained from Connected Cache or peers, Delivery Optimization will automatically fall back to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or Connected Cache sources by delaying the immediate fallback to HTTP source, which is the default behavior.
##### Peer-to-peer delay fallback settings
- [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.
-##### Microsoft Connected Cache (MCC) delay fallback settings
+##### Microsoft Connected Cache delay fallback settings
- [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use a cache server.
- [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use a cache server.
-**If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This setting allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server.
+**If both peer-to-peer and Connected Cache are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This setting allows Delivery Optimization to discover peers first then recognize the fallback setting for the Connected Cache cache server.
#### System resource usage
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index 735d4b1965..4d8f36f526 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -24,7 +24,7 @@ ms.date: 05/23/2024
Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is optional.
-To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization seamlessly falls back to the HTTP source to get the requested content.
+To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache, to achieve the best possible content delivery experience, the client connects to Connected Cache and peers in parallel. If the desired content can't be obtained from Connected Cache or peers, Delivery Optimization seamlessly falls back to the HTTP source to get the requested content.
You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Microsoft Intune/Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled).
@@ -47,7 +47,7 @@ The following table lists the minimum Windows 10 version that supports Delivery
#### Windows Client
-| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |
+| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache |
|------------------|---------------|----------------|----------|----------------|
| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows 10/11 UWP Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
@@ -66,14 +66,14 @@ The following table lists the minimum Windows 10 version that supports Delivery
#### Windows Server
-| Windows Server | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |
+| Windows Server | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache |
|----------------|--------------------------|----------------|----------|----------------|
| Windows Update | Windows Server 2019 (1809) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Edge Browser Updates | Windows Server 2019 (1809) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
#### Linux (Public Preview)
-| Linux ([Public Preview](https://github.com/microsoft/do-client)) | Linux versions | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |
+| Linux ([Public Preview](https://github.com/microsoft/do-client)) | Linux versions | HTTP Downloader | Peer to Peer | Microsoft Connected Cache |
|------------------------|----------------|-----------------|--------------|---------------|
| Device Update for IoT Hub | Ubuntu 18.04, 20.04 / Debian 9, 10 | :heavy_check_mark: | | :heavy_check_mark: |
> [!NOTE]
diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md
index a1cd9a0ca8..ac5b29ba36 100644
--- a/windows/deployment/do/waas-microsoft-connected-cache.md
+++ b/windows/deployment/do/waas-microsoft-connected-cache.md
@@ -1,6 +1,6 @@
---
title: Microsoft Connected Cache overview
-description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution.
+description: This article provides information about Microsoft Connected Cache, a software-only caching solution.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: overview
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 05/23/2024
+ms.date: 10/30/2024
---
# What is Microsoft Connected Cache?
@@ -24,7 +24,7 @@ ms.date: 05/23/2024
Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. Microsoft Connected Cache has two main offerings:
- Microsoft Connected Cache for Internet Service Providers
-- Microsoft Connected Cache for Enterprise and Education (early preview)
+- Microsoft Connected Cache for Enterprise and Education (preview)
Both products are created and managed in the cloud portal.
@@ -33,16 +33,16 @@ Both products are created and managed in the cloud portal.
> [!NOTE]
> Microsoft Connected Cache for Internet Service Providers is now in public preview. To onboard, follow the instructions in the [Operator sign up and service onboarding](mcc-isp-signup.md) article.
-Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. Learn more at [Microsoft Connected Cache for ISPs Overview](mcc-isp-overview.md).
+Microsoft Connected Cache for Internet Service Providers is currently in preview. Connected Cache can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, Connected Cache can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. Learn more at [Microsoft Connected Cache for ISPs Overview](mcc-isp-overview.md).
-## Microsoft Connected Cache for Enterprise and Education (early preview)
+## Microsoft Connected Cache for Enterprise and Education (preview)
> [!NOTE]
-> As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
+> Microsoft Connected Cache for Enterprise and Education is now in public preview. To get started, follow the instructions in the [Create Microsoft Connected Cache Azure resource and cache nodes](mcc-ent-create-resource-and-cache.md) article.
-Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. Learn more at [Microsoft Connected Cache for Enterprise and Education Overview](mcc-ent-edu-overview.md).
+Microsoft Connected Cache for Enterprise and Education is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. Connected Cache can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. Learn more at [Microsoft Connected Cache for Enterprise and Education Overview](mcc-ent-edu-overview.md).
-Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. For Microsoft Connected Cache in Configuration Manager (generally available starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache)
+Microsoft Connected Cache for Enterprise and Education (preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. For Microsoft Connected Cache in Configuration Manager (generally available starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache)
## Next steps
diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md
index 496d1240c1..607817cbf7 100644
--- a/windows/deployment/do/whats-new-do.md
+++ b/windows/deployment/do/whats-new-do.md
@@ -22,9 +22,9 @@ This article contains information about what's new in Delivery Optimization, a p
## Microsoft Connected Cache (early preview)
-Microsoft Connected Cache (MCC) is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
+Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content within Enterprise networks. Connected Cache can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
-For more information about MCC, see [Microsoft Connected Cache overview](waas-microsoft-connected-cache.md).
+For more information about Connected Cache, see [Microsoft Connected Cache overview](waas-microsoft-connected-cache.md).
There are two different versions:
@@ -39,12 +39,12 @@ There are two different versions:
- -HealthCheck: Provides an overall check of the device setup to ensure Delivery Optimization communication is possible on the device.
- -P2P: Provides output specific to P2P settings, efficiency, and errors.
-- -MCC: Provides output specific to MCC settings and verifies the client can access the cache server.
+- -MCC: Provides output specific to Connected Cache settings and verifies the client can access the cache server.
### Windows 11 22H2
- New setting: Customize VPN detection by choosing custom keywords. Now, you don't have to rely on Delivery Optimization keywords to detect your VPN. By using the new VpnKeywords setting, you can add keywords for Delivery Optimization to use to detect when a VPN is in use. You can find this configuration **[VPN Keywords](waas-delivery-optimization-reference.md#vpn-keywords)** in Group Policy or MDM under **DOVpnKeywords**.
-- New setting: Use the disallow downloads from a connected cache server, when a VPN is detected and you want to prevent the download from the connected cache server. You can find this configuration **[Disallow download from MCC over VPN](waas-delivery-optimization-reference.md#disallow-cache-server-downloads-on-vpn)** in Group Policy or MDM under **DODisallowCacheServerDownloadsOnVPN**.
+- New setting: Use the disallow downloads from a connected cache server, when a VPN is detected and you want to prevent the download from the connected cache server. You can find this configuration **[Disallow download from Connected Cache over VPN](waas-delivery-optimization-reference.md#disallow-cache-server-downloads-on-vpn)** in Group Policy or MDM under **DODisallowCacheServerDownloadsOnVPN**.
- Delivery Optimization introduced support for receiver side ledbat (rLEDBAT).
- New setting: Local Peer Discovery, a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** in Group Policy or MDM **DORestrictPeerSelectionBy**. This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization restricts peer selection to peers that are locally discovered (using DNS-SD).
diff --git a/windows/deployment/images/mcc-ent-cache-node-summary.png b/windows/deployment/images/mcc-ent-cache-node-summary.png
new file mode 100644
index 0000000000..596b382728
Binary files /dev/null and b/windows/deployment/images/mcc-ent-cache-node-summary.png differ
diff --git a/windows/deployment/images/mcc-ent-key-metric-charts.png b/windows/deployment/images/mcc-ent-key-metric-charts.png
new file mode 100644
index 0000000000..b1d05e6103
Binary files /dev/null and b/windows/deployment/images/mcc-ent-key-metric-charts.png differ
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index 2038eeeae2..1385906e3f 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -15,7 +15,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
- ms.date: 08/27/2024
+ ms.date: 11/05/2024
ms.localizationpriority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -34,6 +34,8 @@ landingContent:
url: volume-activation/plan-for-volume-activation-client.md
- text: Windows compatibility cookbook
url: /windows/compatibility/
+ - text: Cloud-native Windows
+ url: /mem/solutions/cloud-native-endpoints/cloud-native-endpoints-overview
- title: Prepare
linkLists:
diff --git a/windows/deployment/update/images/waas-active-hours.png b/windows/deployment/update/images/waas-active-hours.png
deleted file mode 100644
index c262c302ed..0000000000
Binary files a/windows/deployment/update/images/waas-active-hours.png and /dev/null differ
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 8cf6fab2bd..cc988cacb3 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Windows Server
-ms.date: 10/15/2024
+ms.date: 11/06/2024
---
# Update Windows installation media with Dynamic Update
@@ -121,7 +121,7 @@ Optional Components, along with the .NET feature, can be installed offline, howe
### Checkpoint cumulative updates
-Starting with Windows 11, version 24H2, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates will be available from the download button. In addition, the knowledge base article for the cumulative update will provide additional information.
+Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates will be available from the download button. In addition, the knowledge base article for the cumulative update will provide additional information.
To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` will be used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23.
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
index 50b404df35..0e1a4c7d47 100644
--- a/windows/deployment/update/update-policies.md
+++ b/windows/deployment/update/update-policies.md
@@ -8,7 +8,7 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
-appliesto:
+appliesto:
- ✅ Windows 11
- ✅ Windows 10
ms.date: 12/31/2017
@@ -16,7 +16,7 @@ ms.date: 12/31/2017
# Policies for update compliance, activity, and user experience
-Keeping devices up to date is the best way to keep them working smoothly and securely.
+Keeping devices up to date is the best way to keep them working smoothly and securely.
## Deadlines for update compliance
@@ -94,7 +94,7 @@ options must be **Disabled** in order to take advantage of intelligent active ho
If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update
velocity:
-- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following polices to **Disabled**:
+- [Delay automatic reboot](waas-restart.md#delay-automatic-restart). While it's possible to set the system to delay restarts for users who are logged in, this setting might delay an update indefinitely if a user is always either logged in or shut down. Instead, we recommend setting the following polices to **Disabled**:
- **Turn off auto-restart during active hours**
- **No auto-restart with logged on users for scheduled automatic updates**
@@ -110,7 +110,7 @@ updates will occur, so we recommend that you set this policy to **Disabled**, to
- [Update/EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-csp-update#update-engagedrestarttransitionschedule)
- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you're using Microsoft Intune, setting the value to [Reset to Default](/mem/intune/protect/windows-update-settings#user-experience-settings).
-- **Allow auto Windows Update to download over metered networks**. Since more devices primarily use cellular data and don't have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting doesn't allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they're connected to the internet or not, provided they have cellular service.
+- **Allow auto Windows Update to download over metered networks**. Since more devices primarily use cellular data and don't have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting doesn't allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they're connected to the internet or not, provided they have cellular service.
> [!IMPORTANT]
> Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies:
@@ -119,7 +119,7 @@ this value to **10**.
>- [Schedule update installation](waas-restart.md#schedule-update-installation). In the **Configure Automatic Updates** settings, there are two ways to control a forced restart after a specified installation time. If you use **schedule update installation**, do not enable both settings because they will most likely conflict.
> - **Specify automatic maintenance time**. This setting lets you set broader maintenance windows for updates and ensures that this schedule does not conflict with active hours. We
recommend setting this value to **3** (corresponding to 3 AM). If 3:00 AM is in the middle of the work shift, pick another time that is at least a couple hours before your scheduled work time begins.
-> - **Schedule the install time**. This setting allows you to schedule an installation time for a restart. We do *not* recommend you set this to **Disabled** as it could conflict with active hours.
+> - **Schedule the install time**. This setting allows you to schedule an installation time for a restart. We do *not* recommend you set this to **Disabled** as it could conflict with active hours.
### Power policies
@@ -166,7 +166,7 @@ The default timeout on devices that support traditional sleep is set to three ho
## Old or conflicting policies
-Each release of Windows client can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions.
+Each release of Windows client can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions.
> [!IMPORTANT]
> If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are
@@ -174,7 +174,7 @@ Each release of Windows client can introduce new policies to make the experience
As administrators, you have set up and expect certain behaviors, so we expressly don't remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected.
-> [!IMPORTANT]
+> [!IMPORTANT]
> We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up:
> - Windows updates: Group Policy settings take precedence over MDM.
> - Microsoft Intune: If you set different values for the same policy on two different groups, you will
@@ -194,4 +194,4 @@ Updates** rather than setting a deferral policy. You can choose a longer period
- **Pause Quality Updates Start Time**. Set to **Disabled** unless there's a known issue requiring time for a resolution.
- **Deadline No Auto Reboot**. Default is **Disabled - Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart.
-There are also additional policies are no longer supported or have been superseded.
+There are also additional policies that are no longer supported or have been superseded.
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 46c69eb5b6..5b4b486236 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -1,6 +1,6 @@
---
title: Manage device restarts after updates
-description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows update is installed.
+description: Use group policy settings, mobile device management (MDM), or registry to configure when devices will restart after a Windows update is installed.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
@@ -14,38 +14,42 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 10/04/2024
+ms.date: 10/25/2024
---
# Manage device restarts after updates
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2)
-You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts won't occur, or you can do both.
+You can use group policy settings, mobile device management (MDM), or the Windows registry to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts shouldn't occur, or you can do both.
+
+> [!NOTE]
+> Directly editing the Windows registry isn't recommended.
## Schedule update installation
-In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
+In group policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time.
-To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation occurs during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
+To set the time, go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then use **Scheduled install time** to enter a time. Alternatively, you can specify that installation occurs during the automatic maintenance time. To configure this alternative method, use **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**.
-**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
+The setting to **Always automatically restart at the scheduled time** forces a restart after the specified installation time. It lets you configure a timer to warn a signed-in user that a restart is going to occur.
-While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur.
+While not recommended, you can achieve the same result with the Windows registry. Under `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU`, set `AuOptions` to `4` and set the install time with `ScheduledInstallTime`. Enable `AlwaysAutoRebootAtScheduledTime` and specify the delay in minutes through `AlwaysAutoRebootAtScheduledTimeMinutes`. Similar to group policy, `AlwaysAutoRebootAtScheduledTimeMinutes` sets the timer to warn a signed-in user that a restart is going to occur.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
-## Delay automatic reboot
+## Delay automatic restart
-When **Configure Automatic Updates** is enabled in Group Policy, you can also enable one of the following policies to delay an automatic reboot after update installation:
+When you enable **Configure Automatic Updates** in group policy, you can also enable one of the following policies to delay an automatic restart after update installation:
- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
-- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device restarts at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
+
+- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device restarts at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4 - Auto download and schedule the install**.
> [!NOTE]
-> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted.
+> When using Remote Desktop Protocol (RDP) connections, only active RDP sessions are considered signed-in users. Devices that don't have locally signed-in users, or active RDP sessions, are restarted.
-You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it overrides this setting.
+You can also use the Windows registry, to prevent automatic restarts when a user is signed in. Under `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU`, set `AuOptions` to `4` and enable `NoAutoRebootWithLoggedOnUsers`. As with group policy, if a user schedules the restart in the update notification, it overrides this setting.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
@@ -53,166 +57,177 @@ For a detailed description of these registry keys, see [Registry keys used to ma
*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update occur outside of the active hours.
-By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
+By default, active hours are from 8 AM to 5 PM on PCs. Users can manually change the active hours.
-Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range is counted from the active hours start time.
+You can also specify the max active hours range. The specified range is counted from the active hours start time.
-Administrators can use multiple ways to set active hours for managed devices:
+### Configure active hours with group policy
-- You can use Group Policy, as described in the procedure that follows.
-- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm).
-- While not recommended, you can also configure active hours, as described in [Configuring active hours through Registry](#configuring-active-hours-through-registry).
+To configure active hours using group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
-### Configuring active hours with Group Policy
+:::image type="content" source="images/waas-active-hours-policy.png" alt-text="A screenshot of the group policy setting to 'Turn off auto-restart for updates during active hours' set to Enabled and the default active hours specified." lightbox="images/waas-active-hours-policy.png":::
-To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
+### Configure active hours with MDM
-
+To configure active hours, MDM uses the following settings in the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update):
-### Configuring active hours with MDM
+- [ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#activehoursstart)
+- [ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#activehoursend)
+- [ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#activehoursmaxrange)
-MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#Update_ActiveHoursEnd) and [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) to configure active hours.
+### Configure active hours through the Windows registry
-### Configuring active hours through Registry
-
-This method isn't recommended, and should only be used when you can't use Group Policy or MDM.
-Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
+This method isn't recommended, and should only be used when you can't use group policy or MDM. Any settings configured through the registry might conflict with any existing configuration that uses any of the other methods.
Configure active hours by setting a combination of the following registry values:
-Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart** and **ActiveHoursEnd** to specify the range of active hours.
+Under `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate` use `SetActiveHours` to enable or disable active hours and `ActiveHoursStart` and `ActiveHoursEnd` to specify the range of active hours.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
->[!NOTE]
->To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
->
->
+> [!TIP]
+> To manually configure active hours on a device, go to **Settings** > **Windows Update** > **Advanced options** and select **Active hours**.
-### Configuring active hours max range
+### Configure active hours maximum range
-With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time.
+You can specify the maximum active hours range that users can set. This option gives you flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updates to install. The maximum range is calculated from the active hours start time.
-To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**.
+To configure the maximum range for active hours through group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the setting to **Specify active hours range for auto-restarts**.
-To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange).
+To configure the maximum range for active hours through MDM, use [ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#activehoursmaxrange).
## Limit restart delays
-After an update is installed, Windows attempts automatic restart outside of active hours. If the restart doesn't succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between 2 and 14.
+After Windows installs an update, it attempts to automatically restart outside of active hours. If the restart doesn't succeed after a default period of seven days, the user sees a notification that a restart is required. To change the delay, use the setting to **Specify deadline before auto-restart for update installation**. The minimum value is two days and the maximum value is two weeks (14 days).
## Control restart notifications
### Display options for update notifications
-Starting in Windows 10 version 1809, you can define which Windows Update notifications are displayed to the user. This policy doesn't control how and when updates are downloaded and installed. You can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
+You can define which Windows Update notifications are displayed to the user. This policy doesn't control how and when updates are downloaded and installed.
-**0** (default) - Use the default Windows Update notifications
-**1** - Turn off all notifications, excluding restart warnings
-**2** - Turn off all notifications, including restart warnings
+To configure this behavior through group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the policy for **Display options for update notifications**. Configure the following values:
-To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-configuration-service-provider#update-updatenotificationlevel).
+- `0` (default): Use the default Windows Update notifications.
+- `1`: Turn off most notifications but keep restart warnings.
+- `2`: Turn off all notifications including restart warnings.
-Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured.
+To configure this behavior through MDM, use [UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#updatenotificationlevel).
-To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours).
+Starting in Windows 11, version 22H2, **Apply only during active hours** was added as another option for **Display options for update notifications**. When you select **Apply only during active hours**, the notifications are only disabled during active hours when you use options `1` or `2`. To ensure that the device stays updated, a notification is still shown during active hours if you select **Apply only during active hours**, and once a deadline is reached when you configure [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md).
-### Auto restart notifications
+To configure this behavior through MDM, use [UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#updatenotificationlevel).
-Administrators can override the default behavior for the auto restart required notification. By default, this notification dismisses automatically. This setting was added in Windows 10, version 1703.
+### Automatic restart notifications
-To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
+You can override the default behavior for the automatic restart required notification. By default, this notification dismisses automatically.
-To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](/windows/client-management/mdm/policy-configuration-service-provider#update-AutoRestartRequiredNotificationDismissal)
+- To configure this behavior through group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the policy to **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
-You can also configure the period prior to an update that this notification shows up. The default value is 15 minutes.
+- To configure this behavior through MDM, use [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-csp-update#autorestartrequirednotificationdismissal).
-To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
+You can also configure the period before an update that this notification shows up. The default value is 15 minutes.
-To change it through MDM, use [**Update/AutoRestartNotificationSchedule**](/windows/client-management/mdm/policy-configuration-service-provider#update-AutoRestartNotificationSchedule).
+- To change it through group policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
+- To change it through MDM, use [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-csp-update#autorestartnotificationschedule).
In some cases, you don't need a notification to show up.
-To do so through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Turn off auto-restart notifications for update installations**.
+- To do so through group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the setting to **Turn off auto-restart notifications for update installations**.
-To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable).
+- To do so through MDM, use [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-csp-update#setautorestartnotificationdisable).
-### Scheduled auto restart warnings
+### Scheduled automatic restart warnings
-Since users aren't able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled restart. You can also configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
+Since users aren't able to postpone a scheduled restart once the deadline is reached, you can configure a warning reminder before the scheduled restart. You can also configure a warning before the restart, to notify users once the restart is imminent and allow them to save their work.
-To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto restart can be configured by **Warning (mins)**.
+To configure both through group policy, find the setting to **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning before an imminent automatic restart can be configured by **Warning (mins)**.
-In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleRestartWarning) and the auto restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](/windows/client-management/mdm/policy-configuration-service-provider#update-ScheduleImminentRestartWarning).
+In MDM, to configure the warning reminder, use [ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#schedulerestartwarning). To configure the automatic restart imminent warning, use [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#scheduleimminentrestartwarning).
### Engaged restart
-Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows auto-restarts outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts.
+Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows auto-restarts outside of working hours. Once the default seven day period ends, Windows transitions to user scheduled restarts.
-The following settings can be adjusted for engaged restart:
-* Period of time before auto restart transitions to engaged restart.
-* The number of days that users can snooze engaged restart reminder notifications.
-* The number of days before a pending restart automatically executes outside of working hours.
+You can adjust the following settings for engaged restart:
-In Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and pick **Specify Engaged restart transition and notification schedule for updates**.
+- Period of time before automatic restart transitions to engaged restart.
-In MDM, use [**Update/EngagedRestartTransitionSchedule**](/windows/client-management/mdm/policy-configuration-service-provider#update-EngagedRestartTransitionSchedule), [**Update/EngagedRestartSnoozeSchedule**](/windows/client-management/mdm/policy-configuration-service-provider#update-EngagedRestartSnoozeSchedule) and [**Update/EngagedRestartDeadline**](/windows/client-management/mdm/policy-configuration-service-provider#update-EngagedRestartDeadline) respectively.
+- The number of days that users can snooze engaged restart reminder notifications.
-## Group Policy settings for restart
+- The number of days before a pending restart automatically executes outside of working hours.
-In the Group Policy editor, you'll see policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
+In group policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and use the setting to **Specify engaged restart transition and notification schedule for updates**.
+
+In MDM, use the following policies:
+
+- [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-csp-update#engagedrestarttransitionschedule)
+- [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-csp-update#engagedrestartsnoozeschedule)
+- [EngagedRestartDeadline](/windows/client-management/mdm/policy-csp-update#engagedrestartdeadline)
+
+## Group policy settings for restart
+
+In the group policy editor, the policy settings for restart behavior are in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
| Policy | Applies to Windows 10 | Notes |
| --- | --- | --- |
-| Turn off auto-restart for updates during active hours | Yes | Use this policy to configure active hours, during which the device won't be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
+| Turn off auto-restart for updates during active hours | Yes | Use this policy to configure active hours, during which the device won't restart. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| Always automatically restart at the scheduled time | Yes | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
| Specify deadline before auto-restart for update installation | Yes | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
-| No auto-restart with logged on users for scheduled automatic updates installations | Yes | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
+| No auto-restart with logged on users for scheduled automatic updates installations | Yes | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when you configure the policy to **Configure Automatic Updates** to schedule the installation. |
| Re-prompt for restart with scheduled installations | No | |
| Delay Restart for scheduled installations | No | |
| Reschedule Automatic Updates scheduled installations | No | |
-
->[!NOTE]
->You can only choose one path for restart behavior.
->If you set conflicting restart policies, the actual restart behavior may not be what you expected.
->When using RDP, only active RDP sessions are considered as logged on users.
-
+> [!NOTE]
+>
+> - You can only choose one path for restart behavior.
+> - If you set conflicting restart policies, the actual restart behavior may not be what you expected.
+> - When using RDP, only active RDP sessions are considered as signed-in users.
## Registry keys used to manage restart
-The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10.
-**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
+The following tables list registry values that correspond to the group policy settings for controlling restarts after updates in Windows 10.
-| Registry key | Key type | Value |
-| --- | --- | --- |
-| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour starts with 12 AM (0) and ends with 11 PM (23) |
-| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour starts with 12 AM (0) and ends with 11 PM (23) |
-| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours1: enable automatic restart after updates outside of active hours |
-
-**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
+### `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate`
| Registry key | Key type | Value |
| --- | --- | --- |
-| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time1: enable automatic reboot after update installation at a scheduled time |
-| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
-| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates3: automatically download and notify for installation of updates4: Automatically download and schedule installation of updates5: allow the local admin to configure these settings**Note:** To configure restart behavior, set this value to **4** |
-| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable don't reboot if users are logged on1: don't reboot after an update installation if a user is logged on**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
-| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour starts with 12 AM (0) and ends with 11 PM (23) |
+| `ActiveHoursEnd` | `REG_DWORD` | `0-23`: Set active hours to end at a specific hour. It starts with 12 AM (`0`) and ends with 11 PM (`23`). |
+| `ActiveHoursStart` | `REG_DWORD` | `0-23`: Set active hours to start at a specific hour. It starts with 12 AM (`0`) and ends with 11 PM (`23`.) |
+| `SetActiveHours` | `REG_DWORD` | `0`: Disable automatic restart after updates outside of active hours. `1`: Enable automatic restart after updates outside of active hours. |
+
+### `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU`
+
+| Registry key | Key type | Value |
+| --- | --- | --- |
+| `AlwaysAutoRebootAtScheduledTime` | `REG_DWORD` | `0`: Disable automatic restart after update installation at the scheduled time. `1`: Enable automatic restart after update installation at a scheduled time. |
+| `AlwaysAutoRebootAtScheduledTimeMinutes` | `REG_DWORD` | `15-180`: Set automatic restart to occur after the specified number of minutes. |
+| `AUOptions` | `REG_DWORD` | `2`: Notify for download and notify for installation of updates. `3`: Automatically download and notify for installation of updates. `4`: Automatically download and schedule installation of updates. `5`: Allow the local administrator to configure these settings. **Note:** To configure restart behavior, set this value to `4`. |
+| `NoAutoRebootWithLoggedOnUsers` | `REG_DWORD` | `0`: If users are signed in, automatically restart ("disable don't reboot"). `1`: If a user is signed in, don't restart after an update installation. **Note:** If disabled (`0`), Automatic Updates notifies the user that the computer is scheduled to automatically restart in five minutes to complete the installation. |
+| `ScheduledInstallTime` | `REG_DWORD` | `0-23`: Schedule update installation time to a specific hour. It starts with 12 AM (`0`) and ends with 11 PM (`23`). |
There are three different registry combinations for controlling restart behavior:
-- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range.
-- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, and **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
-- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
+- To set active hours:
+ - `SetActiveHours` should be `1`.
+ - Then to define the time range, use `ActiveHoursStart` and `ActiveHoursEnd`.
+
+- To schedule a specific installation and restart time:
+ - `AUOptions` should be `4`.
+ - `ScheduledInstallTime` should specify the installation time.
+ - Set `AlwaysAutoRebootAtScheduledTime` to `1`.
+ - `AlwaysAutoRebootAtScheduledTimeMinutes` should specify the number of minutes to wait before restarting.
+
+- To delay restarting if a user is signed in:
+ - `AUOptions` should be `4`.
+ - Set `NoAutoRebootWithLoggedOnUsers` to `1`.
## More resources
- [Overview of Windows as a service](waas-overview.md)
- [Configure Delivery Optimization for Windows updates](../do/waas-delivery-optimization.md)
-- [Configure BranchCache for Windows updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Manage Windows 10 and Windows 11 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure)
+- [Walkthrough: use group policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+- [Manage Windows software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index 0a90bb71ad..e574086aa8 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -37,7 +37,7 @@ With a current version, it's best to use the new policy introduced in June 2019
| Policy | Location | Quality updates deadline in days | Quality updates grace period in days | Feature updates deadline in days | Feature updates grace period in days |
|-|-|-|-|-|-|
-| Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 2 | 2 | 7 |
+| Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 2 | 3 | 2 | 3 |
When **Specify deadlines for automatic updates and restarts** is set:
@@ -60,7 +60,7 @@ The grace period for both quality and feature updates starts its countdown from
|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
|-|-|-|-|-|
-|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 2 | 7 | 2 |
+|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 2 | 2 | 3 |
When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and later):
diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md
index c38fa013ab..04291e8ef2 100644
--- a/windows/deployment/update/wufb-reports-do.md
+++ b/windows/deployment/update/wufb-reports-do.md
@@ -42,12 +42,12 @@ Windows Update for Business reports uses the following Delivery Optimization ter
- HTTP Only (0)
- Simple Mode (99)
- Bypass (100), deprecated in Windows 11
-- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache (MCC) out of the total amount of data downloaded.
+- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache) out of the total amount of data downloaded.
- If bandwidth savings are <= 60%, a *Warning* icon is displayed
- When bandwidth savings are <10%, an *Error* icon is displayed.
- **Configurations**: Based on the DownloadMode configuration set via MDM, Group Policy, or end-user via the user interface.
- **P2P Device Count**: The device count is the number of devices configured to use peering.
-- **Microsoft Connected Cache (MCC)**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md).
+- **Microsoft Connected Cache**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md).
- **MCC Device Count**: The device count is the number of devices that have received bytes from the cache server, for supported content types.
- **Total # of Devices**: The total number of devices with activity in last 28 days.
- **LAN Bytes**: Bytes delivered from LAN peers.
@@ -68,7 +68,7 @@ The calculated values used in the Delivery Optimization report are listed below.
- [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table
- % P2P Efficiency = 100 * (BytesFromPeers + BytesFromGroupPeers) / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
-- % MCC Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
+- % Connected Cache Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache)
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
**Bytes Calculations**:
@@ -88,7 +88,7 @@ The calculated values used in the Delivery Optimization report are listed below.
- Volume by P2P = BytesFromPeers + BytesFromGroupPeers
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
-- Volume by MCC = BytesFromCache
+- Volume by Connected Cache = BytesFromCache
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
- Volume by CDN = BytesFrom CDN
- [UCDOStatus](wufb-reports-schema-ucdostatus.md) table
@@ -150,7 +150,7 @@ DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount
### Delivery Optimization Supported Content Types
-There are many Microsoft [content types](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization) that are supported by Delivery Optimization. All of these content types show up in the 'Content Distribution' section in the Delivery Optimization report. See the [complete table](waas-delivery-optimization.md#windows-client) for P2P/MCC support types.
+There are many Microsoft [content types](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization) that are supported by Delivery Optimization. All of these content types show up in the 'Content Distribution' section in the Delivery Optimization report. See the [complete table](waas-delivery-optimization.md#windows-client) for P2P/Connected Cache support types.
| Content Category | Content Types Included |
| --- | --- |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
index 834c5a0b29..54de3d5647 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
@@ -27,7 +27,7 @@ UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records acro
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
-| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
+| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache. |
| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. |
| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
index f6ff2a21b3..ede39f076e 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdostatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
@@ -1,7 +1,7 @@
---
title: UCDOStatus data schema
titleSuffix: Windows Update for Business reports
-description: UCDOStatus schema for Windows Update for Business reports. UCDOStatus provides information, for a single device, on its DO and MCC bandwidth utilization.
+description: UCDOStatus schema for Windows Update for Business reports. UCDOStatus provides information, for a single device, on its DO and Microsoft Connected Cache bandwidth utilization.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: reference
@@ -27,7 +27,7 @@ UCDOStatus provides information, for a single device, on its bandwidth utilizati
| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
| **BWOptPercent7Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.|
-| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
+| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache. |
| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. |
| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. |
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md
index 3d76c81910..cefc7b717e 100644
--- a/windows/deployment/update/wufb-reports-workbook.md
+++ b/windows/deployment/update/wufb-reports-workbook.md
@@ -180,8 +180,8 @@ The **Delivery Optimization** tab provides a summarized view of bandwidth effici
At the top of the report, tiles display the following information:
- Total bandwidth savings percentage
-- The percentage of the saved bandwidth broken down by peer-to-peer and MCC
-- Device counts showing percentages of bytes delivered between peer-to-peer and MCC
+- The percentage of the saved bandwidth broken down by peer-to-peer and Microsoft Connected Cache
+- Device counts showing percentages of bytes delivered between peer-to-peer and Connected Cache
- The breakdown of total downloaded GBs.
The Delivery Optimization tab is further divided into the following groups:
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index b65c4701ea..fb561d216a 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -1,7 +1,7 @@
---
title: Device registration overview
description: This article provides an overview on how to register devices in Autopatch.
-ms.date: 09/16/2024
+ms.date: 10/30/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: concept-article
@@ -32,7 +32,7 @@ A role defines the set of permissions granted to users assigned to that role. Yo
To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites. For more information, see [Windows Autopatch prerequisites](../prepare/windows-autopatch-prerequisites.md).
> [!IMPORTANT]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
The Windows Autopatch device registration process is transparent for end-users because it doesn't require devices to be reset.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
index cd90f48781..3d2d33db5d 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
@@ -1,7 +1,7 @@
---
title: Windows feature updates overview
description: This article explains how Windows feature updates are managed
-ms.date: 09/16/2024
+ms.date: 10/30/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@@ -21,6 +21,9 @@ ms.collection:
Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. These policies provide tools to allow version targeting, phased releases, and even Windows 10 to Windows 11 update options. For more information about how to configure feature update profiles, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates).
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+
## Multi-phase feature update
Multi-phase feature update allows you to create customizable feature update deployments using multiple phases for your [existing Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md). These phased releases can be tailored to meet your organizational unique needs.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md
index 8e56b5f267..90528e17a2 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md
@@ -1,7 +1,7 @@
---
title: Windows quality update end user experience
description: This article explains the Windows quality update end user experience
-ms.date: 10/07/2024
+ms.date: 11/04/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: conceptual
@@ -67,6 +67,11 @@ In the following example:
:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png":::
+> [!TIP]
+> For optimal end-user experience, the recommeded settings are 2-day Deadline and 3-day Grace Period for update deployments.
+
## Minimize user disruption due to updates
-Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. By default, [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) are configured dynamically based on device usage patterns. Device restarts occur outside of active hours until the deadline is reached.
+Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. By default, [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) are configured dynamically based on device usage patterns. Device restarts occur outside of active hours until the deadline is reached.
+
+Windows Autopatch doesn't modify the existing Windows Update notifications. If you wish to modify the end-user update notification experience, see [Use CSPs and MDMs to configure Windows Update for Business](/windows/deployment/update/waas-wufb-csp-mdm).
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
index 942d898c05..656f94452c 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
---
title: Windows quality updates overview
description: This article explains how Windows quality updates are managed
-ms.date: 09/16/2024
+ms.date: 10/30/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: conceptual
@@ -54,7 +54,7 @@ The service level objective for each of these states is calculated as:
> Targeted deployment ring refers to the deployment ring value of the device in question. If a device has a five day deferral with a two day deadline, and two day grace period, the SLO for the device would be calculated to `5 + 2 + 5 = 12`-day service level objective from the second Tuesday of the month. The five day reporting period is one established by Windows Autopatch to allow enough time for device check-in reporting and data evaluation within the service.
> [!IMPORTANT]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
## Out of Band releases
@@ -62,11 +62,11 @@ The service level objective for each of these states is calculated as:
Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.
-For the deployment rings that pass quality updates deferral date, the OOB release schedule is expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs are released as per the set deferral dates.
+For the deployment rings that pass quality updates deferral date, the OOB release schedule is expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs are released as per the specified deferral dates.
## Pause and resume a release
-The service-level pause is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
+The service-level pause is driven by the various software update deployment-related signals. Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
If Windows Autopatch detects a significant issue with a release, we might decide to pause that release.
@@ -81,10 +81,8 @@ If Windows Autopatch detects a significant issue with a release, we might decide
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** from the left navigation menu.
1. Under the **Manage updates** section, select **Windows updates**.
-1. In the **Windows updates** blade, select the **Quality updates** tab.
-1. Select the Autopatch group or deployment ring that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group or deployment ring you want to pause or resume. Select, **Pause, or **Resume** from the dropdown menu.
-1. Optional. Enter the justification about why you're pausing or resuming the selected update.
-1. Optional. Select **This pause is related to Windows Update**. When you select this checkbox, you must provide information about how the pause is related to Windows Update.
+1. In the **Windows updates** blade, select the **Update rings** tab.
+1. Select the Autopatch group or deployment ring that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group or deployment ring you want to pause or resume. Select, **Pause**, or **Resume** from the dropdown menu.
1. If you're resuming an update, you can select one or more Autopatch groups or deployment rings.
1. Select **Pause or Resume deployment**.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 74379f93b0..5e7b3411e6 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
---
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 09/27/2024
+ms.date: 10/30/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: concept-article
@@ -135,12 +135,15 @@ For more information about feature entitlement, see [Features and capabilities](
The following Windows 10/11 editions, build version, and architecture are supported when [devices are registered with Windows Autopatch](../deploy/windows-autopatch-register-devices.md):
- Windows 11 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
+- Windows 11 IoT Enterprise edition
- Windows 10 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
+- Windows 10 IoT Enterprise edition
Windows Autopatch service supports Windows client devices on the **General Availability Channel**.
-> [!NOTE]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
## Configuration Manager co-management requirements
diff --git a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md
index 561da483b6..a778ffc2fb 100644
--- a/windows/security/application-security/application-control/app-control-for-business/appcontrol.md
+++ b/windows/security/application-security/application-control/app-control-for-business/appcontrol.md
@@ -4,7 +4,7 @@ description: Application Control restricts which applications users are allowed
ms.localizationpriority: medium
ms.collection:
- tier3
-ms.date: 09/11/2024
+ms.date: 10/25/2024
ms.topic: overview
---
@@ -30,9 +30,9 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
## App Control and Smart App Control
-Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on App Control, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).
+Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on App Control. App control enables enterprise customers to create a policy that offers the same security and compatibility as Smart App Control with the capability to customize policies to run line-of-business (LOB) apps. To make it easier to implement policy, an [example policy](design/example-appcontrol-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** option that isn't supported for App Control enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example App Control base policy](design/create-appcontrol-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-app-control-base-policy).
-Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must either restart the device or use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect.
+Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first. To turn off Smart App Control across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` as shown in the following table. After you change the registry value, you must use [CiTool.exe -r](operations/citool-commands.md#refresh-the-app-control-policies-on-the-system) for the change to take effect.
| Value | Description |
|-------|-------------|
@@ -43,15 +43,6 @@ Smart App Control is only available on clean installation of Windows 11 version
> [!IMPORTANT]
> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
-### Smart App Control Enforced Blocks
-
-Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-appcontrol.md), with a few exceptions for compatibility considerations. The following aren't blocked by Smart App Control:
-
-- Infdefaultinstall.exe
-- Microsoft.Build.dll
-- Microsoft.Build.Framework.dll
-- Wslhost.dll
-
[!INCLUDE [windows-defender-application-control-wdac](../../../../../includes/licensing/windows-defender-application-control-wdac.md)]
## Related articles
diff --git a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md
index 8de7b6d981..2d47be74a6 100644
--- a/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md
+++ b/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script.md
@@ -22,7 +22,7 @@ You should now have one or more App Control policies converted into binary form.
## Deploying policies for Windows 11 22H2 and above, and Windows Server 2025 and above
-You can use the inbox [CiTool](../operations/citool-commands.md) to deploy signed and unsigned policies on Windows 11 22H2 and Windows Server 2025 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your App Control policy binary file.
+You can use the inbox [CiTool](../operations/citool-commands.md) to deploy signed and unsigned policies on Windows 11 22H2 and Windows Server 2025 with the following commands. Be sure to replace `` in the following example with the actual path to your App Control policy binary file.
```powershell
# Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = from the Policy XML)
@@ -82,7 +82,7 @@ Use WMI to deploy policies on all other versions of Windows and Windows Server.
## Deploying signed policies
-If you're using [signed App Control policies](use-signed-policies-to-protect-appcontrol-against-tampering.md), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned App Control policies don't need to be present in the EFI partition.
+If you're using [signed App Control policies](use-signed-policies-to-protect-appcontrol-against-tampering.md), the policies must be deployed into your device's EFI partition.
1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt:
diff --git a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
index 8c81845b7b..68d64ea7fe 100644
--- a/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
+++ b/windows/security/application-security/application-control/user-account-control/settings-and-configuration.md
@@ -96,6 +96,7 @@ The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\Cur
| Run all administrators in Admin Approval Mode | `EnableLUA` | 0 = Disabled 1 (Default) = Enabled |
| Switch to the secure desktop when prompting for elevation| `PromptOnSecureDesktop` | 0 = Disabled 1 (Default) = Enabled |
| Virtualize file and registry write failures to per-user locations | `EnableVirtualization` | 0 = Disabled 1 (Default) = Enabled |
+| Prioritise network logons over cached logons | `InteractiveLogonFirst` | 0 (Default) = Disabled 1 = Enabled |
[WIN-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index b2eefb6943..b7d4db82be 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -137,6 +137,7 @@
"application-security/application-control/user-account-control/**/*.md": [
"✅ Windows 11 ",
"✅ Windows 10 ",
+ "✅ Windows Server 2025 ",
"✅ Windows Server 2022 ",
"✅ Windows Server 2019 ",
"✅ Windows Server 2016 "
@@ -172,6 +173,7 @@
"identity-protection/credential-guard/**/*.md": [
"✅ Windows 11 ",
"✅ Windows 10 ",
+ "✅ Windows Server 2025 ",
"✅ Windows Server 2022 ",
"✅ Windows Server 2019 ",
"✅ Windows Server 2016 "
@@ -179,6 +181,7 @@
"identity-protection/smart-cards/**/*.md": [
"✅ Windows 11 ",
"✅ Windows 10 ",
+ "✅ Windows Server 2025 ",
"✅ Windows Server 2022 ",
"✅ Windows Server 2019 ",
"✅ Windows Server 2016 "
@@ -186,6 +189,7 @@
"identity-protection/virtual-smart-cards/**/*.md": [
"✅ Windows 11 ",
"✅ Windows 10 ",
+ "✅ Windows Server 2025 ",
"✅ Windows Server 2022 ",
"✅ Windows Server 2019 ",
"✅ Windows Server 2016 "
@@ -197,6 +201,7 @@
"operating-system-security/data-protection/**/*.md": [
"✅ Windows 11 ",
"✅ Windows 10 ",
+ "✅ Windows Server 2025 ",
"✅ Windows Server 2022 ",
"✅ Windows Server 2019 ",
"✅ Windows Server 2016 "
@@ -204,6 +209,7 @@
"operating-system-security/data-protection/**/*.yml": [
"✅ Windows 11 ",
"✅ Windows 10 ",
+ "✅ Windows Server 2025 ",
"✅ Windows Server 2022 ",
"✅ Windows Server 2019 ",
"✅ Windows Server 2016 "
@@ -224,6 +230,7 @@
"operating-system-security/network-security/windows-firewall/**/*.md": [
"✅ Windows 11 ",
"✅ Windows 10 ",
+ "✅ Windows Server 2025 ",
"✅ Windows Server 2022 ",
"✅ Windows Server 2019 ",
"✅ Windows Server 2016 "
@@ -235,7 +242,6 @@
"book/*.md": "paoloma",
"identity-protection/access-control/*.md": "sulahiri",
"identity-protection/credential-guard/*.md": "zwhittington",
- "identity-protection/hello-for-business/*.md": "erikdau",
"identity-protection/smart-cards/*.md": "ardenw",
"identity-protection/virtual-smart-cards/*.md": "ardenw",
"operating-system-security/data-protection/personal-data-encryption/*.md": "rhonnegowda",
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index 22b8f3245f..f89ec506b2 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -13,6 +13,9 @@ appliesto:
# Enable virtualization-based protection of code integrity
+> [!WARNING]
+> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
+
**Memory integrity** is a Virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
> [!NOTE]
@@ -20,9 +23,6 @@ appliesto:
> - Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
> - Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance. When nested virtualization is enabled, memory integrity works better when the VM is version >= 9.3.
-> [!WARNING]
-> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
-
## Memory integrity features
- Protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers.
@@ -32,28 +32,28 @@ appliesto:
To enable memory integrity on Windows devices with supporting hardware throughout an enterprise, use any of these options:
-- [Windows Security settings](#windows-security)
-- [Microsoft Intune (or another MDM provider)](#enable-memory-integrity-using-intune)
-- [Group Policy](#enable-memory-integrity-using-group-policy)
-- [Microsoft Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
-- [Registry](#use-registry-keys-to-enable-memory-integrity)
+### [:::image type="icon" source="../images/icons/security-app.svg" border="false"::: **Windows Security**](#tab/security)
-### Windows Security
+### Enable memory integrity using Windows Security
**Memory integrity** can be turned on in **Windows Security** settings and found at **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within **Windows Security**.
+### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
+
### Enable memory integrity using Intune
Use the **Virtualization Based Technology** > **Hypervisor Enforced Code Integrity** setting using the [settings catalog](/mem/intune/configuration/settings-catalog) to enable memory integrity. You can also use the HypervisorEnforcedCodeIntegrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology).
+### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
+
### Enable memory integrity using Group Policy
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
1. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
1. Double-click **Turn on Virtualization Based Security**.
-1. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
+1. Select **Enabled**. Under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.

@@ -61,7 +61,9 @@ Use the **Virtualization Based Technology** > **Hypervisor Enforced Code Integri
To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated Command Prompt.
-### Use registry keys to enable memory integrity
+### [:::image type="icon" source="../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg)
+
+### Enable memory integrity using registry
Set the following registry keys to enable memory integrity. These keys provide similar set of configuration options provided by Group Policy
@@ -85,74 +87,78 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
If you want to customize the preceding recommended settings, use the following registry keys.
-**To enable VBS only (no memory integrity)**
+- To enable VBS only (no memory integrity):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
+ ```
-**To enable VBS and require Secure boot only (value 1)**
+- To enable VBS and require Secure boot only (value 1):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
+ ```
-**To enable VBS with Secure Boot and DMA protection (value 3)**
+- To enable VBS with Secure Boot and DMA protection (value 3):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
+ ```
-**To enable VBS without UEFI lock (value 0)**
+- To enable VBS without UEFI lock (value 0):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
+ ```
-**To enable VBS with UEFI lock (value 1)**
+- To enable VBS with UEFI lock (value 1):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
+ ```
-**To enable memory integrity**
+- To enable memory integrity:
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
+ ```
-**To enable memory integrity without UEFI lock (value 0)**
+- To enable memory integrity without UEFI lock (value 0):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
+ ```
-**To enable memory integrity with UEFI lock (value 1)**
+- To enable memory integrity with UEFI lock (value 1):
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
+ ```
-**To enable VBS (and memory integrity) in mandatory mode**
+- To enable VBS (and memory integrity) in mandatory mode:
-```cmd
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
-```
+ ```cmd
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
+ ```
-The **Mandatory** setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load.
+ The **Mandatory** setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load.
-> [!IMPORTANT]
-> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
+ > [!IMPORTANT]
+ > Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
-**To gray out the memory integrity UI and display the message "This setting is managed by your administrator"**
-```cmd
-reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f
-```
+- To gray out the memory integrity UI and display the message `This setting is managed by your administrator`:
-**To let memory integrity UI behave normally (Not grayed out)**
-```cmd
-reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f
-```
+ ```cmd
+ reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f
+ ```
+
+- To let memory integrity UI behave normally (Not grayed out):
+
+ ```cmd
+ reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f
+ ```
+
+### [:::image type="icon" source="../images/icons/app-control.svg" border="false"::: **App Control**](#tab/appcontrol)
### Enable memory integrity using App Control for Business
@@ -165,6 +171,8 @@ You can use App Control policy to turn on memory integrity using any of the foll
> [!NOTE]
> If your App Control policy is set to turn memory integrity on, it will be turned on even if the policy is in audit mode.
+---
+
### Validate enabled VBS and memory integrity features
#### Use Win32_DeviceGuard WMI class
@@ -180,82 +188,98 @@ Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\D
The output of this command provides details of the available hardware-based security features and those features that are currently enabled.
-##### AvailableSecurityProperties
+- **InstanceIdentifier**: A string that is unique to a particular device and set by WMI.
-This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
+- **Version**: This field lists the version of this WMI class. The only valid value now is **1.0**.
-| Value | Description |
-|-------|---------------------------------------------------------|
-| **0** | If present, no relevant properties exist on the device. |
-| **1** | If present, hypervisor support is available. |
-| **2** | If present, Secure Boot is available. |
-| **3** | If present, DMA protection is available. |
-| **4** | If present, Secure Memory Overwrite is available. |
-| **5** | If present, NX protections are available. |
-| **6** | If present, SMM mitigations are available. |
-| **7** | If present, MBEC/GMET is available. |
-| **8** | If present, APIC virtualization is available. |
+- **AvailableSecurityProperties**: This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
-##### InstanceIdentifier
+ | Value | Description |
+ |-------|---------------------------------------------------------|
+ | **0** | If present, no relevant properties exist on the device. |
+ | **1** | If present, hypervisor support is available. |
+ | **2** | If present, Secure Boot is available. |
+ | **3** | If present, DMA protection is available. |
+ | **4** | If present, Secure Memory Overwrite is available. |
+ | **5** | If present, NX protections are available. |
+ | **6** | If present, SMM mitigations are available. |
+ | **7** | If present, MBEC/GMET is available. |
+ | **8** | If present, APIC virtualization is available. |
-A string that is unique to a particular device and set by WMI.
+- **CodeIntegrityPolicyEnforcementStatus**: This field indicates the code integrity policy enforcement status.
-##### RequiredSecurityProperties
+ | Value | Description |
+ |-------|-------------|
+ | **0** | Off |
+ | **1** | Audit. |
+ | **2** | Enforced. |
-This field describes the required security properties to enable VBS.
+- **RequiredSecurityProperties**: This field describes the required security properties to enable VBS.
-| Value | Description |
-|-------|------------------------------------------------|
-| **0** | Nothing is required. |
-| **1** | If present, hypervisor support is needed. |
-| **2** | If present, Secure Boot is needed. |
-| **3** | If present, DMA protection is needed. |
-| **4** | If present, Secure Memory Overwrite is needed. |
-| **5** | If present, NX protections are needed. |
-| **6** | If present, SMM mitigations are needed. |
-| **7** | If present, MBEC/GMET is needed. |
+ | Value | Description |
+ |-------|------------------------------------------------|
+ | **0** | Nothing is required. |
+ | **1** | If present, hypervisor support is needed. |
+ | **2** | If present, Secure Boot is needed. |
+ | **3** | If present, DMA protection is needed. |
+ | **4** | If present, Secure Memory Overwrite is needed. |
+ | **5** | If present, NX protections are needed. |
+ | **6** | If present, SMM mitigations are needed. |
+ | **7** | If present, MBEC/GMET is needed. |
-##### SecurityServicesConfigured
+- **SecurityServicesConfigured**: This field indicates whether Credential Guard or memory integrity is configured.
-This field indicates whether Credential Guard or memory integrity is configured.
+ | Value | Description |
+ |-------|-------------------------------------------------------|
+ | **0** | No services are configured. |
+ | **1** | If present, Credential Guard is configured. |
+ | **2** | If present, memory integrity is configured. |
+ | **3** | If present, System Guard Secure Launch is configured. |
+ | **4** | If present, SMM Firmware Measurement is configured. |
+ | **5** | If present, Kernel-mode Hardware-enforced Stack Protection is configured. |
+ | **6** | If present, Kernel-mode Hardware-enforced Stack Protection is configured in Audit mode. |
+ | **7** | If present, Hypervisor-Enforced Paging Translation is configured. |
-| Value | Description |
-|-------|-------------------------------------------------------|
-| **0** | No services are configured. |
-| **1** | If present, Credential Guard is configured. |
-| **2** | If present, memory integrity is configured. |
-| **3** | If present, System Guard Secure Launch is configured. |
-| **4** | If present, SMM Firmware Measurement is configured. |
+- **SecurityServicesRunning**: This field indicates whether Credential Guard or memory integrity is running.
-##### SecurityServicesRunning
+ | Value | Description |
+ |-------|----------------------------------------------------|
+ | **0** | No services running. |
+ | **1** | If present, Credential Guard is running. |
+ | **2** | If present, memory integrity is running. |
+ | **3** | If present, System Guard Secure Launch is running. |
+ | **4** | If present, SMM Firmware Measurement is running. |
+ | **5** | If present, Kernel-mode Hardware-enforced Stack Protection is running. |
+ | **6** | If present, Kernel-mode Hardware-enforced Stack Protection is running in Audit mode. |
+ | **7** | If present, Hypervisor-Enforced Paging Translation is running. |
-This field indicates whether Credential Guard or memory integrity is running.
+- **SmmIsolationLevel**: This field indicates the SMM isolation level.
-| Value | Description |
-|-------|----------------------------------------------------|
-| **0** | No services running. |
-| **1** | If present, Credential Guard is running. |
-| **2** | If present, memory integrity is running. |
-| **3** | If present, System Guard Secure Launch is running. |
-| **4** | If present, SMM Firmware Measurement is running. |
+- **UsermodeCodeIntegrityPolicyEnforcementStatus**: This field indicates the user mode code integrity policy enforcement status.
-##### Version
+ | Value | Description |
+ |-------|-------------|
+ | **0** | Off |
+ | **1** | Audit. |
+ | **2** | Enforced. |
-This field lists the version of this WMI class. The only valid value now is **1.0**.
+- **VirtualizationBasedSecurityStatus**: This field indicates whether VBS is enabled and running.
-##### VirtualizationBasedSecurityStatus
+ | Value | Description |
+ |-------|---------------------------------|
+ | **0** | VBS isn't enabled. |
+ | **1** | VBS is enabled but not running. |
+ | **2** | VBS is enabled and running. |
-This field indicates whether VBS is enabled and running.
+- **VirtualMachineIsolation**: This field indicates whether virtual machine isolation is enabled.
-| Value | Description |
-|-------|---------------------------------|
-| **0** | VBS isn't enabled. |
-| **1** | VBS is enabled but not running. |
-| **2** | VBS is enabled and running. |
+- **VirtualMachineIsolationProperties**: This field indicates the set of virtual machine isolation properties that are available.
-##### PSComputerName
-
-This field lists the computer name. All valid values for computer name.
+ | Value | Description |
+ |-------|-------------------------------|
+ | **1** | AMD SEV-SNP |
+ | **2** | Virtualization-based Security |
+ | **3** | Intel TDX |
#### Use msinfo32.exe
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 20731a876a..12fe65bda4 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -6,6 +6,7 @@ ms.topic: overview
appliesto:
- ✅ Windows 11
- ✅ Windows 10
+- ✅ Windows Server 2025
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 70dbff7388..102e723645 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -6,6 +6,7 @@ ms.topic: concept-article
appliesto:
- ✅ Windows 11
- ✅ Windows 10
+- ✅ Windows Server 2025
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
@@ -230,27 +231,27 @@ The following table shows the Group Policy and registry settings that are used t
1. In the details pane, right-click <**gpo\_name**>, and > **Edit**
1. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:
- - Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**
- - Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**
- - Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**
+ - Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**
+ - Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**
+ - Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**
1. Ensure that the local account restrictions are applied to network interfaces by following these steps:
- - Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry**
- - Right-click **Registry**, and > **New** > **Registry Item**
- - In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**
- - Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE**
- - Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
- - In the **Value name** area, type `LocalAccountTokenFilterPolicy`
- - In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value
- - In the **Value data** box, ensure that the value is set to **0**
- - Verify this configuration, and > **OK**
+ - Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry**
+ - Right-click **Registry**, and > **New** > **Registry Item**
+ - In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**
+ - Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE**
+ - Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
+ - In the **Value name** area, type `LocalAccountTokenFilterPolicy`
+ - In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value
+ - In the **Value data** box, ensure that the value is set to **0**
+ - Verify this configuration, and > **OK**
1. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
- - Navigate to the `*Forest*\\*Domain*\*OU*` path
- - Right-click the **Workstations > Link an existing GPO**
- - Select the GPO that you created, and > **OK**
+ - Navigate to the `*Forest*\\*Domain*\*OU*` path
+ - Right-click the **Workstations > Link an existing GPO**
+ - Select the GPO that you created, and > **OK**
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
@@ -291,9 +292,9 @@ The following table shows the Group Policy settings that are used to deny networ
1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**
1. Link the GPO to the first **Workstations** OU as follows:
- - Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path
- - Right-click the **Workstations** OU, and > **Link an existing GPO**
- - Select the GPO that you created, and > **OK**
+ - Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path
+ - Right-click the **Workstations** OU, and > **Link an existing GPO**
+ - Select the GPO that you created, and > **OK**
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index b965f14e38..192b60aca0 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -11,9 +11,7 @@ This article describes how to configure Credential Guard using Microsoft Intune,
## Default enablement
-[!INCLUDE [windows-server-2025-preview](../../includes/windows-server-2025-preview.md)]
-
-Starting in Windows 11, 22H2 and Windows Server 2025 (preview), Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
+Starting in Windows 11, 22H2 and Windows Server 2025, Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
System administrators can explicitly [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values overwrite the default enablement state after a reboot.
diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index 71298d9a5b..e4531d1f84 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -11,13 +11,11 @@ Microsoft recommends that in addition to deploying Credential Guard, organizatio
## Upgrade considerations
-[!INCLUDE [windows-server-2025-preview](../../includes/windows-server-2025-preview.md)]
-
As Credential Guard evolves and enhances its security features, newer versions of Windows running Credential Guard might affect previously functional scenarios. For instance, Credential Guard could restrict the use of certain credentials or components to thwart malware exploiting vulnerabilities.
It's advisable to thoroughly test operational scenarios within an organization before updating devices that utilize Credential Guard.
-Upgrades to Windows 11, version 22H2, and Windows Server 2025 (preview) have Credential Guard [enabled by default](index.md#default-enablement) unless explicitly disabled.
+Upgrades to Windows 11, version 22H2, and Windows Server 2025 have Credential Guard [enabled by default](index.md#default-enablement) unless explicitly disabled.
## Wi-fi and VPN considerations
@@ -120,25 +118,23 @@ Credential Guard blocks certain authentication capabilities. Applications that r
This article describes known issues when Credential Guard is enabled.
-### Live migration with Hyper-V breaks when upgrading to Windows Server 2025 (preview)
+### Live migration with Hyper-V breaks when upgrading to Windows Server 2025
-[!INCLUDE [windows-server-2025-preview](../../includes/windows-server-2025-preview.md)]
-
-Devices that use CredSSP-based Delegation might no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services that rely on live migration (such as [SCVMM](/system-center/vmm/overview)) might also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
+Devices that use CredSSP-based Delegation might no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025. Applications and services that rely on live migration (such as [SCVMM](/system-center/vmm/overview)) might also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
||Description|
|-|-|
-| **Affected devices**|Any server with Credential Guard enabled might encounter this issue. Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that aren't domain controllers. Default enablement of Credential Guard can be [preemptively blocked](configure.md#default-enablement) before upgrade.|
+| **Affected devices**|Any server with Credential Guard enabled might encounter this issue. Starting in Windows Server 2025, [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that aren't domain controllers. Default enablement of Credential Guard can be [preemptively blocked](configure.md#default-enablement) before upgrade.|
| **Cause of the issue**|Live Migration with Hyper-V, and applications and services that rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials. If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration fails. In most cases, Credential Guard's enablement state on the destination machine won't impact Live Migration. Live Migration also fails in cluster scenarios (for example, SCVMM), since any device might act as a source machine.|
| **Resolution**|Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can [configure these types of delegation](/windows-server/virtualization/hyper-v/deploy/set-up-hosts-for-live-migration-without-failover-clustering#BKMK_Step1) manually or with the help of automated scripts.|
-### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025 (preview)
+### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025
Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually reauthenticate in every new Windows session when Credential Guard is running.
||Description|
|-|-|
-| **Affected devices**|Any device with Credential Guard enabled might encounter the issue. Starting in Windows 11, version 22H2, and Windows Server 2025 (preview), eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, and some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements). All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), receive default enablement.|
+| **Affected devices**|Any device with Credential Guard enabled might encounter the issue. Starting in Windows 11, version 22H2, and Windows Server 2025, eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, and some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements). All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), receive default enablement.|
| **Cause of the issue**|Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include: - Kerberos unconstrained delegation (both SSO and supplied credentials are blocked) - Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked) - MS-CHAP (only SSO is blocked) - WDigest (only SSO is blocked) - NTLM v1 (only SSO is blocked) **Note**: Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.|
| **Resolution**|Microsoft recommends moving away from MSCHAPv2-based connections (for example, PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (for example, PEAP-TLS or EAP-TLS). Credential Guard doesn't block certificate-based authentication. For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.|
@@ -148,7 +144,7 @@ Devices that use 802.1x wireless or wired network, RDP, or VPN connections that
> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
> [!NOTE]
-> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025 (preview)**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
+> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
> If it's present, the device enables Credential Guard after the update.
>
> Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index fcbe9884bb..386e6883e1 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -22,16 +22,14 @@ When enabled, Credential Guard provides the following benefits:
## Default enablement
-[!INCLUDE [windows-server-2025-preview](../../includes/windows-server-2025-preview.md)]
-
-Starting in **Windows 11, 22H2** and **Windows Server 2025 (preview)**, VBS and Credential Guard are enabled by default on devices that meet the requirements.
+Starting in **Windows 11, 22H2** and **Windows Server 2025**, VBS and Credential Guard are enabled by default on devices that meet the requirements.
The default enablement is **without UEFI Lock**, thus allowing administrators to disable Credential Guard remotely if needed.
When Credential Guard is enabled, [VBS](#system-requirements) is automatically enabled too.
> [!NOTE]
-> If Credential Guard is explicitly [disabled](configure.md#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 (preview) or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
+> If Credential Guard is explicitly [disabled](configure.md#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
### Default enablement on Windows
@@ -48,7 +46,7 @@ Devices running Windows 11, 22H2 or later have Credential Guard enabled by defau
### Default enablement on Windows Server
-Devices running Windows Server 2025 (preview) or later have Credential Guard enabled by default if they:
+Devices running Windows Server 2025 or later have Credential Guard enabled by default if they:
- Meet the [license requirements](#windows-edition-and-licensing-requirements)
- Meet the [hardware and software requirements](#system-requirements)
diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md
index 901fa618d2..29cb37b8e0 100644
--- a/windows/security/identity-protection/hello-for-business/configure.md
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@@ -2,7 +2,7 @@
title: Configure Windows Hello for Business
description: Learn about the configuration options for Windows Hello for Business and how to implement them in your organization.
ms.topic: how-to
-ms.date: 04/23/2024
+ms.date: 11/05/2024
---
# Configure Windows Hello for Business
@@ -83,7 +83,7 @@ To check the Windows Hello for Business policy settings applied at enrollment ti
1. Select **Windows Hello for Business**
1. Verify the status of **Configure Windows Hello for Business** and any settings that might be configured
-:::image type="content" source="deploy/images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="deploy/images/whfb-intune-disable.png":::
+ :::image type="content" source="deploy/images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." lightbox="deploy/images/whfb-intune-disable.png":::
## Policy conflicts from multiple policy sources
@@ -109,7 +109,7 @@ Configuration type| Details |
| CSP (user)|**Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\UserSid\Policies` **Key name**: `UsePassportForWork` **Type**: `REG_DWORD` **Value**: `1` to enable `0` to disable |
| CSP (device)|**Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies` **Key name**: `UsePassportForWork` **Type**: `REG_DWORD` **Value**: `1` to enable `0` to disable |
| GPO (user)|**Key path**: `HKEY_USERS\\SOFTWARE\Policies\Microsoft\PassportForWork` **Key name**: `Enabled` **Type**: `REG_DWORD` **Value**: `1` to enable `0` to disable |
-| GPO (user)|**Key path**: `KEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork` **Key name**: `Enabled` **Type**: `REG_DWORD` **Value**: `1` to enable `0` to disable |
+| GPO (device)|**Key path**: `KEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork` **Key name**: `Enabled` **Type**: `REG_DWORD` **Value**: `1` to enable `0` to disable |
> [!NOTE]
> If there's a conflicting device policy and user policy, the user policy takes precedence. It's not recommended to create Local GPO or registry settings that could conflict with an MDM policy. This conflict could lead to unexpected results.
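Review bot: The registry path on the corrected `GPO (device)` row still reads `KEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`, which drops the leading `H` of the hive name. The row should read `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`. An administrator who copies the path to check which policy source enabled or disabled Windows Hello for Business will not find the key as written. The CSP rows and the `GPO (user)` row also show a doubled backslash where a tenant or SID segment appears to be missing (`PassportForWork\\UserSid`, `HKEY_USERS\\SOFTWARE`); this may be a rendering artifact of this page, so check it in the source file.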
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
index c547b535eb..9b2e6325b4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@@ -41,13 +41,13 @@ If you haven't deployed Microsoft Entra Kerberos, follow the instructions in the
When Microsoft Entra Kerberos is enabled in an Active Directory domain, an *AzureADKerberos* computer object is created in the domain. This object:
-- Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
+- Appears as a read only domain controller (RODC) object, but isn't associated with any physical servers
- Is only used by Microsoft Entra ID to generate TGTs for the Active Directory domain
> [!NOTE]
> Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust.
-:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Screenshot of the Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server.":::
+:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Screenshot of the Active Directory Users and Computers console, showing the computer object representing the Microsoft Entra Kerberos server." lightbox="images/azuread-kerberos-object.png":::
For more information about how Microsoft Entra Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](../how-it-works-authentication.md#microsoft-entra-hybrid-join-authentication-using-cloud-kerberos-trust).
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
index 58bad86a1c..7975aad95b 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-cloud-kerberos.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 10/30/2024
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
index 41d9b6cdf9..67e1f2fa05 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/tooltip-trust-key.md
@@ -1,5 +1,5 @@
---
-ms.date: 12/08/2022
+ms.date: 10/30/2024
ms.topic: include
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md
index 09c8d47a70..fb262a5ee4 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/index.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@@ -1,7 +1,7 @@
---
title: Plan a Windows Hello for Business Deployment
description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
-ms.date: 05/16/2024
+ms.date: 10/30/2024
ms.topic: concept-article
---
@@ -65,7 +65,7 @@ Windows Hello for Business authentication to Microsoft Entra ID always uses the
The trust type determines whether you issue authentication certificates to your users. One trust model isn't more secure than the other.
-The deployment of certificates to users and Domain Controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. More infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you must activate the Device Writeback option in Microsoft Entra Connect.
+The deployment of certificates to users and domain controllers requires more configuration and infrastructure, which could also be a factor to consider in your decision. More infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you must activate the Device Writeback option in Microsoft Entra Connect.
There are three trust types from which you can choose:
@@ -264,12 +264,12 @@ All supported Windows versions can be used with Windows Hello for Business. Howe
### Windows Server requirements
-All supported Windows Server versions can be used with Windows Hello for Business as Domain Controller. However, cloud Kerberos trust requires minimum versions:
+Windows Hello for Business can be used to authenticate against all supported Windows Server versions as a domain controller. However, cloud Kerberos trust requires minimum versions:
-| | Deployment model | Trust type | Domain Controller OS version |
+| | Deployment model | Trust type | Domain controller OS version |
|--|--|--|--|
| **🔲** | **Cloud-only** | n/a | All supported versions |
-| **🔲** | **Hybrid** | Cloud Kerberos | - Windows Server 2016, with [KB3534307][KB-3] and later - Windows Server 2019, with [KB4534321][KB-4] and later - Windows Server 2022 |
+| **🔲** | **Hybrid** | Cloud Kerberos | - Windows Server 2016, with [KB3534307][KB-3] and later - Windows Server 2019, with [KB4534321][KB-4] and later - Windows Server 2022 - Windows Server 2025|
| **🔲** | **Hybrid** | Key | All supported versions |
| **🔲** | **Hybrid** | Certificate | All supported versions |
| **🔲** | **On-premises** | Key | All supported versions |
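Review bot: The Windows Server 2016 entry on the rewritten `Cloud Kerberos` row cites `KB3534307`, while the Windows Server 2019 entry cites `KB4534321`. The differing leading digit looks like a typo carried over from the old line, so confirm the number against the `[KB-3]` link target, which is defined outside this hunk. The number matters because it is the minimum patch level a domain controller needs for cloud Kerberos trust. Separately, the new lead sentence is hard to parse; something like `All supported Windows Server versions can act as domain controllers for Windows Hello for Business.` says the same thing more directly.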
diff --git a/windows/security/identity-protection/passwordless-strategy/index.md b/windows/security/identity-protection/passwordless-strategy/index.md
index b0887dd2fd..f409e96957 100644
--- a/windows/security/identity-protection/passwordless-strategy/index.md
+++ b/windows/security/identity-protection/passwordless-strategy/index.md
@@ -2,7 +2,7 @@
title: Passwordless strategy overview
description: Learn about the passwordless strategy and how Windows security features help implementing it.
ms.topic: concept-article
-ms.date: 01/29/2024
+ms.date: 10/29/2024
---
# Passwordless strategy overview
diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-1.md b/windows/security/identity-protection/passwordless-strategy/journey-step-1.md
index 0708d80254..c986b45960 100644
--- a/windows/security/identity-protection/passwordless-strategy/journey-step-1.md
+++ b/windows/security/identity-protection/passwordless-strategy/journey-step-1.md
@@ -2,7 +2,7 @@
title: Deploy a passwordless replacement option
description: Learn about how to deploy a passwordless replacement option, the first step of the Microsoft passwordless journey.
ms.topic: concept-article
-ms.date: 01/29/2024
+ms.date: 10/29/2024
---
# Deploy a passwordless replacement option
diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-2.md b/windows/security/identity-protection/passwordless-strategy/journey-step-2.md
index 52859b1022..28cf7fe1c5 100644
--- a/windows/security/identity-protection/passwordless-strategy/journey-step-2.md
+++ b/windows/security/identity-protection/passwordless-strategy/journey-step-2.md
@@ -2,7 +2,7 @@
title: Reduce the user-visible password surface area
description: Learn about how to reduce the user-visible password surface area, the second step of the Microsoft passwordless journey.
ms.topic: concept-article
-ms.date: 01/29/2024
+ms.date: 10/29/2024
---
# Reduce the user-visible password surface area
diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
index b50cd4f910..9bc006a4e0 100644
--- a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
+++ b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md
@@ -2,7 +2,7 @@
title: Transition into a passwordless deployment
description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey.
ms.topic: concept-article
-ms.date: 01/29/2024
+ms.date: 10/29/2024
---
# Transition into a passwordless deployment
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index e07f9e5739..494d9a4978 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -6,6 +6,7 @@ ms.date: 03/12/2024
appliesto:
- ✅ Windows 11
- ✅ Windows 10
+- ✅ Windows Server 2025
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 583823e56f..27870ca1e3 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -2,7 +2,7 @@
title: Smart Card and Remote Desktop Services
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.topic: concept-article
-ms.date: 01/16/2024
+ms.date: 10/29/2024
---
# Smart Card and Remote Desktop Services
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index bd640b89fd..25f9e9f1ff 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -1,8 +1,8 @@
---
-title: Smart Card Architecture
+title: Smart Card Architecture
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.topic: reference-architecture
-ms.date: 01/16/2024
+ms.date: 10/29/2024
---
# Smart Card Architecture
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index 770de019ca..37bd03c462 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -1,8 +1,8 @@
---
-title: Certificate propagation service
+title: Certificate propagation service
description: Learn about the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.topic: concept-article
-ms.date: 01/16/2024
+ms.date: 10/29/2024
---
# Certificate propagation service
@@ -19,7 +19,7 @@ The following figure shows the flow of the certificate propagation service. The
1. The arrow labeled **2** indicates the certification to the reader
1. The arrow labeled **3** indicates the access to the certificate store during the client session
-
+ 
1. A signed-in user inserts a smart card
1. CertPropSvc is notified that a smart card was inserted
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index 5b33c9f79c..b8d0bf055f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -1,8 +1,8 @@
---
-title: Certificate Requirements and Enumeration
+title: Certificate Requirements and Enumeration
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.topic: concept-article
-ms.date: 01/16/2024
+ms.date: 10/29/2024
---
# Certificate Requirements and Enumeration
@@ -71,7 +71,8 @@ Following are the steps that are performed during a smart card sign-in:
1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser
1. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB_AS_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
- If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.\
+ If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.
+
If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key.
1. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP).
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index ce951db2a1..89fb2e4119 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -1,8 +1,8 @@
---
-title: Smart Card Troubleshooting
+title: Smart Card Troubleshooting
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.topic: troubleshooting
-ms.date: 01/16/2024
+ms.date: 10/29/2024
---
# Smart Card Troubleshooting
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index 6aef6b3288..07f326ba4f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -1,8 +1,8 @@
---
-title: Smart card events
+title: Smart card events
description: Learn about smart card deployment and development events.
ms.topic: troubleshooting
-ms.date: 01/16/2024
+ms.date: 10/29/2024
---
# Smart card events
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index 79e5f674c9..b98266524f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -1,8 +1,8 @@
---
-title: Smart Card Group Policy and Registry Settings
+title: Smart Card Group Policy and Registry Settings
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.topic: reference
-ms.date: 01/16/2024
+ms.date: 10/29/2024
---
# Smart Card Group Policy and Registry Settings
@@ -194,7 +194,7 @@ You can use this policy setting to configure which valid sign-in certificates ar
> [!NOTE]
> During the certificate renewal period, a user's smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
>
-> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same.
+> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same.
When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index 6f23ce09a9..efe457fa47 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -2,7 +2,7 @@
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
ms.topic: overview
-ms.date: 01/16/2024
+ms.date: 10/29/2024
---
# How Smart Card Sign-in Works in Windows
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 65933d65a1..a675b89bb4 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -1,8 +1,8 @@
---
-title: Smart Card Removal Policy Service
+title: Smart Card Removal Policy Service
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.topic: concept-article
-ms.date: 01/16/2024
+ms.date: 10/29/2024
---
# Smart Card Removal Policy Service
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index ad2cd71fb9..b7d7ee8d10 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -1,8 +1,8 @@
---
-title: Smart Cards for Windows Service
+title: Smart Cards for Windows Service
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.topic: concept-article
-ms.date: 01/16/2024
+ms.date: 10/29/2024
---
# Smart Cards for Windows Service
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index f703ec1f9c..574d204ddd 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -1,8 +1,8 @@
---
-title: Smart Card Tools and Settings
+title: Smart Card Tools and Settings
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.topic: get-started
-ms.date: 01/16/2024
+ms.date: 10/29/2024
---
# Smart Card Tools and Settings
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index d615e2079c..18b8555a16 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -1,8 +1,8 @@
---
-title: Smart Card Technical Reference
+title: Smart Card Technical Reference
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.topic: overview
-ms.date: 01/16/2024
+ms.date: 10/29/2024
---
# Smart Card Technical Reference
diff --git a/windows/security/images/icons/app-control.svg b/windows/security/images/icons/app-control.svg
new file mode 100644
index 0000000000..95b5dd5100
--- /dev/null
+++ b/windows/security/images/icons/app-control.svg
@@ -0,0 +1,19 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/security/images/icons/security-app.svg b/windows/security/images/icons/security-app.svg
new file mode 100644
index 0000000000..8095201e57
--- /dev/null
+++ b/windows/security/images/icons/security-app.svg
@@ -0,0 +1,24 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/security/includes/mdag-edge-deprecation-notice.md b/windows/security/includes/mdag-edge-deprecation-notice.md
index 69454f1d18..6836d1befd 100644
--- a/windows/security/includes/mdag-edge-deprecation-notice.md
+++ b/windows/security/includes/mdag-edge-deprecation-notice.md
@@ -6,5 +6,6 @@ ms.topic: include
---
> [!NOTE]
-> - Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), will be deprecated for Microsoft Edge for Business and [will no longer be updated](/windows/whats-new/feature-lifecycle). To learn more about Microsoft Edge security capabilities, see [Microsoft Edge For Business Security](/deployedge/ms-edge-security-for-business).
+> - Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and [will no longer be updated](/windows/whats-new/feature-lifecycle). To learn more about Microsoft Edge security capabilities, see [Microsoft Edge For Business Security](/deployedge/ms-edge-security-for-business).
+> - Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is no longer available.
> - Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding browser extensions and associated Windows Store app are no longer available. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard).
\ No newline at end of file
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
index 15db660036..80b74ed970 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
@@ -4,6 +4,7 @@ description: Learn how to protect cluster shared volumes (CSV) and storage area
ms.topic: how-to
ms.date: 06/18/2024
appliesto:
+- ✅ Windows Server 2025
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
index 8cfee0617e..b0ff6c39b5 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
@@ -17,6 +17,8 @@ This policy setting allows you to control how BitLocker-protected operating syst
If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
+For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
+
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesRecoveryOptions](/windows/client-management/mdm/bitlocker-csp#systemdrivesrecoveryoptions)|
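Review bot: The added sentence about Microsoft Entra hybrid joined devices does not say which policy state it applies to. It directly follows a paragraph stating that, with the policy disabled or not configured, recovery information is not backed up to AD DS, so the two statements read as contradictory. Readers planning recovery-password escrow need to know whether the dual backup happens by default or only when this setting is enabled with the AD DS save option, so state that condition in the sentence. For consistency with other pages in this change, write `Microsoft Entra ID` rather than `Entra ID`.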
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/install-server.md b/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
index a1b63ed90b..1e9c124e9c 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
@@ -4,6 +4,7 @@ description: Learn how to install BitLocker on Windows Server.
ms.topic: how-to
ms.date: 06/18/2024
appliesto:
+- ✅ Windows Server 2025
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
diff --git a/windows/security/security-foundations/certification/fips-140-validation.md b/windows/security/security-foundations/certification/fips-140-validation.md
index 739b778e25..af7736d41e 100644
--- a/windows/security/security-foundations/certification/fips-140-validation.md
+++ b/windows/security/security-foundations/certification/fips-140-validation.md
@@ -1,7 +1,7 @@
---
title: Windows FIPS 140 validation
description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
-ms.date: 2/1/2024
+ms.date: 11/13/2024
ms.topic: reference
---
@@ -21,6 +21,8 @@ The Windows client releases listed below include cryptographic modules that have
#### Windows 10 releases
+- [Windows 10, version 21H1 (May 2021 Update)](validations/fips-140-windows10.md#windows-10-version-21h1-may-2021-update)
+- [Windows 10, version 20H2 (October 2020 Update)](validations/fips-140-windows10.md#windows-10-version-20h2-october-2020-update)
- [Windows 10, version 2004 (May 2020 Update)](validations/fips-140-windows10.md#windows-10-version-2004-may-2020-update)
- [Windows 10, version 1909 (November 2019 Update)](validations/fips-140-windows10.md#windows-10-version-1909-november-2019-update)
- [Windows 10, version 1903 (May 2019 Update)](validations/fips-140-windows10.md#windows-10-version-1903-may-2019-update)
@@ -60,16 +62,18 @@ The Windows client releases listed below include cryptographic modules that have
The Windows Server releases listed below include cryptographic modules that have completed FIPS 140 validation. Click on the release for details, including the CMVP certificate, Security Policy document, and algorithm scope for each module. When the CMVP certificate validation label includes the note *When operated in FIPS mode*, specific configuration and security rules outlined in the Security Policy must be followed.
-#### Windows Server 2019 and 2016 releases
+#### Windows Server 2022, 2019, and 2016 releases
+- [Windows Server 2022](validations/fips-140-windows-server-2022.md#windows-server-2022)
- [Windows Server 2019](validations/fips-140-windows-server-2019.md#windows-server-2019)
- [Windows Server 2016](validations/fips-140-windows-server-2016.md#windows-server-2016)
#### Windows Server semi-annual releases
-- [Windows Server, version 2004](validations/fips-140-windows-server-semi-annual.md#windows-server-version-2004-may-2020-update)
-- [Windows Server, version 1909](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1909-november-2019-update)
-- [Windows Server, version 1903](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1903-may-2019-update)
+- [Windows Server, version 20H2](validations/fips-140-windows-server-semi-annual.md#windows-server-version-20h2)
+- [Windows Server, version 2004](validations/fips-140-windows-server-semi-annual.md#windows-server-version-2004)
+- [Windows Server, version 1909](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1909)
+- [Windows Server, version 1903](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1903)
- [Windows Server, version 1809](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1809)
- [Windows Server, version 1803](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1803)
- [Windows Server, version 1709](validations/fips-140-windows-server-semi-annual.md#windows-server-version-1709)
diff --git a/windows/security/security-foundations/certification/validations/fips-140-windows-server-2022.md b/windows/security/security-foundations/certification/validations/fips-140-windows-server-2022.md
new file mode 100644
index 0000000000..828e85d5b7
--- /dev/null
+++ b/windows/security/security-foundations/certification/validations/fips-140-windows-server-2022.md
@@ -0,0 +1,33 @@
+---
+title: FIPS 140 validated modules for Windows Server 2022
+description: This topic lists the completed FIPS 140 cryptographic module validations for Windows Server 2022.
+ms.date: 11/13/2024
+ms.topic: reference
+---
+
+# FIPS 140 validated modules in Windows Server 2022
+
+The following tables list the completed FIPS 140 validations of cryptographic modules used in Windows Server 2022, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, see its linked Security Policy document or module certificate.
+
+## Windows Server 2022
+
+Build: 10.0.20348. Validated Editions: Standard, Datacenter, and Datacenter: Azure.
+
+|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
+|--- |--- |--- |
+|[Cryptographic Primitives Library][sp-4825]|[#4825][certificate-4825]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+|[Kernel Mode Cryptographic Primitives Library][sp-4766]|[#4766][certificate-4766]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+
+---
+
+
+
+
+
+[certificate-4766]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4766
+[certificate-4825]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4825
+
+
+
+[sp-4766]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4766.pdf
+[sp-4825]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4825.pdf
diff --git a/windows/security/security-foundations/certification/validations/fips-140-windows-server-semi-annual.md b/windows/security/security-foundations/certification/validations/fips-140-windows-server-semi-annual.md
index d1d1724b36..5ca0829279 100644
--- a/windows/security/security-foundations/certification/validations/fips-140-windows-server-semi-annual.md
+++ b/windows/security/security-foundations/certification/validations/fips-140-windows-server-semi-annual.md
@@ -1,7 +1,7 @@
---
title: FIPS 140 validated modules for Windows Server Semi-Annual Releases
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows Server semi-annual releases.
-ms.date: 2/1/2024
+ms.date: 11/13/2024
ms.topic: reference
---
@@ -9,7 +9,16 @@ ms.topic: reference
The following tables list the completed FIPS 140 validations of cryptographic modules used in Windows Server semi-annual releases, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, including CAVP algorithm certificates, see the module's linked Security Policy document or CMVP module certificate.
-## Windows Server, version 2004 (May 2020 Update)
+## Windows Server, version 20H2
+
+Build: 10.0.19042. Validated Editions: Standard Core, Datacenter Core
+
+|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
+|--- |--- |--- |
+|[Cryptographic Primitives Library][sp-4825]|[#4825][certificate-4825]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+|[Kernel Mode Cryptographic Primitives Library][sp-4766]|[#4766][certificate-4766]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+
+## Windows Server, version 2004
Build: 10.0.19041. Validated Editions: Standard Core, Datacenter Core
@@ -24,7 +33,7 @@ Build: 10.0.19041. Validated Editions: Standard Core, Datacenter Core
|[Virtual TPM][sp-4537]|[#4537][certificate-4537]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows OS Loader][sp-4339]|[#4339][certificate-4339]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
-## Windows Server, version 1909 (November 2019 Update)
+## Windows Server, version 1909
Build: 10.0.18363. Validated Editions: Standard Core, Datacenter Core
@@ -39,7 +48,7 @@ Build: 10.0.18363. Validated Editions: Standard Core, Datacenter Core
|[Virtual TPM][sp-4537]|[#4537][certificate-4537]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows OS Loader][sp-4339]|[#4339][certificate-4339]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
-## Windows Server, version 1903 (May 2019 Update)
+## Windows Server, version 1903
Build: 10.0.18362. Validated Editions: Standard Core, Datacenter Core
@@ -123,6 +132,8 @@ Build: 10.0.16299. Validated Editions: Standard Core, Datacenter Core
[certificate-4536]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4536
[certificate-4537]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4537
[certificate-4538]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4538
+[certificate-4766]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4766
+[certificate-4825]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4825
@@ -146,3 +157,5 @@ Build: 10.0.16299. Validated Editions: Standard Core, Datacenter Core
[sp-4536]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4536.pdf
[sp-4537]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
+[sp-4766]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4766.pdf
+[sp-4825]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4825.pdf
diff --git a/windows/security/security-foundations/certification/validations/fips-140-windows10.md b/windows/security/security-foundations/certification/validations/fips-140-windows10.md
index e555337cb5..9bf64e0084 100644
--- a/windows/security/security-foundations/certification/validations/fips-140-windows10.md
+++ b/windows/security/security-foundations/certification/validations/fips-140-windows10.md
@@ -1,7 +1,7 @@
---
title: FIPS 140 validated modules for Windows 10
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows 10.
-ms.date: 2/1/2024
+ms.date: 11/13/2024
ms.topic: reference
---
@@ -9,6 +9,24 @@ ms.topic: reference
The following tables list the completed FIPS 140 validations of cryptographic modules used in Windows 10, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, including CAVP algorithm certificates, see the module's linked Security Policy document or CMVP module certificate.
+## Windows 10, version 21H1 (May 2021 Update)
+
+Build: 10.0.19043. Validated Editions: Pro, Enterprise
+
+|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
+|--- |--- |--- |
+|[Cryptographic Primitives Library][sp-4825]|[#4825][certificate-4825]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+|[Kernel Mode Cryptographic Primitives Library][sp-4766]|[#4766][certificate-4766]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+
+## Windows 10, version 20H2 (October 2020 Update)
+
+Build: 10.0.19042. Validated Editions: Pro, Enterprise
+
+|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
+|--- |--- |--- |
+|[Cryptographic Primitives Library][sp-4825]|[#4825][certificate-4825]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+|[Kernel Mode Cryptographic Primitives Library][sp-4766]|[#4766][certificate-4766]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+
## Windows 10, version 2004 (May 2020 Update)
Build: 10.0.19041. Validated Editions: Home, Pro, Enterprise, Education
@@ -257,6 +275,8 @@ Build: 10.0.10240. Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, M
[certificate-4536]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4536
[certificate-4537]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4537
[certificate-4538]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4538
+[certificate-4766]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4766
+[certificate-4825]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4825
@@ -320,3 +340,5 @@ Build: 10.0.10240. Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, M
[sp-4536]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4536.pdf
[sp-4537]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
+[sp-4766]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4766.pdf
+[sp-4825]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4825.pdf
diff --git a/windows/security/security-foundations/certification/validations/fips-140-windows11.md b/windows/security/security-foundations/certification/validations/fips-140-windows11.md
index bf551c22b5..f9b596134b 100644
--- a/windows/security/security-foundations/certification/validations/fips-140-windows11.md
+++ b/windows/security/security-foundations/certification/validations/fips-140-windows11.md
@@ -1,7 +1,7 @@
---
title: FIPS 140 validated modules for Windows 11
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows 11.
-ms.date: 2/1/2024
+ms.date: 11/12/2024
ms.topic: reference
---
@@ -16,6 +16,8 @@ Build: 10.0.22000. Validated Edition: Windows 11
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[Boot Manager][sp-4546]|[#4546][certificate-4546]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
+|[Cryptographic Primitives Library][sp-4825]|[#4825][certificate-4825]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
+|[Kernel Mode Cryptographic Primitives Library][sp-4766]|[#4766][certificate-4766]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, ENT (P), HMAC, KAS, KAS-SSC, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES|
---
@@ -24,7 +26,11 @@ Build: 10.0.22000. Validated Edition: Windows 11
[certificate-4546]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4546
+[certificate-4766]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4766
+[certificate-4825]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4825
[sp-4546]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4546.pdf
+[sp-4766]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4766.pdf
+[sp-4825]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4825.pdf
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index a12c5b5eb4..99c9f31ea9 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -57,7 +57,7 @@ The features in this article are no longer being actively developed, and might b
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| Test Base | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
| Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta. Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates. This deprecation doesn't affect HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 |
-| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). To learn more about Edge for Business security capabilities, see [Microsoft Edge security for your business](/deployedge/ms-edge-security-for-business). **[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app will not be available after May 2024. This affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). | December 2023 |
+| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). To learn more about Edge for Business security capabilities, see [Microsoft Edge security for your business](/deployedge/ms-edge-security-for-business). **[Update - October 2024]**: Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is no longer available. **[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app will not be available after May 2024. This affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). | December 2023 |
| Legacy console mode | The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
| Windows speech recognition | [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
| Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated and will no longer be updated. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md
index 7d8297fb4a..461b15d644 100644
--- a/windows/whats-new/removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -9,7 +9,7 @@ manager: aaroncz
ms.topic: reference
ms.subservice: itpro-fundamentals
ms.date: 08/23/2024
-ms.collection:
+ms.collection:
- highpri
- tier1
appliesto:
@@ -38,6 +38,7 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Support removed |
| ----------- | --------------------- | ------ |
+| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and is no longer available starting with Windows 11, version 24H2. | 24H2 |
| WordPad | WordPad is removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. If you're a developer and need information about the affected binaries, see [Resources for deprecated features](deprecated-features-resources.md#wordpad). | October 1, 2024 |
| Alljoyn | Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) is retired. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures. AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | October 1, 2024 |
| Update Compliance | Update Compliance, a cloud-based service for the Windows client, is retired. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | March 31, 2023 |