deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-28 08:43:45 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into dh-servicing-sandbox

Browse Source
This commit is contained in:
Dani Halfin
2017-02-22 14:28:19 -08:00
parent 8d17f3496b 53ae5a0ea1
commit 6ef65f4239
29 changed files with 121 additions and 200 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
View File

@ -29,7 +29,7 @@ If you're having trouble deciding whether Microsoft Edge is good for your organi
![Microsoft Edge infographic](images/microsoft-edge-infographic-sm.png)<br>
[Click to enlarge](img-microsoft-edge-infographic-lg.md)<br>
[Click to download image](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
[Click to download image](https://www.microsoft.com/download/details.aspx?id=53892)
### Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
@ -50,10 +50,10 @@ IE11 offers enterprises additional security, manageability, performance, backwar
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
## Related topics
- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=53892)
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx)
- [Download Internet Explorer 11](http://windows.microsoft.com/internet-explorer/download-ie)
- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index)
- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/itpro/internet-explorer/ie11-ieak/index)
- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)

2
education/windows/change-history-edu.md
View File

@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
author: jdeckerMS
author: CelesteDG
---
# Change history for Windows 10 for Education

2
education/windows/get-minecraft-for-education.md
View File

@ -5,7 +5,7 @@ keywords: school
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
author: jdeckerMS
author: trudyha
---
# Get Minecraft: Education Edition

2
education/windows/school-get-minecraft.md
View File

@ -5,7 +5,7 @@ keywords: ["school"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
author: jdeckerMS
author: trudyha
---
# For IT administrators - get Minecraft: Education Edition

2
education/windows/set-up-school-pcs-technical.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: jdeckerMS
author: CelesteDG
---
# Technical reference for the Set up School PCs app

2
education/windows/set-up-students-pcs-to-join-domain.md
View File

@ -5,7 +5,7 @@ keywords: ["shared cart", "shared PC", "school"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
author: jdeckerMS
author: CelesteDG
---
# Set up student PCs to join domain

2
education/windows/set-up-students-pcs-with-apps.md
View File

@ -5,7 +5,7 @@ keywords: ["shared cart", "shared PC", "school"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
author: jdeckerMS
author: CelesteDG
---
# Provision student PCs with apps

2
education/windows/set-up-windows-10.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: jdeckerMS
author: CelesteDG
---
# Provisioning options for Windows 10

2
education/windows/take-a-test-app-technical.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: jdeckerMS
author: CelesteDG
---
# Take a Test app technical reference

2
education/windows/take-a-test-multiple-pcs.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: jdeckerMS
author: CelesteDG
---
# Set up Take a Test on multiple PCs

2
education/windows/take-a-test-single-pc.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: jdeckerMS
author: CelesteDG
---
# Set up Take a Test on a single PC

2
education/windows/take-tests-in-windows-10.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: jdeckerMS
author: CelesteDG
---
# Take tests in Windows 10

2
education/windows/teacher-get-minecraft.md
View File

@ -5,7 +5,7 @@ keywords: ["school"]
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
author: jdeckerMS
author: trudyha
---
# For teachers - get Minecraft: Education Edition

2
education/windows/use-set-up-school-pcs-app.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: jdeckerMS
author: CelesteDG
---
# Use the Set up School PCs app

15
windows/keep-secure/credential-guard.md
View File

@ -98,7 +98,7 @@ The following tables provide more information about the hardware, firmware, and
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br><br>**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
> [!IMPORTANT]
> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide.
@ -126,11 +126,14 @@ The following tables provide more information about the hardware, firmware, and
<br>
#### 2017 Additional Security Recommendations (starting with the next major release of Windows 10)
#### 2017 Additional security requirements starting with Windows 10, version 1703
The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements.
| Protection for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>- VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>- UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;- PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>- This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>- This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>- Do not use sections that are both writeable and exceutable<br>- Do not attempt to directly modify executable system memory<br>- Do not use dynamic code<br><br>**Security benefits**:<br>- Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
## Manage Credential Guard
@ -211,7 +214,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot
DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
```
#### Credential Guard deployment in virtual machines
@ -280,7 +283,7 @@ For more info on virtualization-based security and Device Guard, see [Device Gua
You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot
DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
```
 
