deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into patch-3

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-05-10 07:30:20 -04:00 committed by GitHub
commit 6d2d38a895
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 236 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
windows/deployment/do/TOC.yml
View File

@ -27,10 +27,12 @@
href: delivery-optimization-test.md
- name: Microsoft Connected Cache
items:
- name: Microsoft Connected Cache overview
- name: What is Microsoft Connected Cache?
href: waas-microsoft-connected-cache.md
- name: MCC for Enterprise and Education
items:
- name: MCC for Enterprise and Education Overview
href: mcc-ent-edu-overview.md
- name: Requirements
href: mcc-enterprise-prerequisites.md
- name: Deploy Microsoft Connected Cache
@ -41,6 +43,8 @@
href: mcc-enterprise-appendix.md
- name: MCC for ISPs
items:
- name: MCC for ISPs Overview
href: mcc-isp-overview.md
- name: How-to guides
items:
- name: Operator sign up and service onboarding

BIN
windows/deployment/do/images/mcc-isp-bgp-diagram.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/deployment/do/images/mcc-isp-bgp-route.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.2 KiB

72
windows/deployment/do/mcc-ent-edu-overview.md Normal file
View File

@ -0,0 +1,72 @@
---
title: MCC for Enterprise and Education Overview
manager: aaroncz
description: Overview of Microsoft Connected Cache (MCC) for Enterprise and Education.
ms.prod: windows-client
author: amymzhou
ms.author: amyzhou
ms.topic: article
ms.date: 05/09/2023
ms.technology: itpro-updates
ms.collection: tier3
---
# Microsoft Connected Cache for Enterprise and Education Overview
**Applies to**
- Windows 10
- Windows 11
> [!IMPORTANT]
> - Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
> - We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. For information about Microsoft Connected Cache in Configuration Manager (generally available, starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache).
## Supported scenarios
Connected Cache (early preview) supports the following scenarios:
- Pre-provisioning of devices using Windows Autopilot
- Cloud-only devices, such as Intune-enrolled devices
## Supported content types
When clients download cloud-managed content, they use Delivery Optimization from the cache server installed on a Windows server or VM. Cloud-managed content includes the following types:
- Windows Update for Business: Windows feature and quality updates
- Office Click-to-Run apps: Microsoft 365 Apps and updates
- Client apps: Microsoft Store apps and updates
- Endpoint protection: Windows Defender definition updates
For the full list of content endpoints that Microsoft Connected Cache for Enterprise and Education supports, see [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md).
## How it works
MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It's built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC is a Linux IoT Edge module running on the Windows Host OS.
1. The Azure Management Portal is used to create MCC nodes.
1. The MCC container is deployed and provisioned to the server using the installer provided in the portal.
1. Client policy is set in your management solution to point to the IP address or FQDN of the cache server.
1. Microsoft end-user devices make range requests for content from the MCC node.
1. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
1. Subsequent requests from end-user devices for content will now come from cache.
1. If the MCC node is unavailable, the client pulls content from CDN to ensure uninterrupted service for your subscribers.
The following diagram displays an overview of how MCC functions:
:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png":::
## IoT Edge
Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
1. Installs and updates MCC on your edge device.
1. Maintains Azure IoT Edge security standards on your edge device.
1. Ensures that MCC is always running.
1. Reports MCC health and usage to the cloud for remote monitoring.
For more information on Azure IoT Edge, see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge).

1
windows/deployment/do/mcc-enterprise-prerequisites.md
View File

@ -20,6 +20,7 @@ ms.collection: tier3
> [!NOTE]
> We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
## Enterprise requirements for MCC
1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services.

