deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 02:13:43 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'rs2' of https://github.com/Microsoft/win-cpub-itpro-docs into rs2

Browse Source
This commit is contained in:
jdeckerMS
2017-03-21 08:16:16 -07:00
parent f87357d615 0a44e0c525
commit 6f0a1f7f59
5 changed files with 186 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/update/images/waas-wufb-settings-branch.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/update/images/waas-wufb-settings-defer.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

110
windows/update/waas-configure-wufb.md
View File

@ -18,7 +18,7 @@ localizationpriority: high
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for both Windows 10, version 1511, and Windows 10, version 1607. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
>[!IMPORTANT]
>For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system telemetry level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization#configure-the-operating-system-telemetry-level).
@ -32,27 +32,35 @@ By grouping devices with similar deferral periods, administrators are able to cl
>[!TIP]
>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsofts design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
<span id="configure-devices-for-current-branch-or-current-branch-for-business"/>
## Configure devices for Current Branch (CB) or Current Branch for Business (CBB)
With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](https://technet.microsoft.com/en-us/itpro/windows/manage/introduction-to-windows-10-servicing).
With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-branches).
**Release branch policies**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**RequireDeferredUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**.
![Branch readiness level setting](images/waas-wufb-settings-branch.jpg)
>[!NOTE]
>Users will not be able to change this setting if it was configured by policy.
## Configure when devices receive Feature Updates
After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of 180 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
>[!IMPORTANT]
>This policy does not apply to Windows 10 Mobile Enterprise.
>
>You can only defer up to 180 days prior to version 1703.
**Examples**
@ -66,16 +74,28 @@ After you configure the servicing branch (CB or CBB), you can then define if, an
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
>[!NOTE]
>If not configured by policy, users can defer feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
## Pause Feature Updates
You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 60 days to the start date.
In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 60 days by configuring a later start date.
With version 1703, pause will provide a more consistent experience:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
>[!IMPORTANT]
>This policy does not apply to Windows 10 Mobile Enterprise.
@ -83,12 +103,11 @@ You can also pause a device from receiving Feature Updates by a period of up to
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates |
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates</br>**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate |
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseFeatureUpdates** | \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates |
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates</br> **1703:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
@ -99,6 +118,8 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda
| 1 | Feature Updates paused |
| 2 | Feature Updates have auto-resumed after being paused |
>[!NOTE]
>If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
## Configure when devices receive Quality Updates
@ -113,16 +134,28 @@ You can set your system to receive updates for other Microsoft products—known
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
>[!NOTE]
>If not configured by policy, users can defer quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
## Pause Quality Updates
You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again.
Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
With version 1703, pause will provide a more consistent experience:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
>[!IMPORTANT]
>This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise.
@ -130,12 +163,11 @@ You can also pause a system from receiving Quality Updates for a period of up to
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |\Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates |
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates</br>**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime |
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseQualityUpdates** | \Microsoft\PolicyManager\default\Update\PauseQualityUpdates |
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates</br>**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
@ -146,22 +178,23 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda
| 1 | Quality Updates paused |
| 2 | Quality Updates have auto-resumed after being paused |
>[!NOTE]
>If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
## Exclude drivers from Quality Updates
In Windows 10, version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
**Exclude driver policies**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
## Summary: MDM and Group Policy for version 1703
## Summary: MDM and Group Policy for version 1607
Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607.
Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607 and above.
**GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
@ -169,11 +202,11 @@ Below are quick-reference tables of the supported Windows Update for Business po
| --- | --- | --- |
| BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)</br>32: systems take Feature Updates for the Current Branch for Business (CBB)</br>Note: Other value or absent: receive all applicable updates (CB) |
| DeferQualityUpdates | REG_DWORD | 1: defer quality updates</br>Other value or absent: dont defer quality updates |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days |
| PauseQualityUpdates | REG_DWORD | 1: pause quality updates</br>Other value or absent: dont pause quality updates |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days |
| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updates</br>Other value or absent: dont pause quality updates |
|DeferFeatureUpdates | REG_DWORD | 1: defer feature updates</br>Other value or absent: dont defer feature updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days |
| PauseFeatureUpdates | REG_DWORD |1: pause feature updates</br>Other value or absent: dont pause feature updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days |
| PauseFeatureUpdatesStartDate | REG_DWORD |1: pause feature updates</br>Other value or absent: dont pause feature updates |
| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers</br>Other value or absent: offer Windows Update drivers |
@ -182,19 +215,19 @@ Below are quick-reference tables of the supported Windows Update for Business po
| MDM Key | Key type | Value |
| --- | --- | --- |
| BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)</br>32: systems take Feature Updates for the Current Branch for Business (CBB)</br>Note: Other value or absent: receive all applicable updates (CB) |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days |
| PauseQualityUpdates | REG_DWORD | 1: pause quality updates</br>Other value or absent: dont pause quality updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days |
| PauseFeatureUpdates | REG_DWORD | 1: pause feature updates</br>Other value or absent: dont pause feature updates |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days |
| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updates</br>Other value or absent: dont pause quality updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days |
| PauseFeatureUpdatesStartDate | REG_DWORD | 1: pause feature updates</br>Other value or absent: dont pause feature updates |
| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers</br>Other value or absent: offer Windows Update drivers |
## Update devices from Windows 10, version 1511 to version 1607
## Update devices to newer versions
Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. However,Windows Update for Business clients running version 1511 will still see their policies honored after they update to version 1607; the old policy keys will continue to exist with their values ported forward during the update. Following the update to version 1607, it should be noted that only the version 1511 keys will be populated and not the new version 1607 keys, until the newer keys are explicitly defined on the device by the administrator.
Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, is also using a few new GPO and MDM keys than those available in version 1607. However,Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
### How version 1511 policies are respected on version 1607
### How older version policies are respected on newer versions
When a client running version 1607 sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for version 1607. If these are not present, it will then check to see if any of the version 1511 keys are set and defer accordingly. Update keys for version 1607 will always supersede the version 1511 equivalent.
When a client running a newer version sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for it's version. If these are not present, it will then check to see if any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent.
### Comparing the version 1511 keys to the version 1607 keys
@ -209,9 +242,12 @@ Enabling allows user to set deferral periods for upgrades and updates. It also
<tbody><tr><td valign="top">**RequireDeferUpgade**: *bool*</br>&nbsp;&nbsp;&nbsp;Puts the device on CBB (no ability to defer updates while on the CB branch).</br></br>**DeferUpgradePeriod**: *0 - 8 months*</br></br>**DeferUpdatePeriod**: *1 4 weeks*</br></br>**PauseDeferrals**: *bool*</br>&nbsp;&nbsp;&nbsp;Enabling will pause both upgrades and updates for a max of 35 days</td><td>**BranchReadinessLevel**</br>&nbsp;&nbsp;&nbsp;Set system on CB or CBB</br></br>**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*</br></br>**PauseFeatureUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause Feature updates for a max of 60 days</br></br>**DeferQualityUpdatesPeriodinDays**: *0 - 30 days*</br></br>**PauseQualityUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp; Enabling will pause Quality updates for a max of 35 days</br></br>**ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td></tr>
</tbody></table>
### Comparing the version 1607 keys to the version 1703 keys
| Version 1607 key | Version 1703 key |
| --- | --- |
| PauseFeatureUpdates | PauseFeatureUpdatesStartTime |
| PauseQualityUpdates | PauseQualityUpdatesStartTime |
## Related topics