### Check that Credential Guard is running
@ -298,7 +301,7 @@ You can use System Information to ensure that Credential Guard is running on a P
You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v2.0.ps1 -Ready
DG_Readiness_Tool_v3.0.ps1 -Ready
```
## Considerations when using Credential Guard

10
windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md
View File

@ -14,7 +14,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see:
Code integrity policies provide control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of code integrity, see:
- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) in "Introduction to Device Guard: virtualization-based security and code integrity policies."
- [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Device Guard."
@ -23,7 +23,7 @@ If you already understand the basics of code integrity policy and want procedure
This topic includes the following sections:
- [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics.
- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy.
- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a code integrity policy.
- [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted.
- [Example of file rule levels in use](#example-of-file-rule-levels-in-use): Gives an example of how file rule levels can be applied.
@ -31,7 +31,7 @@ This topic includes the following sections:
A common system imaging practice in todays IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
> **Note**&nbsp;&nbsp;Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies.
> **Note**&nbsp;&nbsp;Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **&lt;EFI System Partition&gt;\\Microsoft\\Boot**. Keep this in mind when you create your code integrity policies.
Optionally, code integrity policies can align with your software catalog as well as any IT departmentapproved applications. One straightforward method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computers role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
@ -43,10 +43,12 @@ Code integrity policies include *policy rules*, which control options such as au
To modify the policy rule options of an existing code integrity policy, use the [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing code integrity policy:
- To enable UMCI, add rule option 0 to an existing policy by running the following command:
- To ensure that UMCI is enabled for a code integrity policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
` Set-RuleOption -FilePath <Path to policy> -Option 0`
Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option.
- To disable UMCI on an existing code integrity policy, delete rule option 0 by running the following command:
` Set-RuleOption -FilePath <Path to policy> -Option 0 -Delete`

8
windows/keep-secure/deploy-code-integrity-policies-steps.md
View File

@ -38,11 +38,11 @@ To create a code integrity policy, copy each of the following commands into an e
> **Notes**
> - By specifying the *UserPEs* parameter, rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. If you do not specify this parameter, to enable UMCI, use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) as shown in the following command:<br>**Set-RuleOption -FilePath $InitialCIPolicy -Option 0**
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
> - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.”
> - You can add the *Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.”
> - To specify that the code integrity policy scan only a specific drive, include the *ScanPath* parameter followed by a path. Without this parameter, the entire system is scanned.
> - To specify that the code integrity policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
> - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.

8
windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
View File

@ -33,7 +33,7 @@ In addition to the hardware requirements found in [Hardware, firmware, and softw
- With Windows 10, version 1607 or Windows Server 2016:<br>
Hyper-V Hypervisor, which is enabled automatically. No further action is needed.
- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:<br>
- With an earlier version of Windows 10:<br>
Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).
> **Note**&nbsp;&nbsp;You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box.
@ -91,7 +91,7 @@ There are multiple ways to configure VBS features for Device Guard:
- With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:<br>For an initial deployment or test deployment, we recommend **Enabled without lock**.<br>When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
- With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:<br>Select the **Enable Virtualization Based Protection of Code Integrity** check box.
- With earlier versions of Windows 10:<br>Select the **Enable Virtualization Based Protection of Code Integrity** check box.
![Group Policy, Turn On Virtualization Based Security](images/dg-fig7-enablevbsofkmci.png)
@ -183,7 +183,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
```
If you want to customize the preceding recommended settings, use the following settings.
@ -211,7 +211,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforc
**To enable virtualization-based protection of Code Integrity policies without UEFI lock**
``` command
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
```
### Validate enabled Device Guard hardware-based security features

2
windows/keep-secure/hello-identity-verification.md
View File

@ -115,8 +115,6 @@ Windows Hello for Business can use either keys (hardware or software) or certifi
[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778)
[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928)
## Related topics
- [How Windows Hello for Business works](hello-how-it-works.md)

2
windows/keep-secure/hello-why-pin-is-better-than-password.md
View File

@ -32,7 +32,7 @@ A password is transmitted to the server -- it can be intercepted in transmission
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
>[!NOTE]
>For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928).
>For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-identity-verification.md#benefits-of-windows-hello).
 