26
windows/deployment/do/mcc-isp-create-provision-deploy.md
View File

@ -6,7 +6,7 @@ ms.prod: windows-client
author: nidos
ms.author: nidos
ms.topic: article
ms.date: 12/31/2017
ms.date: 05/09/2023
ms.technology: itpro-updates
ms.collection: tier3
---
@ -18,7 +18,7 @@ ms.collection: tier3
- Windows 10
- Windows 11
This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes. The creation and provisioning of your cache node takes place in Azure portal. The deployment of your cache node will require downloading an installer script that will be run on your cache server.
This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes. The creation and provisioning of your cache node takes place in Azure portal. The deployment of your cache node requires downloading an installer script that will be run on your cache server.
> [!IMPORTANT]
> Before you can create your Microsoft Connected Cache, you will need to complete the [sign up process](mcc-isp-signup.md). You cannot proceed without signing up for our service.
@ -37,7 +37,7 @@ During the configuration of your cache node, there are many fields for you to co
### Client routing
Before serving traffic to your customers, client routing configuration is needed. During the configuration of your cache node in Azure portal, you'll be able to route your clients to your cache node.
Before serving traffic to your customers, client routing configuration is needed. During the configuration of your cache node in Azure portal, you're able to route your clients to your cache node.
Microsoft Connected Cache offers two ways for you to route your clients to your cache node. The first method of manual entry involves uploading a comma-separated list of CIDR blocks that represents the clients. The second method of setting BGP (Border Gateway Protocol) is more automatic and dynamic, which is set up by establishing neighborships with other ASNs. All routing methods are set up within Azure portal.
@ -53,6 +53,23 @@ You can manually upload a list of your CIDR blocks in Azure portal to enable man
BGP (Border Gateway Protocol) routing is another method offered for client routing. BGP dynamically retrieves CIDR ranges by exchanging information with routers to understand reachable networks. For an automatic method of routing traffic, you can choose to configure BGP routing in Azure portal.
Microsoft Connected Cache includes Bird BGP, which enables the cache node to:
- Establish iBGP peering sessions with routers, route servers, or route collectors within operator networks
- Act as a route collector
The operator starts the iBGP peering session from the Microsoft Connected Cache side using the Azure management portal and then starts the session with the Microsoft Connected Cache node from the router.
In the example configuration below:
- The operator ASN is 65100
- The ASN of the Microsoft Connected Cache cache node is 65100 and the IP address is 192.168.8.99
- iBGP peering sessions are established from the portal for ASNs 65100, 65200, and 65300.
:::image type="content" source="images/mcc-isp-bgp-route.png" alt-text="Screenshot of a table entitled BGP route information showing how each ASN corresponds to a specific IP address." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::
:::image type="content" source="images/mcc-isp-bgp-diagram.png" alt-text="A diagram that shows the relationship between the cache node and other ASNs/routers when using BGP. BGP routing allows the cache node to route to other network providers with different ASNs." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::
To set up and enable BGP routing for your cache node, follow the steps below:
1. Navigate to **Settings** > **Cache nodes**. Select the cache node you wish to provision.
:::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::
@ -101,6 +118,9 @@ There are five IDs that the device provisioning script takes as input in order t
#### Provision your server
> [!IMPORTANT]
> Have you correctly mounted your disk? Your MCC will not be successfully installed without this important step. Before provisioning your server, ensure your disk is correctly mounted by following the instructions here: [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
:::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal.":::
1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server.

2
windows/deployment/do/mcc-isp-faq.yml
View File

@ -85,6 +85,8 @@ sections:
answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic.
- question: I signed up for Microsoft Connected Cache, but I'm not receiving the verification email. What should I do?
answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender "microsoft-noreply@microsoft.com".
- question: I noticed I can set up BGP for routing. How does BGP routing work for Microsoft Connected Cache?
answer: BGP routing can be set up as an automatic method of routing traffic. To learn more about how BGP is used with Microsoft Connected Cache, see [BGP Routing](mcc-isp-create-provision-deploy.md#bgp-routing).
- question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned?
answer: Even when the quota of 8k messages is hit, the MCC functionality won't be affected. Your client devices will continue to download content as normal. You'll also not be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the early preview and isn't an issue during public preview.
- question: What do I do if I need more support and have more questions even after reading this FAQ page?