46
windows/update/waas-delivery-optimization.md
View File

@ -41,15 +41,20 @@ Several Delivery Optimization features are configurable:
| --- | --- |
| [Download mode](#download-mode) | DODownloadMode |
| [Group ID](#group-id) | DOGroupID |
| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer |
| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer |
| [Max Cache Age](#max-cache-age) | DOMaxCacheAge |
| [Max Cache Size](#max-cache-size) | DOMaxCacheSize |
| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize |
| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive |
| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache |
| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth |
| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth |
| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth |
| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap |
| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS |
| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching |
| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload |
When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates.
@ -65,12 +70,20 @@ Delivery Optimization uses locally cached updates. In cases where devices have a
>[!NOTE]
>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services. Administrators may choose to change it, which will result in increased performance, when local storage is sufficient and the network isn't strained or congested. [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) determines the minimum size of files to be cached.
There are additional options available to robustly control the impact Delivery Optimization has on your network:
- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization.
- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month.
- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
Various controls allow administrators to further customize scenarios where Delivery Optimization will be used:
- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
- [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
- [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching.
- [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur.
### How Microsoft uses Delivery Optimization
In Microsoft, to help ensure that ongoing deployments werent affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
@ -102,7 +115,20 @@ By default, peer sharing on clients using the group download mode is limited to
>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
>
>This configuration is optional and not required for most implementations of Delivery Optimization.
<span id="minimum-ram-allowed-to-use-peer-caching"/>
### Minimum RAM (inclusive) allowed to use Peer Caching
This setting specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means not limited, which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4 GB.
### Minimum disk size allowed to use Peer Caching
This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means not limited, which means the cloud service set default value will be used. The recommended values are 64 to 256 GB.
>[!NOTE]
>If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check will apply to the new working directory specified by this policy.
### Max Cache Age
In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
@ -113,7 +139,11 @@ This setting limits the maximum amount of space the Delivery Optimization cache
### Absolute Max Cache Size
This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB.
This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. The default value for this setting is 10 GB.
### Minimum Peer Caching Content File Size
This setting specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. The recommended values are from 1 to 100000 MB.
### Maximum Download Bandwidth
@ -138,7 +168,17 @@ This setting allows for an alternate Delivery Optimization cache location on the
### Monthly Upload Data Cap
This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
### Enable Peer Caching while the device connects via VPN
This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
### Allow uploads while the device is on battery while under set Battery level
This setting specifies battery levels at which a device will be allowed to upload data. Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set if you allow uploads on battery is 40 (for 40%).
The device can download from peers while on battery regardless of this policy.
The value 0 means not limited, which means the cloud service set default value will be used.
<span id="set-preferred-cache-devices"/>
## Set “preferred” cache devices for Delivery Optimization