## PIN is backed by hardware

22
windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
View File

@ -43,18 +43,18 @@ The following tables provide more information about the hardware, firmware, and
> **Notes**
> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
> - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
> - Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
## Device Guard requirements for baseline protections
|Baseline Protections - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | **Requirements**: These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>- VT-x (Intel) or<br>- AMD-V<br>And:<br>- Extended page tables, also called Second Level Address Translation (SLAT).<br><br>**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | **Requirements**: These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>- VT-x (Intel) or<br>- AMD-V<br>And:<br>- Extended page tables, also called Second Level Address Translation (SLAT).<br><br>**Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).<br><br>**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
> **Important**&nbsp;&nbsp;The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
@ -62,7 +62,7 @@ The following tables provide more information about the hardware, firmware, and
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
### Additional Qualification Requirements starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
@ -70,24 +70,26 @@ The following tables describes additional hardware and firmware requirements, an
<br>
### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016)
### Additional Qualification Requirements starting with Windows 10, version 1607, and Windows Server 2016
> **Important**&nbsp;&nbsp;The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:<br>Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)<br>- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).<br><br>**Security benefits**:<br>- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>- HSTI provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:<br>Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)<br>- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx). <br><br>**Security benefits**:<br>- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>- HSTI provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.<br><br>**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.<br><br>**Security benefits**:<br>- Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
<br>
### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017)
#### Additional Qualification Requirements starting with Windows 10, version 1703
| Protections for Improved Security - requirement | Description |
The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements.
| Protection for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
| Firmware: **UEFI NX Protections** | **Requirements**:<br>- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.<br><br>UEFI Runtime Services:<br>- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.<br>- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.<br>- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>- VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>- UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;- PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>- This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>- This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>- Do not use sections that are both writeable and exceutable<br>- Do not attempt to directly modify executable system memory<br>- Do not use dynamic code<br><br>**Security benefits**:<br>- Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
## Device Guard deployment in different scenarios: types of devices

2
windows/manage/TOC.md
View File

@ -162,6 +162,7 @@
### [Troubleshooting App-V](appv-troubleshooting.md)
### [Technical Reference for App-V](appv-technical-reference.md)
#### [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
#### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
#### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md)
@ -221,4 +222,5 @@
#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
## [Windows Libraries](windows-libraries.md)
## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)

3
windows/manage/change-history-for-manage-and-update-windows-10.md
View File

@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| New or changed topic | Description |
| --- | --- |
| [Windows Libraries](windows-libraries.md) | New |
| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New |
| [Get started with Update Compliance](update-compliance-get-started.md) | New |
| [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New |
@ -185,4 +186,4 @@ The topics in this library have been updated for Windows 10, version 1607 (also
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
 
 

2
windows/manage/cortana-at-work-o365.md
View File

@ -57,7 +57,7 @@ Cortana can only access data in your Office 365 org when its turned on. If yo
**To turn off Cortana with Office 365**
1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account.
2. Go to the [Office 365 admin center](https://support.office.com/en-us/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547).
2. Go to the [Office 365 admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547).
3. Expand **Service Settings**, and select **Cortana**.

2
windows/manage/cortana-at-work-overview.md
View File

@ -59,6 +59,6 @@ Cortana is covered under the [Microsoft Privacy Statement](https://privacy.micro
- [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384)
- [Known issues for Windows Desktop Search and Cortana in Windows 10](http://support.microsoft.com/kb/3206883/EN-US)
- [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10)
- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)

4
windows/manage/cortana-at-work-powerbi.md
View File

@ -19,7 +19,7 @@ localizationpriority: high
Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
>[!Note]
>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/).
>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
## Before you begin
To use this walkthrough, youll need:
@ -135,4 +135,4 @@ Now that youve set up your device, you can use Cortana to show your info from
![Cortana at work, showing your custom report from Power BI](images/cortana-powerbi-myreport.png)
>[!NOTE]
>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/).
>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).