40
windows/deployment/do/mcc-isp-overview.md Normal file
View File

@ -0,0 +1,40 @@
---
title: MCC for ISPs Overview
manager: aaroncz
description: Overview for Microsoft Connected Cache for ISPs
ms.prod: windows-client
author: amymzhou
ms.author: amyzhou
ms.topic: article
ms.date: 05/09/2023
ms.technology: itpro-updates
ms.collection: tier3
---
# Microsoft Connected Cache for ISPs Overview
**Applies to**
- Windows 10
- Windows 11
Microsoft Connected Cache (MCC) for Internet Service Providers (preview) is a software-only caching solution that delivers Microsoft content. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
## Supported scenarios
Microsoft Connected Cache (preview) supports the following scenarios:
- Internet service provider that provides content downloads for end customers
- Network service providers that provide transit for other service providers
## Supported content
Microsoft Connected Cache uses Delivery Optimization as the backbone for Microsoft content delivery. Microsoft Connected Cache caches the following types:
- Windows Update for Business: Windows feature and quality updates
- Office Click-to-Run apps: Microsoft 365 Apps and updates
- Client apps: Microsoft Store apps and updates
- Endpoint protection: Windows Defender definition updates
- Xbox: Xbox Game Pass (PC only)
For the full list of content endpoints that Microsoft Connected Cache for ISPs supports, see [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md).

2
windows/deployment/do/mcc-isp-signup.md
View File

@ -21,7 +21,7 @@ ms.collection: tier3
This article details the process of signing up for Microsoft Connected Cache for Internet Service Providers (public preview).
> [!NOTE]
> Microsoft Connected Cache is now in public review. Instead of submitting a survey, you can directly onboard by following the instructions in this article.
> Microsoft Connected Cache is now in public preview. Instead of submitting a survey, you can directly onboard by following the instructions in this article.
## Prerequisites

43
windows/deployment/do/waas-microsoft-connected-cache.md
View File

@ -8,11 +8,11 @@ ms.localizationpriority: medium
ms.author: carmenf
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 05/09/2023
ms.collection: tier3
---
# Microsoft Connected Cache overview
# What is Microsoft Connected Cache?
**Applies to**
@ -31,47 +31,20 @@ Both products are created and managed in the cloud portal.
## Microsoft Connected Cache for ISPs (preview)
> [!NOTE]
> Microsoft Connected Cache for Internet Service Providers is now in public preview. Instead of submitting a survey, you can directly onboard by following the instructions in the [Operator sign up and service onboarding](mcc-isp-signup.md) article.
> Microsoft Connected Cache for Internet Service Providers is now in public preview. To onboard, follow the instructions in the [Operator sign up and service onboarding](mcc-isp-signup.md) article.
Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. Learn more at [Microsoft Connected Cache for ISPs Overview](mcc-isp-overview.md).
## Microsoft Connected Cache for Enterprise and Education (early preview)
> [!NOTE]
> We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. Learn more at [Microsoft Connected Cache for Enterprise and Education Overview](mcc-ent-edu-overview.md).
MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. Its built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS.
## IoT Edge
Both of Microsoft Connected Cache product offerings use Azure IoT Edge. Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
1. Installs and updates MCC on your edge device.
1. Maintains Azure IoT Edge security standards on your edge device.
1. Ensures that MCC is always running.
1. Reports MCC health and usage to the cloud for remote monitoring.
To deploy a functional MCC to your device, you must obtain the necessary keys to provision the Connected Cache instance that communicates with Delivery Optimization services, and enable the device to cache and deliver content. The architecture of MCC is described below.
For more information on Azure IoT Edge, see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge).
## How MCC Works
1. The Azure Management Portal is used to create MCC nodes.
1. The MCC container is deployed and provisioned to the server using the installer provided in the portal.
1. Client policy is set in your management solution to point to the IP address or FQDN of the cache server.
1. Microsoft end-user devices make range requests for content from the MCC node.
1. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
1. Subsequent requests from end-user devices for content will now come from cache.
1. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers.
The following diagram displays and overview of how MCC functions:
:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png":::
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. For Microsoft Connected Cache in Configuration Manager (generally available starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache)
## Next steps
- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md)
- [Microsoft Connected Cache for ISPs](mcc-isp-signup.md)
- [Microsoft Connected Cache for ISPs Overview](mcc-isp-overview.md)
- [Microsoft Connected Cache for Enterprise and Education Overview](mcc-ent-edu-overview.md)