91
windows/whats-new/whats-new-windows-10-version-1703.md
View File

@ -48,16 +48,26 @@ The following new Group Policy and mobile device management (MDM) settings are a
### Kiosk mode for Windows 10 Mobile
In Windows 10 Mobile, version 1703, [Apps Corner](https://support.microsoft.com/instantanswers/7959c547-aa80-5ff1-9097-1784b6894845/set-up-apps-corner) is removed. Enterprises can use [Enterprise Assigned Access to configure kiosk experiences](../configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) on devices running Windows 10 Mobile.
In Windows 10 Mobile, version 1703, [Apps Corner](https://support.microsoft.com/instantanswers/7959c547-aa80-5ff1-9097-1784b6894845/set-up-apps-corner) is removed. Enterprises can use [Enterprise Assigned Access to configure kiosk experiences](../configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) on devices running Windows 10 Mobile.
### Start and taskbar layout
Enterprises can apply a customized Start and tasbkar layout to devices running Windows 10 Pro, version 1703.
Enterprises can apply a customized Start and tasbkar layout to devices running Windows 10 Pro, version 1703.
Additional MDM policy settings are available for Start and taskbar layout. For details, see [Manage Windows 10 Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md).
Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md).
## Deployment
### MBR2GPT.EXE
MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability and supports additional partition types. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
For details, see [MBR2GPT.EXE](../deploy/mbr-to-gpt.md).
### Cortana at work
Cortana is Microsofts personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
@ -67,34 +77,52 @@ Using Azure AD also means that you can remove an employees profile (for examp
## Security
### Windows Defender Advanced Threat Protection (Windows Defender ATP)
The following features have been added to Windows Defender ATP in Windows 10, version 1703.
- **Detection**<br>
Enhancements to the detection capabilities include:
- [Use the threat intelligence API to create custom alerts](../keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks
- Upgraded detections of ransomware and other advanced attacks
- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed
- **Investigation**<br>
Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations.
Other investigation enhancements include:
- [Investigate a user account](../keep-secure/investigate-user-windows-defender-advanced-threat-protection.md) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
- [Alert process tree](../keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
- [Pull alerts using REST API](../keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) - Use REST API to pull alerts from Windows Defender ATP.
- **Response**<br>
When detecting an attack, security response teams can now take immediate action to contain a breach:
- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
- [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
- [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
- [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
- [Take response actions on a machine](../keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
- [Take response actions on a file](../keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
- [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
- [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
- [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
- **Investigation**<br>
Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal.
- **Other features**
- [Check sensor health state](../keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
Other investigation capabilities include:
- [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
- [Alert process tree](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
### Windows Defender Antivirus (Windows Defender AV)
New features for Windows Defender AV in Windows 10, version 1703 include:
- **Detection**<br>
Windows Creators Update improves OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks.
- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md)
- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md)
- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md)
Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md).
The new library includes information on:
- [Deploying and enabling AV protection](../keep-secure/deploy-windows-defender-antivirus.md)
- [Managing updates](../keep-secure/manage-updates-baselines-windows-defender-antivirus.md)
- [Reporting](../keep-secure/report-monitor-windows-defender-antivirus.md)
- [Configuring features](../keep-secure/configure-windows-defender-antivirus-features.md)
- [Troubleshooting](../keep-secure/troubleshoot-windows-defender-antivirus.md)
Some of the highlights of the new library include:
- [Evaluation guide for Windows Defender AV](../keep-secure/evaluate-windows-defender-antivirus.md)
- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](../keep-secure/deployment-vdi-windows-defender-antivirus.md)
Other detection capabilities include:
- [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
### Device Guard and Credential Guard
@ -105,6 +133,27 @@ For more information, see [Device Guard Requirements](../keep-secure/requirement
The security setting [**Interactive logon: Display user information when the session is locked**](../keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
## Update
### Windows Update for Business
The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-feature-updates#pause-quality-updates).
You are now able to defer feature update installation by up to 365 days. In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
### Delivery Optimization
Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
Added policies include:
- [Allow uploads while the device is on battery while under set Battery level](../update/waas-delivery-optimization.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
- [Enable Peer Caching while the device connects via VPN](../update/waas-delivery-optimization.md#enable-peer-caching-while-the-device-connects-via-vpn)
- [Minimum RAM (inclusive) allowed to use Peer Caching](../update/waas-delivery-optimization.md#minimum-ram-allowed-to-use-peer-caching)
- [Minimum disk size allowed to use Peer Caching](../update/waas-delivery-optimization.md#minimum-disk-size-allowed-to-use-peer-caching)
- [Minimum Peer Caching Content File Size](../update/waas-delivery-optimization.md#minimum-peer-caching-content-file-size)
To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](../update/waas-delivery-optimization.md)
## Learn more
- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info)