6
windows/manage/cortana-at-work-voice-commands.md
View File

@ -19,7 +19,7 @@ localizationpriority: high
Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
>[!NOTE]
>For more info about how your developer can extend your current apps to work directly with Cortana, see [Cortana interactions in UWP apps](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/cortana-interactions).
>For more info about how your developer can extend your current apps to work directly with Cortana, see [The Cortana Skills Kit](https://docs.microsoft.com/cortana/getstarted).
## High-level process
Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
@ -30,9 +30,9 @@ To enable voice commands in Cortana
Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, its best for that to happen in the foreground. However, if the app only uses basic commands and doesnt require interaction, it can happen in the background.
- **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-foreground-app-with-voice-commands-in-cortana).
- **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana).
- **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-background-app-with-voice-commands-in-cortana).
- **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana).
2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.

4
windows/manage/index.md
View File

@ -72,6 +72,10 @@ Learn about managing and updating Windows 10.
<td align="left"><p>[Windows Store for Business](windows-store-for-business.md)</p></td>
<td align="left"><p>Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Windows Libraries](windows-libraries.md)</p></td>
<td align="left"><p>Libraries are virtual containers for users content. A library can contain files and folders stored on the local computer or in a remote storage location. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)</p></td>
<td align="left"><p>This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).</p></td>