2
windows/deployment/update/WIP4Biz-intro.md
View File

@ -44,7 +44,7 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op
|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.|
|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. |
|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)<br> - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications<br> - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. |
|Feedback | - This helps us make adjustments to features as quickly as possible.<br> - Encourage users to sign into the Feedback Hub using their Azure Active Directory work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organizations domain.)<br> - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) |
|Feedback | - This helps us make adjustments to features as quickly as possible.<br> - Encourage users to sign into the Feedback Hub using their Azure Active Directory work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organizations domain.)<br> - [Learn how to provide effective feedback in the Feedback Hub](/windows-insider/feedback) |
## Validate Insider Preview builds
Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. Early validation has several benefits:

2
windows/deployment/update/eval-infra-tools.md
View File

@ -45,7 +45,7 @@ Keep security baselines current to help ensure that your environment is secure a
There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately.
- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591).
- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593).
- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.

36
windows/deployment/update/media-dynamic-update.md
View File

@ -8,7 +8,7 @@ ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 05/09/2023
ms.reviewer: stevedia
---
@ -77,6 +77,7 @@ This table shows the correct sequence for applying the various tasks to the file
|Add Safe OS Dynamic Update | 6 | | |
|Add Setup Dynamic Update | | | | 26
|Add setup.exe from WinPE | | | | 27
|Add boot manager from WinPE | | | | 28
|Add latest cumulative update | | 15 | 21 |
|Clean up the image | 7 | 16 | 22 |
|Add Optional Components | | | 23 |
@ -300,7 +301,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim
### Update WinPE
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries are not identical, Windows Setup will fail during installation. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries are not identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
```powershell
#
@ -416,9 +417,15 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
Write-Output "$(Get-TS): Performing image cleanup on WinPE"
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# If second image, save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
if ($IMAGE.ImageIndex -eq "2") {
# Save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null
# Save serviced boot manager files later copy to the root media.
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgfw.efi" -Destination $WORKING_PATH"\bootmgfw.efi" -Force -ErrorAction stop | Out-Null
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgr.efi" -Destination $WORKING_PATH"\bootmgr.efi" -Force -ErrorAction stop | Out-Null
}
# Dismount
@ -532,7 +539,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc
### Update remaining media files
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe using the previously saved version from WinPE.
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe and boot manager files using the previously saved versions from WinPE.
```powershell
#
@ -544,8 +551,29 @@ Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH"
cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null
# Copy setup.exe from boot.wim, saved earlier.
Write-Output "$(Get-TS): Copying $WORKING_PATH\setup.exe to $MEDIA_NEW_PATH\sources\setup.exe"
Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null
# Copy bootmgr files from boot.wim, saved earlier.
$MEDIA_NEW_FILES = Get-ChildItem $MEDIA_NEW_PATH -Force -Recurse -Filter b*.efi
Foreach ($File in $MEDIA_NEW_FILES){
if (($File.Name -ieq "bootmgfw.efi") -or `
($File.Name -ieq "bootx64.efi") -or `
($File.Name -ieq "bootia32.efi") -or `
($File.Name -ieq "bootaa64.efi"))
{
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgfw.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgfw.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
elseif ($File.Name -ieq "bootmgr.efi")
{
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgr.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgr.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
}
```
### Finish up

6
windows/deployment/update/waas-servicing-channels-windows-10-updates.md
View File

@ -48,10 +48,10 @@ The General Availability Channel is the default servicing channel for all Window
To get started with the Windows Insider Program for Business, follows these steps:
1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/insidersigninaad/).
2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally.</br>**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain.
1. On the [Windows Insider](https://www.microsoft.com/windowsinsider/for-business) website, select **Register** to register your organizational Azure AD account.
2. Follow the prompts to register your tenant.</br>**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register.
3. Make sure the **Allow Telemetry** setting is set to **2** or higher.
4. For Windows 10, version 1709 or later, set policies to manage preview builds and their delivery:
4. For Windows devices, set policies to manage preview builds and their delivery:
The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*

1
windows/deployment/upgrade/windows-10-edition-upgrades.md
View File

@ -22,7 +22,6 @@ ms.date: 10/28/2022
With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page.
For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf).
The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.

2
windows/deployment/volume-activation/volume-activation-windows-10.md
View File

@ -27,7 +27,7 @@ ms.technology: itpro-fundamentals
> [!TIP]
> Are you looking for volume licensing information?
>
> - [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104)
> - [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://www.microsoft.com/download/details.aspx?id=11091)
> [!TIP]
> Are you looking for information on retail activation?

4
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
View File

@ -67,7 +67,7 @@ To configure Windows Hello for Business using an account protection policy:
1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available.
- These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**.
- For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business).
1. Under **Enable to certificate for on-premises resources**, select **Disabled** and multiple policies become available.
1. Under **Enable to certificate for on-premises resources**, select **Not configured**
1. Select **Next**.
1. Optionally, add **scope tags** and select **Next**.
1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**.
@ -138,7 +138,7 @@ You can configure Windows Hello for Business cloud Kerberos trust using a Group
---
> [!IMPORTANT]
> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured** or **disabled**.
> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured**.
## Provision Windows Hello for Business

60
windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
View File

@ -13,7 +13,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
ms.date: 03/24/2023
ms.date: 05/09/2023
ms.technology: itpro-security
ms.topic: article
---
@ -62,35 +62,35 @@ Represents why verification failed, or if it succeeded.
| VerificationError Value | Explanation |
|---|----------|
| 0 | Successfully verified signature |
| 1 | File has an invalid hash |
| 2 | File contains shared writable sections |
| 3 | File isn't signed|
| 4 | Revoked signature |
| 5 | Expired signature |
| 6 | File is signed using a weak hashing algorithm, which doesn't meet the minimum policy |
| 7 | Invalid root certificate |
| 8 | Signature was unable to be validated; generic error |
| 9 | Signing time not trusted |
| 10 | The file must be signed using page hashes for this scenario |
| 11 | Page hash mismatch |
| 12 | Not valid for a PPL (Protected Process Light) |
| 13 | Not valid for a PP (Protected Process) |
| 14 | The signature is missing the required ARM processor EKU |
| 15 | Failed WHQL check |
| 16 | Default policy signing level not met |
| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs |
| 18 | Custom signing level not met; returned if signature fails to match `CISigners` in UMCI |
| 19 | Binary is revoked based on its file hash |
| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy |
| 21 | Failed to pass Windows Defender Application Control policy |
| 22 | Not Isolated User Mode (IUM)) signed; indicates an attempt to load a non-trustlet binary into a trustlet |
| 23 | Invalid image hash |
| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS |
| 25 | Anti-cheat policy violation |
| 26 | Explicitly denied by WADC policy |
| 27 | The signing chain appears to be tampered/invalid |
| 28 | Resource page hash mismatch |
| 0 | Successfully verified signature. |
| 1 | File has an invalid hash. |
| 2 | File contains shared writable sections. |
| 3 | File isn't signed. |
| 4 | Revoked signature. |
| 5 | Expired signature. |
| 6 | File is signed using a weak hashing algorithm, which doesn't meet the minimum policy. |
| 7 | Invalid root certificate. |
| 8 | Signature was unable to be validated; generic error. |
| 9 | Signing time not trusted. |
| 10 | The file must be signed using page hashes for this scenario. |
| 11 | Page hash mismatch. |
| 12 | Not valid for a PPL (Protected Process Light). |
| 13 | Not valid for a PP (Protected Process). |
| 14 | The signature is missing the required ARM processor EKU. |
| 15 | Failed WHQL check. |
| 16 | Default policy signing level not met. |
| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs. |
| 18 | Custom signing level not met; returned if signature fails to match `CISigners` in UMCI. |
| 19 | Binary is revoked based on its file hash. |
| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy. |
| 21 | Failed to pass Windows Defender Application Control policy. |
| 22 | Not Isolated User Mode (IUM)) signed; indicates an attempt to load a standard Windows binary into a virtualization-based security (VBS) trustlet. |
| 23 | Invalid image hash. This error can indicate file corruption or a problem with the file's signature. Signatures using elliptic curve cryptography (ECC), such as ECDSA, return this VerificationError. |
| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS. |
| 25 | Anti-cheat policy violation. |
| 26 | Explicitly denied by WADC policy. |
| 27 | The signing chain appears to be tampered/invalid. |
| 28 | Resource page hash mismatch. |
## Policy activation event Options

10
windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
View File

@ -9,7 +9,7 @@ ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: aaroncz
ms.date: 04/04/2023
ms.date: 05/09/2023
ms.technology: itpro-security
ms.topic: article
ms.localizationpriority: medium
@ -51,7 +51,7 @@ When the WDAC engine evaluates files against the active set of policies on the d
1. Explicit deny rules - if any explicit deny rule exists for the file, it's blocked even if other rules are created to try to allow it. Deny rules can use any [rule level](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend.
2. Explicit allow rules - if any explicit allow rul exists for the file, it's allowed by the policy.
2. Explicit allow rules - if any explicit allow rule exists for the file, the file runs.
3. WDAC then checks for the [Managed Installer extended attribute (EA)](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer) or the [Intelligent Security Graph (ISG) EA](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) on the file. If either EA exists and the policy enables the corresponding option, then the file is allowed.
@ -71,7 +71,11 @@ When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when
### .NET native images may generate false positive block events
In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window.
### Signatures using elliptical curve cryptography (ECC) aren't supported
WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If you try to allow files by signature based on ECC signatures, you'll see VerificationError = 23 on the corresponding 3089 signature information events. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA.
### MSI installers are treated as user writeable on Windows 10 when allowed by FilePath rule

11
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -13,7 +13,7 @@ author: jgeurten
ms.reviewer: jsuther1974
ms.author: vinpa
manager: aaroncz
ms.date: 04/05/2023
ms.date: 05/09/2023
ms.technology: itpro-security
ms.topic: article
---
@ -48,7 +48,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **1 Enabled:Boot Menu Protection** | This option isn't currently supported. | No |
| **2 Required:WHQL** | By default, kernel drivers that aren't Windows Hardware Quality Labs (WHQL) signed are allowed to run. Enabling this rule requires that every driver is WHQL signed and removes legacy driver support. Kernel drivers built for Windows 10 should be WHQL certified. | No |
| **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked, if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No |
| **4 Disabled:Flight Signing** | If enabled, binaries from Windows Insider builds aren't trusted. This option is useful for organizations that only want to run released binaries, not pre-release Windows builds. | No |
| **4 Disabled:Flight Signing** | If enabled, binaries from Windows Insider builds aren't trusted. This option is useful for organizations that only want to run released binaries, not prerelease Windows builds. | No |
| **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes |
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | Yes |
| **7 Allowed:Debug Policy Augmented** | This option isn't currently supported. | Yes |
@ -72,6 +72,9 @@ File rule levels allow administrators to specify the level at which they want to
Each file rule level has advantages and disadvantages. Use Table 2 to select the appropriate protection level for your available administrative resources and WDAC deployment scenario.
> [!NOTE]
> WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If you try to allow files by signature based on ECC signatures, you'll see VerificationError = 23 on the corresponding 3089 signature information events. Files can be allowed instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA.
### Table 2. Windows Defender Application Control policy - file rule levels
| Rule level | Description |
@ -82,7 +85,7 @@ Each file rule level has advantages and disadvantages. Use Table 2 to select the
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
| **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). |
| **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. |
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root because the scan doesn't resolve the complete certificate chain via the local root stores or with an online check. |
| **RootCertificate** | Not supported. |
| **WHQL** | Only trusts binaries that have been submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. |
@ -175,7 +178,7 @@ The Authenticode/PE image hash can be calculated for digitally signed and unsign
The PowerShell cmdlet produces an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
During validation, WDAC selects which hashes are calculated based on how the file is signed and the scenario in which the file is used. For example, if the file is page-hash signed, WDAC validates each page of the file and avoids loading the entire file in memory to calculate the full sha256 authenticode hash.
In the cmdlets, rather than try to predict which hash will be used, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient to changes in how the file is signed since your WDAC policy has more than one hash available for the file already.
In the cmdlets, rather than try to predict which hash will be used, we precalculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient to changes in how the file is signed since your WDAC policy has more than one hash available for the file already.
### Why does scan create eight hash rules for certain XML files?