193
windows/manage/waas-delivery-optimization.md
View File

@ -32,14 +32,48 @@ By default in Windows 10 Enterprise and Education, Delivery Optimization allows
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
- Group Policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization
- MDM: .Vendor/MSFT/Policy/Config/DeliveryOptimization
You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
Several Delivery Optimization features are configurable.
Several Delivery Optimization features are configurable:
<span id="download-mode"/>
| Group Policy setting | MDM setting |
| --- | --- |
| [Download mode](#download-mode) | DODownloadMode |
| [Group ID](#group-id) | DOGroupID |
| [Max Cache Age](#max-cache-age) | DOMaxCacheAge |
| [Max Cache Size](#max-cache-size) | DOMaxCacheSize |
| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize |
| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive |
| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth |
| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth |
| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth |
| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap |
| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS |
### Download mode (DODownloadMode)
When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates.
While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior.
[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group.
Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the settings below to adjust the Delivery Optimization cache to suit your scenario:
- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use.
- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache.
- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location.
>[!NOTE]
>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
There are additional options available to robustly control the impact Delivery Optimization has on your network:
- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization.
- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month.
- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
Provided below is a detailed description of every configurable feature setting. Use these details when configuring any of the above settings.
### Download mode
Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do.
@ -55,176 +89,51 @@ Download mode dictates which download sources clients are allowed to use when do
>[!NOTE]
>Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
### Group ID (DOGroupID)
### Group ID
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
>[!NOTE]
>This configuration is optional and not required for most implementations of Delivery Optimization.
### Max Cache Age (DOMaxCacheAge)
### Max Cache Age
In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
### Max Cache Size (DOMaxCacheSize)
### Max Cache Size
This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
### Absolute Max Cache Size (DOAbsoluteMaxCacheSize)
### Absolute Max Cache Size
This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB.
### Maximum Download Bandwidth (DOMaxDownloadBandwidth)
### Maximum Download Bandwidth
This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
### Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
### Percentage of Maximum Download Bandwidth
This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
### Max Upload Bandwidth (DOMaxUploadBandwidth)
### Max Upload Bandwidth
This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
### Minimum Background QoS (DOMinBackgroundQoS)
### Minimum Background QoS
This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
### Modify Cache Drive (DOModifyCacheDrive)
### Modify Cache Drive
This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache).
### Monthly Upload Data Cap (DOMonthlyUploadDataCap)
### Monthly Upload Data Cap
This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
## Delivery Optimization configuration examples
Delivery Optimization can be configured in various ways, leveraging the policies described in the previous section. The following samples describe some common scenarios that organizations may want to set up, given specific scenarios in use for their organization.
### Use Delivery Optimzation with group download mode
Delivery Optimization by default will consider all PCs in an organizations as peers for sharing content, even those that might be located across a slower WAN link. Group download mode is designed to help with this by limiting the PCs that can be used. In Windows 10, version 1511, group download mode considers PCs in the same domain and with the same configured Group ID to be eligible peers. In Windows 10, version 1607, the default behavior also adds the PC's AD DS site into the grouping determination.
**To use Group Policy to configure Delivery Optimization for group download mode**
1. Open Group Policy Management Console (GPMC).
2. Expand Forest\Domains\\*Your_Domain*.
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization Group**.
5. Right-click the **Delivery Optimization Group** GPO, and then click **Edit**.
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
7. Right-click the **Download Mode** setting, and then click **Edit**.
8. Enable the policy, and then select the **Group** download mode.
9. Right-click the **GroupID** setting, and then click **Edit**. Enable the policy, and then specify a unique GUID for each group of PCs. (This is not required for Windows 10, version 1607, since the AD site code will be used to group devices automatically.)
10. Click **OK**, and then close the Group Policy Management Editor.
11. In GPMC, select the **Delivery Optimization Group** policy.
12. On the **Scope** tab, under **Security Filtering**, configure the policy to be targeted to an approprite computer group.
**To use Intune to configure Delivery Optimization for group download mode**
1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
5. In **Setting name**, type **Set Delivery Optimization to Group**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode**.
7. In the **Value** box, type **2**, and then click **OK**.
>[!NOTE]
>The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
8. Click **Save Policy**.
9. In the **Deploy Policy: Windows Update for Business CBB1** dialog box, click **Yes**.
>[!NOTE]
>If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
10. In the **Manage Deployment** dialog box, select the **All Computers** group, click **Add**, and then click **OK**.
### Use WSUS and BranchCache with Windows 10, version 1511
In Windows 10, version 1511, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **HTTP only** download mode, which results in Background Intelligent Transfer Service (BITS) being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
**To use Group Policy to configure HTTP only download mode**
1. Open Group Policy Management Console (GPMC).
2. Expand Forest\Domains\\*Your_Domain*.
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization HTTP Only**.
5. Right-click the **Delivery Optimization HTTP Only** GPO, and then click **Edit**.
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
7. Right-click the **Download Mode** setting, and then click **Edit**.
8. Enable the policy, and then select the **HTTP only** download mode.
9. Click **OK**, and then close the Group Policy Management Editor.
10. In GPMC, select the **Delivery Optimization HTTP Only** policy.
11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, browse to the **Domain Computers** group, and then click **OK**.
![example of UI](images/waas-do-fig4.png)
>[!NOTE]
>This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
### Use WSUS and BranchCache with Windows 10, version 1607
In Windows 10, version 1607, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **Bypass** download mode (new in Windows 10, version 1607), which results in BITS being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
**To use Group Policy to enable the Bypass download mode**
1. Open Group Policy Management Console (GPMC).
2. Expand Forest\Domains\\*Your_Domain*.
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization Bypass**.
5. Right-click the **Delivery Optimization Bypass** GPO, and then click **Edit**.
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
7. Right-click the **Download Mode** setting, and then click **Edit**.
8. Enable the policy, and then select the **Bypass** download mode. (Note that this download mode is only present in the Windows 10, version 1607, Group Policy ADMX files.)
9. Click **OK**, and then close the Group Policy Management Editor.
10. In GPMC, select the **Delivery Optimization Bypass** policy.
11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, select the **Domain Computers** group, and then click **OK**.
>[!NOTE]
>This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
### Set “preferred” cache devices for Delivery Optimization
<span id="set-preferred-cache-devices"/>
## Set “preferred” cache devices for Delivery Optimization
In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devicess configuration (Delivery Optimization only caches content relative to the client downloading the content).