From b7d4bc5caf926b7375194ea556652fd56f5d4a87 Mon Sep 17 00:00:00 2001 From: Andrei-George Stoica <5600871+andreiztm@users.noreply.github.com> Date: Fri, 11 Apr 2025 14:28:41 +0300 Subject: [PATCH 01/22] Update mcc-ent-edu-overview.md --- windows/deployment/do/mcc-ent-edu-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md index c730c9e094..5dfeba891b 100644 --- a/windows/deployment/do/mcc-ent-edu-overview.md +++ b/windows/deployment/do/mcc-ent-edu-overview.md 
@@ -89,8 +89,8 @@ The following diagram displays an overview of how Connected Cache functions: 1. The Microsoft Connected Cache container is deployed to the device using Azure IoT Edge container management services and the cache server begins reporting status and metrics to Delivery Optimization services. 1. The DOCacheHost setting is configured using Intune or other MDM, DHCP custom option, or registry key. 1. Devices request content from the cache server, the cache server forwards the requests to the CDN and fills the cache, the cache server delivers the content requested to the devices, and uses Peer to Peer (depending on DO Download mode settings) for all DO content. -1. Devices can fall back to CDN if the cache server is unavailable for any reason or use Delivery Optimization delay fallback to http (CDN) settings to prefer the local cache server. -You can view data about Microsoft Connected Cache downloads on management portal and Windows Update for Business reports. +1. Devices can fall back to CDN if the cache server is unavailable for any reason or use Delivery Optimization delay fallback to http (CDN) settings to prefer the local cache server. If the cache server fails to respond, the client downloads the content from the CDN. To delay this behavior, set the [DelayCacheServerFallbackForeground/DelayCacheServerFallbackBackground](/windows/deployment/do/waas-delivery-optimization-reference#delay-foreground-download-cache-server-fallback-in-secs) setting(s) to avoid the immediate fallback. You can view data about Microsoft Connected Cache downloads on management portal and Windows Update for Business reports. + ## Next steps From a40ec2d60dd1f5436d0445ac0455ac90da80bd91 Mon Sep 17 00:00:00 2001 
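Review bot: In the `+1. Devices can fall back to CDN ...` line of the `@@ -89,8 +89,8 @@` hunk, the sentence `You can view data about Microsoft Connected Cache downloads on management portal and Windows Update for Business reports.` was a standalone paragraph in the removed lines and is now folded into list item 4, where it does not belong; keep it as its own paragraph after the list. The link text names two policies, `DelayCacheServerFallbackForeground/DelayCacheServerFallbackBackground`, but the anchor `#delay-foreground-download-cache-server-fallback-in-secs` reaches only the foreground setting, so give the background policy its own link. The two added sentences also restate the fallback behavior the first sentence already describes; the single instruction `To delay this behavior, set ... to avoid the immediate fallback.` carries the new information.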
From: Carmen Forsmann Date: Tue, 15 Apr 2025 13:21:30 -0600 Subject: [PATCH 02/22] Updates from documentation backlog, various issues --- .../do/delivery-optimization-endpoints.md | 1 + .../do/waas-delivery-optimization-faq.yml | 20 ++++++++++++++----- .../waas-delivery-optimization-reference.md | 4 ++-- 3 files changed, 18 insertions(+), 7 deletions(-) diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md index 1f8366e62b..a74dad67bc 100644 --- a/windows/deployment/do/delivery-optimization-endpoints.md +++ b/windows/deployment/do/delivery-optimization-endpoints.md @@ -39,3 +39,4 @@ Use the table below to reference any particular content types or services endpoi | *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Connected Cache Managed in Azure | | *.ubuntu.com, api.snapcraft.io | HTTP / 80
HTTPs / 443 | Ubuntu package updates | Used by Linux distribution image in WSL on Windows host machine to deploy Connected Cache. | Connected Cache Managed in Azure | | packages.microsoft.com | HTTP / 80
HTTPs / 443 | Microsoft package updates | Used to deploy required Connected Cache packages to Windows and Linux host machines. | Connected Cache Managed in Azure | +| aka.ms, raw.githubusercontent.com | HTTPs / 443 | Azure IoT Identity Service | Checks the identity service version file is the latest version. | Connected Cache Managed in Azure | diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 8b0fb66a41..ac39b7b118 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -17,7 +17,7 @@ metadata: - ✅ Windows 10 - ✅ Windows Server 2019, and later - ✅ Delivery Optimization - ms.date: 02/27/2025 + ms.date: 04/14/2025 title: Frequently Asked Questions about Delivery Optimization summary: | This article answers frequently asked questions about Delivery Optimization. @@ -30,6 +30,8 @@ summary: | - [Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected?](#delivery-optimization-is-downloading-windows-content-on-my-devices-directly-from-an-ip-address--is-it-expected) - [How do I turn off Delivery Optimization?](#how-do-i-turn-off-delivery-optimization) - [My download is failing with error code 0x80d03002, how do I fix it?](#my-download-is-failing-with-error-code-0x80d03002--how-do-i-fix-it) + - [What do the Delivery Optimization error codes mean?](#delivery-optimization-error-codes) + - [How does Delivery Optimization measure and throttle download bandwidth?](#how-does-delivery-optimization-calculate-the-allowed-bandwidth) **Network related configuration questions**: 
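Review bot: The added row `+| aka.ms, raw.githubusercontent.com | HTTPs / 443 | Azure IoT Identity Service | Checks the identity service version file is the latest version. |` in the `@@ -39,3 +39,4 @@` hunk asks firewall administrators to allow two hosts that serve far more than this one file: aka.ms is a redirector and raw.githubusercontent.com serves arbitrary repository content. State the exact path the identity service fetches (and the redirect destination behind the aka.ms link) so the allow-list can be scoped to it, and say what happens when the check is blocked, i.e. whether deployment fails or only the version check is skipped. Grammar: `Checks that the identity service version file is the latest version.`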
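Review bot: In the `@@ -30,6 +30,8 @@` hunk the two new summary links use the anchors `#delivery-optimization-error-codes` and `#how-does-delivery-optimization-calculate-the-allowed-bandwidth`, which do not match the slugs generated from the question titles added further down in this patch (`what-do-the-delivery-optimization-error-codes-mean` and `how-does-delivery-optimization-measure-and-throttle-download-bandwidth`), so both links will be dead in the rendered FAQ; follow the slug form the existing entries use, e.g. `#how-do-i-turn-off-delivery-optimization`.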
@@ -74,12 +76,21 @@ sections: > [!NOTE] > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization. - - question: My download is failing with error code 0x80d03002, how do I fix it? answer: | If you set the DownloadMode policy to '100' (Bypass) some content downloads that require Delivery Optimization may fail with error code 0x80d03002. If you intend to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access. Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated. + - question: What do the Delivery Optimization error codes mean? + answer: | + For a list of Delivery Optimization common error codes, see the [Delivery Optimization Troubleshooter](http://aka.ms/do-fix). Here you'll find a list of error codes and their descriptions. Using the Delivery Optimization Troubleshooter, can help identify any issues with Delivery Optimization and provide you with the steps to fix them. The tool can also help you identify and fix common issues with Delivery Optimization. + - question: How does Delivery Optimization measure and throttle download bandwidth? 
+ answer: | + By default, Delivery Optimization measures and targets to use no more than 45% of the available bandwidth during a background download or 90% for an interactive foreground download (user initiated). The target download speed is measured for the HTTP source and Group/Internet peers, but not for LAN peers. The same target downloads speed Delivery Optimization measures the download throughput that is available all the way to the source. It doesn’t just consider the local NIC but rather performs a “speed test” against the source it is pulling from at a given moment. The “speed test” is performed dynamically every few minutes during a download, so it can adjust to congestion on the network. + + Throttling will apply only to downloads from the “Internet” which include the HTTP source for the download as well as Group peers. Throttling will not apply to downloads from LAN peers. To make changes to the default behavior, from the Delivery Optimization section in Windows Settings (Delivery Optimization -> Advanced Options) allows users to change these values via sliders. In addition, there are policies available to manage bandwidth usage for Delivery Optimization. To ensure smooth deployments, we recommend familiarizing yourself with the bandwidth defaults and policies available to better configure them for your environment. Note that Delivery Optimization does not manage deployment strategies. + + For more information, see [Bandwidth throttle options](delivery-optimization-configure.md#bandwidth-throttling-options). - name: Network related configuration questions questions: 
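Review bot: In the `@@ -74,12 +76,21 @@` hunk, the new link `[Delivery Optimization Troubleshooter](http://aka.ms/do-fix)` uses a plain-HTTP URL for a tool the reader is expected to download and run; use `https://aka.ms/do-fix` so neither the redirect nor the download can be altered in transit. The rest of that answer says the same thing three times (`can help identify any issues with Delivery Optimization`, `The tool can also help you identify and fix common issues`); one sentence suffices. In the bandwidth answer, `The same target downloads speed Delivery Optimization measures the download throughput that is available all the way to the source.` is not a sentence and should read along the lines of `To set that target, Delivery Optimization measures the throughput available all the way to the source`, and `measures and targets to use no more than 45%` should be `targets using no more than 45%`.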
@@ -139,7 +150,7 @@ sections: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? answer: | - Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). + Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT (server-side LEDBAT) and rLEDBAT (receiver-side LEDBAT) to relieve such congestion. In Delivery Optimization, LEDBAT is specifically used for P2P connections, while rLEDBAT is utilized for HTTP and Connected Cache connections, particularly for background downloads. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - question: How does Delivery Optimization handle VPNs? answer: | Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection is treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." 
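Review bot: In the `@@ -139,7 +150,7 @@` hunk, `LEDBAT (server-side LEDBAT)` is ambiguous for peer-to-peer traffic, where both ends are client devices; say which side applies each mechanism (the uploading peer for LEDBAT, the downloading device for rLEDBAT on HTTP and Connected Cache sources). Also confirm that the linked Networking Blog post covers rLEDBAT; if it only describes LEDBAT and Cubic, add a reference for the receiver-side variant. Prefer `used` over `utilized`.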
@@ -169,7 +180,7 @@ sections: For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). - question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? answer: | - Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. + Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses (defined by RFC 1918). If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. > [!NOTE] > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. @@ -185,4 +196,3 @@ sections: 1. In the search box on the taskbar, type **Disk Cleanup**, and then select it from the list of results. 1. On the **Disk Cleanup** tab, select the **Delivery Optimization Files** check box. 1. Select **OK**. On the dialog that appears, select **Delete Files**. - diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 8ea753be60..262a2b46c2 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md 
@@ -293,7 +293,7 @@ This setting determines whether a device will be allowed to participate in Peer MDM Setting: **DOVpnKeywords** -This policy allows you to configure one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not configured so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: "VPN", "Secure", and "Virtual Private Network" (ex: "MSFTVPN" matches the "VPN" keyword). As the number of VPNs grow it's difficult to support an ever-changing list of VPN names. To address this, we've introduced this new setting to add unique VPN names to meet the needs of individual environments. +This policy allows you to configure one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not configured so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: "VPN", "Secure", and "Virtual Private Network" (ex: "MSFTVPN" matches the "VPN" keyword). As the number of VPNs grow it's difficult to support an ever-changing list of VPN names. To address this, we've introduced this new setting to add unique VPN names to meet the needs of individual environments. This policy is applied only when the network adapter identifies as ```IF_TYPE_ETHERNET_CSMACD``` or ```IF_TYPE_TUNNEL``` interface types. ### Disallow cache server downloads on VPN 
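Review bot: In the `@@ -293,7 +293,7 @@` hunk, the added sentence `This policy is applied only when the network adapter identifies as ```IF_TYPE_ETHERNET_CSMACD``` or ```IF_TYPE_TUNNEL``` interface types.` uses triple-backtick fences for inline identifiers where the file uses single backticks, and it leaves unclear whether the interface-type restriction gates only the DOVpnKeywords keywords or the whole keyword-based VPN detection, default list included. An administrator adding a keyword for a VPN client that exposes an adapter of another type needs to know the entry will have no effect, and the paragraph should say how such adapters are treated (as VPN or not), since that decides whether peering is used.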
@@ -329,7 +329,7 @@ This policy allows you to specify how your client(s) can discover Delivery Optim - 1 = DHCP Option 235. - 2 = DHCP Option 235 Force. -With either option, the client queries DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured. **By default, this policy has no value.** +With either option, the client queries DHCP Option ID 235 and uses the returned value as the Cache Server Hostname. If [DOCacheHost](#cache-server-hostname) policy is also configured, then DHCP Option 235 Force (2) is required to override it. **By default, this policy has no value.** Configure this policy to designate Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your DHCP server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas. From e04f071ee7d11f1eb2b3d97e765e83e4421a59d5 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 15 Apr 2025 13:24:55 -0600 Subject: [PATCH 03/22] updated doc revision dates --- windows/deployment/do/delivery-optimization-endpoints.md | 2 +- windows/deployment/do/waas-delivery-optimization-reference.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md index a74dad67bc..e4f3e8e804 100644 --- a/windows/deployment/do/delivery-optimization-endpoints.md +++ b/windows/deployment/do/delivery-optimization-endpoints.md @@ -14,7 +14,7 @@ appliesto: - ✅ Microsoft Connected Cache for ISPs - ✅ Microsoft Connected Cache for Enterprise and Education - ✅ Connected Cache on a Configuration Manager distribution point -ms.date: 05/23/2024 +ms.date: 04/15/2025 --- # Microsoft Connected Cache content and services endpoints 
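Review bot: In the `@@ -329,7 +329,7 @@` hunk, `If [DOCacheHost](#cache-server-hostname) policy is also configured, then DHCP Option 235 Force (2) is required to override it.` gives the precedence only for value 2; state explicitly that with value 1 the configured DOCacheHost wins and the DHCP value is ignored, so the full precedence order is in one place. Because the cache hostname here arrives through an unauthenticated DHCP option, a pointer to the fallback behavior documented elsewhere in this series (clients revert to the CDN when the named cache server does not respond) would help administrators judge the impact of a wrong or stale DHCP value.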
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 262a2b46c2..ae091ccf55 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -14,7 +14,7 @@ appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Delivery Optimization -ms.date: 04/03/2025 +ms.date: 04/15/2025 --- # Delivery Optimization reference From 5b787bb4091df7838135b9e6320ab6161133a1a0 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 15 Apr 2025 13:29:43 -0600 Subject: [PATCH 04/22] fix broken links --- windows/deployment/do/waas-delivery-optimization-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index ac39b7b118..fe902c5956 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -30,8 +30,8 @@ summary: | - [Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected?](#delivery-optimization-is-downloading-windows-content-on-my-devices-directly-from-an-ip-address--is-it-expected) - [How do I turn off Delivery Optimization?](#how-do-i-turn-off-delivery-optimization) - [My download is failing with error code 0x80d03002, how do I fix it?](#my-download-is-failing-with-error-code-0x80d03002--how-do-i-fix-it) - - [What do the Delivery Optimization error codes mean?](#delivery-optimization-error-codes) - - [How does Delivery Optimization measure and throttle download bandwidth?](#how-does-delivery-optimization-calculate-the-allowed-bandwidth) + - [What do the Delivery Optimization error codes mean?](#what-do-the-delivery-optimization-error-codes-mean) + - [How does Delivery Optimization measure and throttle download bandwidth?](#how-does-delivery-optimization-measure-and-throttle-download-bandwidth) **Network related configuration questions**: From 8c9ee41c194e00442969e695109ef7e9f0fa0f12 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 15 Apr 2025 13:40:10 -0600 Subject: [PATCH 05/22] more concise wording --- windows/deployment/do/waas-delivery-optimization-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index fe902c5956..987bb61b79 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -83,7 +83,7 @@ sections: Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated. - question: What do the Delivery Optimization error codes mean? answer: | - For a list of Delivery Optimization common error codes, see the [Delivery Optimization Troubleshooter](http://aka.ms/do-fix). Here you'll find a list of error codes and their descriptions. Using the Delivery Optimization Troubleshooter, can help identify any issues with Delivery Optimization and provide you with the steps to fix them. The tool can also help you identify and fix common issues with Delivery Optimization. + For a list of common Delivery Optimization error codes, visit the [Delivery Optimization Troubleshooter]((http://aka.ms/do-fix)). This resource provides descriptions of various error codes. Using the Delivery Optimization Troubleshooter can help you identify and resolve issues with Delivery Optimization, providing configuration values and other useful information to help address problems effectively. - question: How does Delivery Optimization measure and throttle download bandwidth? answer: | By default, Delivery Optimization measures and targets to use no more than 45% of the available bandwidth during a background download or 90% for an interactive foreground download (user initiated). The target download speed is measured for the HTTP source and Group/Internet peers, but not for LAN peers. The same target downloads speed Delivery Optimization measures the download throughput that is available all the way to the source. It doesn’t just consider the local NIC but rather performs a “speed test” against the source it is pulling from at a given moment. The “speed test” is performed dynamically every few minutes during a download, so it can adjust to congestion on the network. From 27fc0514f41d5b296ee6a2b5494620b6bf4d0c94 Mon Sep 17 00:00:00 2001 
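Review bot: The rewritten line `[Delivery Optimization Troubleshooter]((http://aka.ms/do-fix))` in the `@@ -83,7 +83,7 @@` hunk has doubled parentheses around the URL, which breaks the Markdown link and renders a literal `(http://aka.ms/do-fix)` after the link text; it should be `(http://aka.ms/do-fix)`, and since the link leads to a downloadable tool the URL should use `https://`.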
From: Carmen Forsmann Date: Tue, 15 Apr 2025 13:55:10 -0600 Subject: [PATCH 06/22] clearer wording --- windows/deployment/do/waas-delivery-optimization-faq.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 987bb61b79..0f49a29649 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -83,12 +83,12 @@ sections: Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated. - question: What do the Delivery Optimization error codes mean? answer: | - For a list of common Delivery Optimization error codes, visit the [Delivery Optimization Troubleshooter]((http://aka.ms/do-fix)). This resource provides descriptions of various error codes. Using the Delivery Optimization Troubleshooter can help you identify and resolve issues with Delivery Optimization, providing configuration values and other useful information to help address problems effectively. + For a list of common Delivery Optimization error codes, visit the [Delivery Optimization Troubleshooter](http://aka.ms/do-fix). This resource provides descriptions of various error codes. Using the Delivery Optimization Troubleshooter can help you identify and resolve issues with Delivery Optimization, providing configuration values and other useful information to help address problems effectively. - question: How does Delivery Optimization measure and throttle download bandwidth? answer: | - By default, Delivery Optimization measures and targets to use no more than 45% of the available bandwidth during a background download or 90% for an interactive foreground download (user initiated). The target download speed is measured for the HTTP source and Group/Internet peers, but not for LAN peers. The same target downloads speed Delivery Optimization measures the download throughput that is available all the way to the source. It doesn’t just consider the local NIC but rather performs a “speed test” against the source it is pulling from at a given moment. The “speed test” is performed dynamically every few minutes during a download, so it can adjust to congestion on the network. 
+ By default, Delivery Optimization measures and targets to use no more than 45% of the available bandwidth during a background download or 90% for an interactive, foreground download (user initiated). The target download speed is measured for the HTTP source and Group/Internet peers, but not used for LAN peers. The target download speed measures the download throughput available to the source, not only the local network card. A speed test is performed dynamically every few minutes during a download, so it can adjust to congestion on the network. - Throttling will apply only to downloads from the “Internet” which include the HTTP source for the download as well as Group peers. Throttling will not apply to downloads from LAN peers. To make changes to the default behavior, from the Delivery Optimization section in Windows Settings (Delivery Optimization -> Advanced Options) allows users to change these values via sliders. In addition, there are policies available to manage bandwidth usage for Delivery Optimization. To ensure smooth deployments, we recommend familiarizing yourself with the bandwidth defaults and policies available to better configure them for your environment. Note that Delivery Optimization does not manage deployment strategies. + Throttling will apply only to downloads from the “Internet” which include the HTTP source and Group peers. Throttling will not apply to downloads from LAN peers. To make changes to the default behavior, use the settings from the Delivery Optimization section in Windows Settings (Delivery Optimization -> Advanced Options) to change these values. In addition, there are policies available to manage bandwidth usage for Delivery Optimization. To ensure smooth deployments, we recommend familiarizing yourself with the bandwidth defaults and policies available to better configure them for your environment. Note that Delivery Optimization does not manage deployment strategies. 
For more information, see [Bandwidth throttle options](delivery-optimization-configure.md#bandwidth-throttling-options). From 6c06e5365b2d627ec8adeb9b65d61441105e293a Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 15 Apr 2025 15:37:49 -0600 Subject: [PATCH 07/22] lower case internet --- windows/deployment/do/waas-delivery-optimization-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 0f49a29649..e28da5acf8 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
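Review bot: In the `@@ -83,12 +83,12 @@` hunk the bandwidth answer now says the target speed is `not used for LAN peers` while the next paragraph says throttling `will not apply to downloads from LAN peers`; these describe one exclusion, so state it once (neither measured nor applied for LAN peers) instead of splitting it across two paragraphs with different verbs. `the download throughput available to the source` should be `from the source`, and `downloads from the "Internet" which include the HTTP source and Group peers` needs a comma before `which` (or `that include`).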
@@ -88,7 +88,7 @@ sections: answer: | By default, Delivery Optimization measures and targets to use no more than 45% of the available bandwidth during a background download or 90% for an interactive, foreground download (user initiated). The target download speed is measured for the HTTP source and Group/Internet peers, but not used for LAN peers. The target download speed measures the download throughput available to the source, not only the local network card. A speed test is performed dynamically every few minutes during a download, so it can adjust to congestion on the network. - Throttling will apply only to downloads from the “Internet” which include the HTTP source and Group peers. Throttling will not apply to downloads from LAN peers. To make changes to the default behavior, use the settings from the Delivery Optimization section in Windows Settings (Delivery Optimization -> Advanced Options) to change these values. In addition, there are policies available to manage bandwidth usage for Delivery Optimization. To ensure smooth deployments, we recommend familiarizing yourself with the bandwidth defaults and policies available to better configure them for your environment. Note that Delivery Optimization does not manage deployment strategies. + Throttling will apply only to downloads from the internet which include the HTTP source and Group peers. Throttling will not apply to downloads from LAN peers. To make changes to the default behavior, use the settings from the Delivery Optimization section in Windows Settings (Delivery Optimization -> Advanced Options) to change these values. In addition, there are policies available to manage bandwidth usage for Delivery Optimization. To ensure smooth deployments, we recommend familiarizing yourself with the bandwidth defaults and policies available to better configure them for your environment. Note that Delivery Optimization does not manage deployment strategies. 
For more information, see [Bandwidth throttle options](delivery-optimization-configure.md#bandwidth-throttling-options). From bef23abdffc23d61343e89b17112dbe57e604ae3 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 15 Apr 2025 17:30:30 -0600 Subject: [PATCH 08/22] address feedback --- windows/deployment/do/waas-delivery-optimization-faq.yml | 9 ++++++--- .../do/waas-delivery-optimization-reference.md | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index e28da5acf8..ac99650e32 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -86,12 +86,15 @@ sections: For a list of common Delivery Optimization error codes, visit the [Delivery Optimization Troubleshooter](http://aka.ms/do-fix). This resource provides descriptions of various error codes. Using the Delivery Optimization Troubleshooter can help you identify and resolve issues with Delivery Optimization, providing configuration values and other useful information to help address problems effectively. - question: How does Delivery Optimization measure and throttle download bandwidth? answer: | - By default, Delivery Optimization measures and targets to use no more than 45% of the available bandwidth during a background download or 90% for an interactive, foreground download (user initiated). The target download speed is measured for the HTTP source and Group/Internet peers, but not used for LAN peers. The target download speed measures the download throughput available to the source, not only the local network card. A speed test is performed dynamically every few minutes during a download, so it can adjust to congestion on the network. - - Throttling will apply only to downloads from the internet which include the HTTP source and Group peers. Throttling will not apply to downloads from LAN peers. To make changes to the default behavior, use the settings from the Delivery Optimization section in Windows Settings (Delivery Optimization -> Advanced Options) to change these values. In addition, there are policies available to manage bandwidth usage for Delivery Optimization. To ensure smooth deployments, we recommend familiarizing yourself with the bandwidth defaults and policies available to better configure them for your environment. Note that Delivery Optimization does not manage deployment strategies. + By default, Delivery Optimization measures and targets to use no more than 45% of the available bandwidth during a background download or 90% for an interactive, foreground download (user initiated). 
The target download speed is measured for the HTTP source and Group/Internet peers. The target download speed measures the download throughput available to the source, not only the local network card. A speed test is performed dynamically every few minutes during a download, so it can adjust to congestion on the network. + Throttling will apply only to downloads from the internet which include the HTTP source and Group peers. To make changes to the default behavior, use the settings from the Delivery Optimization section in Windows Settings (Delivery Optimization -> Advanced Options) to change these values. In addition, there are policies available to manage bandwidth usage for Delivery Optimization. To ensure smooth deployments, we recommend familiarizing yourself with the bandwidth defaults and policies available to better configure them for your environment. Note that Delivery Optimization does not manage deployment strategies. + For more information, see [Bandwidth throttle options](delivery-optimization-configure.md#bandwidth-throttling-options). + > [!NOTE] + > For LAN peers, neither the target download speed is calculated nor is throttling applied. + - name: Network related configuration questions questions: - question: Which ports does Delivery Optimization use? diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index ae091ccf55..6b8d4b592b 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md 
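Review bot: In the `@@ -86,12 +86,15 @@` hunk, the new `> [!NOTE]` block is inserted after the `For more information, see [Bandwidth throttle options]...` line, so this answer no longer ends on its cross-reference the way the other answers in the file do; move the note above that line. Also verify that the two `> ` lines keep the same indentation as the rest of the `answer: |` block scalar: a shallower indent terminates the scalar and breaks the YAML file.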
@@ -293,7 +293,7 @@ This setting determines whether a device will be allowed to participate in Peer MDM Setting: **DOVpnKeywords** -This policy allows you to configure one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not configured so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: "VPN", "Secure", and "Virtual Private Network" (ex: "MSFTVPN" matches the "VPN" keyword). As the number of VPNs grow it's difficult to support an ever-changing list of VPN names. To address this, we've introduced this new setting to add unique VPN names to meet the needs of individual environments. This policy is applied only when the network adapter identifies as ```IF_TYPE_ETHERNET_CSMACD``` or ```IF_TYPE_TUNNEL``` interface types. +This policy allows you to configure one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not configured so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: "VPN", "Secure", and "Virtual Private Network" (ex: "MSFTVPN" matches the "VPN" keyword). As the number of VPNs grow it's difficult to support an ever-changing list of VPN names. To address this, we've introduced this new setting to add unique VPN names to meet the needs of individual environments. ### Disallow cache server downloads on VPN From 5eb09f584906dc73f02fd704912265a04adad15f Mon Sep 17 00:00:00 2001 
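Review bot: The `@@ -293,7 +293,7 @@` hunk removes the interface-type sentence added to the DOVpnKeywords section earlier in this series (`This policy is applied only when the network adapter identifies as IF_TYPE_ETHERNET_CSMACD or IF_TYPE_TUNNEL interface types.`). If the restriction is real, it belongs in this section so administrators understand why a keyword added for an adapter of another type has no effect; if it was dropped because it could not be confirmed, say so in the commit message rather than `address feedback`.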
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 16 Apr 2025 15:22:58 -0700 Subject: [PATCH 09/22] Update windows/deployment/do/mcc-ent-edu-overview.md --- windows/deployment/do/mcc-ent-edu-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md index 5dfeba891b..ab381b007f 100644 --- a/windows/deployment/do/mcc-ent-edu-overview.md +++ b/windows/deployment/do/mcc-ent-edu-overview.md 
@@ -89,7 +89,7 @@ The following diagram displays an overview of how Connected Cache functions: 1. The Microsoft Connected Cache container is deployed to the device using Azure IoT Edge container management services and the cache server begins reporting status and metrics to Delivery Optimization services. 1. The DOCacheHost setting is configured using Intune or other MDM, DHCP custom option, or registry key. 1. Devices request content from the cache server, the cache server forwards the requests to the CDN and fills the cache, the cache server delivers the content requested to the devices, and uses Peer to Peer (depending on DO Download mode settings) for all DO content. -1. Devices can fall back to CDN if the cache server is unavailable for any reason or use Delivery Optimization delay fallback to http (CDN) settings to prefer the local cache server. If the cache server fails to respond, the client downloads the content from the CDN. To delay this behavior, set the [DelayCacheServerFallbackForeground/DelayCacheServerFallbackBackground](/windows/deployment/do/waas-delivery-optimization-reference#delay-foreground-download-cache-server-fallback-in-secs) setting(s) to avoid the immediate fallback. You can view data about Microsoft Connected Cache downloads on management portal and Windows Update for Business reports. +1. Devices can fall back to CDN if the cache server is unavailable for any reason or use Delivery Optimization delay fallback to http (CDN) settings to prefer the local cache server. If the cache server fails to respond, the client downloads the content from the CDN. To delay this behavior, set the [DelayCacheServerFallbackForeground/DelayCacheServerFallbackBackground](/windows/deployment/do/waas-delivery-optimization-reference#delay-foreground-download-cache-server-fallback-in-secs) setting to avoid the immediate fallback. You can view data about Microsoft Connected Cache downloads on management portal and Windows Update for Business reports. 
## Next steps From 423938f5cb7c7fab4fe7134d04384e16ed4d0864 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Thu, 17 Apr 2025 16:28:10 -0600 Subject: [PATCH 10/22] Update version support --- windows/deployment/do/waas-delivery-optimization-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index ac99650e32..b3f56fedfd 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
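Review bot: the fallback bullet now states the same behaviour twice ("Devices can fall back to CDN if the cache server is unavailable for any reason" and "If the cache server fails to respond, the client downloads the content from the CDN"); merge them into one sentence. The link text names both DelayCacheServerFallbackForeground and DelayCacheServerFallbackBackground, but the anchor (#delay-foreground-download-cache-server-fallback-in-secs) points only at the foreground setting; link each setting to its own section or make the text match the anchor. The reporting sentence ("You can view data about Microsoft Connected Cache downloads on management portal ...") describes monitoring, not fallback, and belongs in its own paragraph after the list; "http (CDN)" should be "HTTP (CDN)".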
@@ -153,7 +153,7 @@ sections: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? answer: | - Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT (server-side LEDBAT) and rLEDBAT (receiver-side LEDBAT) to relieve such congestion. In Delivery Optimization, LEDBAT is specifically used for P2P connections, while rLEDBAT is utilized for HTTP and Connected Cache connections, particularly for background downloads. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). + Starting in Windows 11 22H2, Delivery Optimization uses LEDBAT (server-side LEDBAT) and rLEDBAT (receiver-side LEDBAT) to relieve such congestion. In Delivery Optimization, LEDBAT is specifically used for P2P connections, while rLEDBAT is utilized for HTTP and Connected Cache connections, particularly for background downloads. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - question: How does Delivery Optimization handle VPNs? answer: | Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection is treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." From b94d362c53c8905f73361149e01640127104f769 Mon Sep 17 00:00:00 2001 
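Review bot: changing the starting version from "Windows 10, version 1903" to "Windows 11 22H2" is a factual change about when LEDBAT/rLEDBAT support began, yet the only citation, the Networking Blog link, is unchanged and the commit subject ("Update version support") gives no source; add the reason or a reference so a reader can tell whether support was removed from Windows 10 or the original claim was wrong. Style: other version references in this series use the form "Windows 11, version 22H2".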
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 17 Apr 2025 16:15:29 -0700 Subject: [PATCH 11/22] Update windows/deployment/do/waas-delivery-optimization-faq.yml --- windows/deployment/do/waas-delivery-optimization-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index b3f56fedfd..1ef7f16540 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -153,7 +153,7 @@ sections: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? answer: | - Starting in Windows 11 22H2, Delivery Optimization uses LEDBAT (server-side LEDBAT) and rLEDBAT (receiver-side LEDBAT) to relieve such congestion. In Delivery Optimization, LEDBAT is specifically used for P2P connections, while rLEDBAT is utilized for HTTP and Connected Cache connections, particularly for background downloads. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). + Starting in Windows 11, version 22H2, Delivery Optimization uses LEDBAT (server-side LEDBAT) and rLEDBAT (receiver-side LEDBAT) to relieve such congestion. In Delivery Optimization, LEDBAT is specifically used for P2P connections, while rLEDBAT is utilized for HTTP and Connected Cache connections, particularly for background downloads. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - question: How does Delivery Optimization handle VPNs? answer: | Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection is treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." From f0d0584df2336a0e2bad88d534d487998da876a8 Mon Sep 17 00:00:00 2001 
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Fri, 18 Apr 2025 09:41:07 -0700 Subject: [PATCH 12/22] Fix link issue --- windows/privacy/manage-windows-1809-endpoints.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index f67087eb36..ab2077895d 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -459,8 +459,8 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | svchost | HTTPS | `*.delivery.mp.microsoft.com` | These are dependent on enabling: -- [Device authentication](manage-windows-1809-endpoints.md#device-authentication) -- [Microsoft account](manage-windows-1809-endpoints.md#microsoft-account) +- [Device authentication](#device-authentication) +- [Microsoft account](#microsoft-account) The following endpoint is used for content regulation. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint, and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. From 84f54d33f5b362f8d9a38067f75960b07e14ab77 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 21 Apr 2025 10:06:49 +0200 Subject: [PATCH 13/22] Notes about VBS starting on 24H2 --- .../hello-for-business/includes/expiration.md | 3 +++ .../identity-protection/hello-for-business/includes/history.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/includes/expiration.md b/windows/security/identity-protection/hello-for-business/includes/expiration.md index f73356aa04..498fe0730d 100644 
--- a/windows/security/identity-protection/hello-for-business/includes/expiration.md +++ b/windows/security/identity-protection/hello-for-business/includes/expiration.md @@ -15,3 +15,6 @@ The default value is 0. |--|--| | **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityexpiration](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityexpiration)

`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityexpiration](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityexpiration) | | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**| + +> [!NOTE] +> Starting with Windows 11, version 24H2, Windows Hello is further hardened by default to use Virtualization-based security (VBS) to isolate credentials. This enhancement is automatically applied on devices that support VBS and have it enabled. However, it's important to note that PIN expiration is not supported on such devices. This change aims to enhance security by ensuring that credentials are protected in a more secure environment. \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/includes/history.md b/windows/security/identity-protection/hello-for-business/includes/history.md index 3aad27181a..80d06d2b1b 100644 --- a/windows/security/identity-protection/hello-for-business/includes/history.md +++ b/windows/security/identity-protection/hello-for-business/includes/history.md @@ -18,3 +18,6 @@ The default value is 0. |--|--| | **CSP** | `./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[devicetenantidpoliciespincomplexityhistory](/windows/client-management/mdm/passportforwork-csp#devicetenantidpoliciespincomplexityhistory)
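Review bot: the NOTE says PIN expiration "is not supported" on devices where Windows Hello uses VBS, but not what happens to a configured Expiration value there (ignored, rejected at set time, or reported as non-compliant); a policy reference needs that, so state it. The hunk ends with "\ No newline at end of file"; add the trailing newline. The closing sentence ("This change aims to enhance security ...") restates the first sentence and can be dropped.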

`./User/Vendor/MSFT/PassportForWork/{TenantId}/Policies/PINComplexity/`[usertenantidpoliciespincomplexityhistory](/windows/client-management/mdm/passportforwork-csp#usertenantidpoliciespincomplexityhistory) | | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** | + +> [!NOTE] +> Starting with Windows 11, version 24H2, Windows Hello is further hardened by default to use Virtualization-based security (VBS) to isolate credentials. This enhancement is automatically applied on devices that support VBS and have it enabled. However, it's important to note that PIN history is not supported on such devices. This change aims to enhance security by ensuring that credentials are protected in a more secure environment. From 497e412a379cfea406ed89c515c143e302f3aad4 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Mon, 21 Apr 2025 09:21:58 -0600 Subject: [PATCH 14/22] CSP Changes March --- .../mdm/policies-in-preview.md | 29 +- .../policy-configuration-service-provider.md | 3 +- .../mdm/policy-csp-lanmanserver.md | 557 ++++++++++++ windows/client-management/mdm/toc.yml | 7 + .../mdm/wirelessnetworkpreference-csp.md | 844 ++++++++++++++++++ .../mdm/wirelessnetworkpreference-ddf-file.md | 543 +++++++++++ 6 files changed, 1981 insertions(+), 2 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-lanmanserver.md create mode 100644 windows/client-management/mdm/wirelessnetworkpreference-csp.md create mode 100644 windows/client-management/mdm/wirelessnetworkpreference-ddf-file.md diff --git a/windows/client-management/mdm/policies-in-preview.md b/windows/client-management/mdm/policies-in-preview.md index 6aaae7383f..9be89eb1f4 100644 --- a/windows/client-management/mdm/policies-in-preview.md +++ b/windows/client-management/mdm/policies-in-preview.md 
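Review bot: this NOTE is the expiration.md NOTE with one phrase changed ("PIN history" for "PIN expiration"), so the same gap applies: say what a configured History value does on a VBS-isolated device, and drop the filler last sentence. Because both includes carry identical wording, a single shared include would keep them from drifting apart.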
@@ -1,7 +1,7 @@ --- title: Configuration service provider preview policies description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview. -ms.date: 04/04/2025 +ms.date: 04/21/2025 ms.topic: generated-reference --- @@ -111,6 +111,17 @@ This article lists the policies that are applicable for Windows Insider Preview - [StartInstallation](language-pack-management-csp.md#installlanguage-idstartinstallation) - [SystemPreferredUILanguages](language-pack-management-csp.md#languagesettingssystempreferreduilanguages) +## LanmanServer + +- [AuditClientDoesNotSupportEncryption](policy-csp-lanmanserver.md#auditclientdoesnotsupportencryption) +- [AuditClientDoesNotSupportSigning](policy-csp-lanmanserver.md#auditclientdoesnotsupportsigning) +- [AuditInsecureGuestLogon](policy-csp-lanmanserver.md#auditinsecureguestlogon) +- [AuthRateLimiterDelayInMs](policy-csp-lanmanserver.md#authratelimiterdelayinms) +- [EnableAuthRateLimiter](policy-csp-lanmanserver.md#enableauthratelimiter) +- [EnableMailslots](policy-csp-lanmanserver.md#enablemailslots) +- [MaxSmb2Dialect](policy-csp-lanmanserver.md#maxsmb2dialect) +- [MinSmb2Dialect](policy-csp-lanmanserver.md#minsmb2dialect) + ## LanmanWorkstation - [AuditInsecureGuestLogon](policy-csp-lanmanworkstation.md#auditinsecureguestlogon) 
@@ -218,6 +229,22 @@ This article lists the policies that are applicable for Windows Insider Preview - [DisableSubscription](windowslicensing-csp.md#subscriptionsdisablesubscription) - [RemoveSubscription](windowslicensing-csp.md#subscriptionsremovesubscription) +## WirelessNetworkPreference CSP + +- [IsEnabled](wirelessnetworkpreference-csp.md#isenabled) +- [PreferCellularOverWiFi](wirelessnetworkpreference-csp.md#prefercellularoverwifi) +- [eSIMprofilesCount](wirelessnetworkpreference-csp.md#statusesimprofilescount) +- [eSIMprofilesMatched](wirelessnetworkpreference-csp.md#statusesimprofilesmatched) +- [eSIMpolicyStatus](wirelessnetworkpreference-csp.md#statusesimpolicystatus) +- [NetworkDiscoveryOption](wirelessnetworkpreference-csp.md#parameterscellularparametersnetworkdiscoveryoption) +- [MaxRescanIntervalInSeconds](wirelessnetworkpreference-csp.md#parameterscellularparametersmaxrescanintervalinseconds) +- [PreferredProfileWakeConnectionTimerInSeconds](wirelessnetworkpreference-csp.md#parameterscellularparameterspreferredprofilewakeconnectiontimerinseconds) +- [ProfileRegistrationTimerInSeconds](wirelessnetworkpreference-csp.md#parameterscellularparametersprofileregistrationtimerinseconds) +- [ScreenOffDurationToTriggerNetworkDiscoveryInMinutes](wirelessnetworkpreference-csp.md#parameterscellularparametersscreenoffdurationtotriggernetworkdiscoveryinminutes) +- [Priority](wirelessnetworkpreference-csp.md#connectionprofilesconnectionprofileidpriority) +- [WirelessType](wirelessnetworkpreference-csp.md#connectionprofilesconnectionprofileidwirelesstype) +- [PLMNID](wirelessnetworkpreference-csp.md#connectionprofilesconnectionprofileidcellularplmnid) + ## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index d71bb02821..d622986db6 100644 
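Review bot: in the new "## WirelessNetworkPreference CSP" list the entries are not in alphabetical order (IsEnabled, PreferCellularOverWiFi, eSIMprofilesCount, ..., Priority, WirelessType, PLMNID), unlike the "## LanmanServer" list added to the same file; if the generator emits them in DDF order, sort them so the section matches the others. The list also flattens names that are only unique in context (Priority, WirelessType and PLMNID are per-profile nodes under ConnectionProfiles/{ConnectionProfileID}); showing the parent path, as the anchors already do, would remove the ambiguity.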
--- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1,7 +1,7 @@ --- title: Policy CSP description: Learn more about the Policy CSP. -ms.date: 03/12/2025 +ms.date: 04/21/2025 ms.topic: generated-reference --- @@ -1120,6 +1120,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f - [InternetExplorer](policy-csp-internetexplorer.md) - [Kerberos](policy-csp-kerberos.md) - [KioskBrowser](policy-csp-kioskbrowser.md) +- [LanmanServer](policy-csp-lanmanserver.md) - [LanmanWorkstation](policy-csp-lanmanworkstation.md) - [Licensing](policy-csp-licensing.md) - [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md) diff --git a/windows/client-management/mdm/policy-csp-lanmanserver.md b/windows/client-management/mdm/policy-csp-lanmanserver.md new file mode 100644 index 0000000000..7319615e1f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-lanmanserver.md @@ -0,0 +1,557 @@ +--- +title: LanmanServer Policy CSP +description: Learn more about the LanmanServer Area in Policy CSP. +ms.date: 04/21/2025 +ms.topic: generated-reference +--- + + + + +# Policy CSP - LanmanServer + +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + + + + + + +## AuditClientDoesNotSupportEncryption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanServer/AuditClientDoesNotSupportEncryption +``` + + + + +This policy controls whether the SMB server will log the event when the SMB client doesn't support encryption. + +- If you enable this policy setting, the SMB server will log the event when the SMB client doesn't support encryption. + +- If you disable or don't configure this policy setting, the SMB server won't log the event. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_AuditClientDoesNotSupportEncryption | +| Friendly Name | Audit client does not support encryption | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| Registry Value Name | AuditClientDoesNotSupportEncryption | +| ADMX File Name | LanmanServer.admx | + + + + + + + + + +## AuditClientDoesNotSupportSigning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanServer/AuditClientDoesNotSupportSigning +``` + + + + +This policy controls whether the SMB server will log the event when the SMB client doesn't support signing. + +If you enable this policy setting, the SMB server will log the event when the SMB client doesn't support signing. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_AuditClientDoesNotSupportSigning | +| Friendly Name | Audit client does not support signing | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| Registry Value Name | AuditClientDoesNotSupportSigning | +| ADMX File Name | LanmanServer.admx | + + + + + + + + + +## AuditInsecureGuestLogon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanServer/AuditInsecureGuestLogon +``` + + + + +This policy controls whether the SMB server will enable the audit event when the client is logged-on as guest account. + +- If you enable this policy setting, the SMB server will log the event when the client is logged-on as guest account. + +- If you disable or don't configure this policy setting, the SMB server won't log the event. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_AuditInsecureGuestLogon | +| Friendly Name | Audit insecure guest logon | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| Registry Value Name | AuditInsecureGuestLogon | +| ADMX File Name | LanmanServer.admx | + + + + + + + + + +## AuthRateLimiterDelayInMs + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanServer/AuthRateLimiterDelayInMs +``` + + + + +This policy controls whether the SMB server will use a default value in milliseconds for the invalid authentication delay. + +- If you configure this policy setting, the authentication rate limiter will use the specified value for delaying invalid authentication attempts. + +- If you don't configure this policy setting, the authentication rate limiter will use the default value or the value from local registry under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-10000]` | +| Default Value | 2000 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_AuthRateLimiterDelayInMs | +| Friendly Name | Set authentication rate limiter delay (milliseconds) | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| ADMX File Name | LanmanServer.admx | + + + + + + + + + +## EnableAuthRateLimiter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanServer/EnableAuthRateLimiter +``` + + + + +This policy controls whether the SMB server will enable or disable the authentication rate limiter. + +- If you disable this policy setting, the authentication rate limiter won't be enabled. + +- If you don't configure this policy setting, the authentication rate limiter may still be working depending on the delay settings (the recommended delay value is 2000ms). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_EnableAuthRateLimiter | +| Friendly Name | Enable authentication rate limiter | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| Registry Value Name | EnableAuthRateLimiter | +| ADMX File Name | LanmanServer.admx | + + + + + + + + + +## EnableMailslots + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanServer/EnableMailslots +``` + + + + +This policy controls whether the SMB server will enable or disable remote mailslots over the computer browser service. + +- If you disable this policy setting, the computer browser service will no longer run as expected. + +- If you don't configure this policy setting, the computer browser may still be working with remote mailslots enabled. + +> [!NOTE] +> This policy requires a Windows reboot to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_EnableMailslots | +| Friendly Name | Enable remote mailslots | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\Bowser | +| Registry Value Name | EnableMailslots | +| ADMX File Name | LanmanServer.admx | + + + + + + + + + +## MaxSmb2Dialect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanServer/MaxSmb2Dialect +``` + + + + +This policy controls the maximum version of SMB protocol. + +> [!NOTE] +> This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 785 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 514 | SMB 2.0.2. | +| 528 | SMB 2.1.0. | +| 768 | SMB 3.0.0. | +| 770 | SMB 3.0.2. | +| 785 (Default) | SMB 3.1.1. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MaxSmb2Dialect | +| Friendly Name | Mandate the maximum version of SMB | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| ADMX File Name | LanmanServer.admx | + + + + + + + + + +## MinSmb2Dialect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100.3613] and later
✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanServer/MinSmb2Dialect +``` + + + + +This policy controls the minimum version of SMB protocol. + +> [!NOTE] +> This group policy doesn't prevent use of SMB 1 if that component is still installed and enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 514 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 514 (Default) | SMB 2.0.2. | +| 528 | SMB 2.1.0. | +| 768 | SMB 3.0.0. | +| 770 | SMB 3.0.2. | +| 785 | SMB 3.1.1. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MinSmb2Dialect | +| Friendly Name | Mandate the minimum version of SMB | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| ADMX File Name | LanmanServer.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 28c696c112..51966229d9 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -471,6 +471,8 @@ items: href: policy-csp-kerberos.md - name: KioskBrowser href: policy-csp-kioskbrowser.md + - name: LanmanServer + href: policy-csp-lanmanserver.md - name: LanmanWorkstation href: policy-csp-lanmanworkstation.md - name: Licensing @@ -999,3 +1001,8 @@ items: items: - name: WiredNetwork DDF file href: wirednetwork-ddf-file.md + - name: WirelessNetworkPreference + href: wirelessnetworkpreference-csp.md + items: + - name: WirelessNetworkPreference DDF file + href: wirelessnetworkpreference-ddf-file.md 
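Review bot: the AuthRateLimiterDelayInMs description says the policy controls "whether the SMB server will use a default value in milliseconds", but the node sets the delay itself (range [0-10000], default 2000); reword it to "sets the delay, in milliseconds, applied after a failed authentication attempt", document what 0 means (presumably no delay, which would leave the limiter enabled but ineffective), and describe how it interacts with EnableAuthRateLimiter, whose "don't configure" bullet ("may still be working depending on the delay settings") implies the delay alone governs behaviour. AuditClientDoesNotSupportSigning is missing the "If you disable or don't configure this policy setting ..." bullet that the other two Audit* policies have, and its text is not bulleted. EnableMailslots: the "don't configure" bullet says the computer browser "may still be working with remote mailslots enabled" while the Default Value is 0 (Disabled); state which applies, and confirm that the registry key Software\Policies\Microsoft\Windows\Bowser is intended, since every other policy in this file maps to ...\LanmanServer. MinSmb2Dialect/MaxSmb2Dialect: document what the server does when the minimum exceeds the maximum, and add a sentence that raising the minimum excludes clients that only support lower dialects (for example, 768 turns away SMB 2.0.2 and 2.1 clients), so admins test before rolling it out. The group policy mapping tables for AuthRateLimiterDelayInMs, MaxSmb2Dialect and MinSmb2Dialect lack the Registry Value Name row present in the other tables.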
diff --git a/windows/client-management/mdm/wirelessnetworkpreference-csp.md b/windows/client-management/mdm/wirelessnetworkpreference-csp.md new file mode 100644 index 0000000000..b356a16a04 --- /dev/null +++ b/windows/client-management/mdm/wirelessnetworkpreference-csp.md 
@@ -0,0 +1,844 @@ +--- +title: WirelessNetworkPreference CSP +description: Learn more about the WirelessNetworkPreference CSP. +ms.date: 04/21/2025 +ms.topic: generated-reference +--- + + + + +# WirelessNetworkPreference CSP + +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + + + + + + +The following list shows the WirelessNetworkPreference configuration service provider nodes: + +- ./Device/Vendor/MSFT/WirelessNetworkPreference + - [ConnectionProfiles](#connectionprofiles) + - [{ConnectionProfileID}](#connectionprofilesconnectionprofileid) + - [Cellular](#connectionprofilesconnectionprofileidcellular) + - [PLMNID](#connectionprofilesconnectionprofileidcellularplmnid) + - [Priority](#connectionprofilesconnectionprofileidpriority) + - [WirelessType](#connectionprofilesconnectionprofileidwirelesstype) + - [IsEnabled](#isenabled) + - [Parameters](#parameters) + - [CellularParameters](#parameterscellularparameters) + - [MaxRescanIntervalInSeconds](#parameterscellularparametersmaxrescanintervalinseconds) + - [NetworkDiscoveryOption](#parameterscellularparametersnetworkdiscoveryoption) + - [PreferredProfileWakeConnectionTimerInSeconds](#parameterscellularparameterspreferredprofilewakeconnectiontimerinseconds) + - [ProfileRegistrationTimerInSeconds](#parameterscellularparametersprofileregistrationtimerinseconds) + - [ScreenOffDurationToTriggerNetworkDiscoveryInMinutes](#parameterscellularparametersscreenoffdurationtotriggernetworkdiscoveryinminutes) + - [PreferCellularOverWiFi](#prefercellularoverwifi) + - [Status](#status) + - [eSIMpolicyStatus](#statusesimpolicystatus) + - [eSIMprofilesCount](#statusesimprofilescount) + - [eSIMprofilesMatched](#statusesimprofilesmatched) + + + +## ConnectionProfiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles +``` + + + + +Profiles to connect to wireless networks in a specified priority order. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `node` | +| Access Type | Get | + + + + + + + + + +### ConnectionProfiles/{ConnectionProfileID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles/{ConnectionProfileID} +``` + + + + +Unique identifier of a network preference policy. Unique ID is auto-generated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `node` | +| Access Type | Add, Delete, Get | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### ConnectionProfiles/{ConnectionProfileID}/Cellular + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles/{ConnectionProfileID}/Cellular +``` + + + + +Identifiers for cellular networks. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `node` | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### ConnectionProfiles/{ConnectionProfileID}/Cellular/PLMNID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles/{ConnectionProfileID}/Cellular/PLMNID +``` + + + + +5- or 6-digit string identifying a cellular network. It consists of the combination of Mobile Country Code (MCC) and Mobile Network Code (MNC). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Regular Expression: `^[0-9]{5,6}$` | + + + + + + + + + +#### ConnectionProfiles/{ConnectionProfileID}/Priority + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles/{ConnectionProfileID}/Priority +``` + + + + +Priority of a policy compared to the others where 1 represents the highest priority. Thus, the smaller this value is, the higher preference this specific network will receive in establishing a data connection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-2147483647]` | + + + + + + + + + +#### ConnectionProfiles/{ConnectionProfileID}/WirelessType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles/{ConnectionProfileID}/WirelessType +``` + + + + +Type of wireless network (either Cellular or Wi-Fi). 0 represents Cellular, and 1 represents Wi-Fi. Currently only cellular is supported. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `bin` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Cellular. | +| 1 | Wi-Fi. | + + + + + + + + + +## IsEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/IsEnabled +``` + + + + +It determines whether the wireless connectivity management policy is enabled or not. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `bool` | +| Access Type | Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| False (Default) | Disable the wireless management policy. | +| True | Enable the wireless management policy. | + + + + + + + + + +## Parameters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters +``` + + + + +Parameters to configure the behavior of the wireless connectivity management service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `node` | +| Access Type | Get | + + + + + + + + + +### Parameters/CellularParameters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters/CellularParameters +``` + + + + +Parameters to configure the cellular-specific behavior of the wireless connectivity management service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `node` | +| Access Type | Get | + + + + + + + + + +#### Parameters/CellularParameters/MaxRescanIntervalInSeconds + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters/CellularParameters/MaxRescanIntervalInSeconds +``` + + + + +Maximum time (in seconds) from the point that no connection could be established using the permissible eSIM profiles on the device to the start of the next round of network discovery attempts. A smaller interval increases network discovery frequency and can decrease battery life significantly. A value of 0 means that the device is to pick a reasonable interval per its own discretion. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get, Replace | +| Allowed Values | Range: `[0-360]` | +| Default Value | 0 | + + + + + + + + + +#### Parameters/CellularParameters/NetworkDiscoveryOption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters/CellularParameters/NetworkDiscoveryOption +``` + + + + +Configures which approach should be used in the network discovery process. There are two possible values: (0) no network scan will be performed - rather, registration and connection will be attempted with each eSIM profile in descending order of preference; or (1) Network scan will be performed using the current active eSIM profile. This option works for modems that when performing a network scan show the complete list of available networks independently of which eSIM profile is active. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No network scan will be performed -- rather, registration and connection will be attempted with each eSIM profile in descending order of preference. | +| 1 | Network scan will be performed using the current active eSIM profile. | + + + + + + + + + +#### Parameters/CellularParameters/PreferredProfileWakeConnectionTimerInSeconds + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters/CellularParameters/PreferredProfileWakeConnectionTimerInSeconds +``` + + + + +When the device is woken from sleep with the most-preferred profile already enabled, this value configures the amount of time (in seconds) before the agent will give up on waiting for connection re-establishment with the most-preferred profile and start network discovery. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get, Replace | +| Allowed Values | Range: `[30-360]` | +| Default Value | 200 | + + + + + + + + + +#### Parameters/CellularParameters/ProfileRegistrationTimerInSeconds + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters/CellularParameters/ProfileRegistrationTimerInSeconds +``` + + + + +When evaluating eSIM profiles for connectivity, this value configures the amount of time (in seconds) that the agent will wait for network registration before considering this profile unsatisfactory and moving on to the next one. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get, Replace | +| Allowed Values | Range: `[30-360]` | +| Default Value | 60 | + + + + + + + + + +#### Parameters/CellularParameters/ScreenOffDurationToTriggerNetworkDiscoveryInMinutes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/Parameters/CellularParameters/ScreenOffDurationToTriggerNetworkDiscoveryInMinutes +``` + + + + +When the device experiences screen off and back on, this value configures the minimum duration (in minutes) of the screen off period that will trigger network discovery. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 10 | + + + + + + + + + +## PreferCellularOverWiFi + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/PreferCellularOverWiFi +``` + + + + +It determines the order of preference between Wi-Fi and cellular networks. When the value is set to "False", Wi-Fi is preferred over cellular. When the value is set to "True", cellular is preferred over Wi-Fi. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `bool` | +| Access Type | Get, Replace | +| Default Value | False | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| False (Default) | Prefer Wi-Fi over Cellular. | +| True | Prefer Cellular over Wi-Fi. | + + + + + + + + + +## Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/Status +``` + + + + +Nodes that indicate the status of the wireless connectivity management service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `node` | +| Access Type | Get | + + + + + + + + + +### Status/eSIMpolicyStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/Status/eSIMpolicyStatus +``` + + + + +An integer indicating the current status of the wireless connectivity management service. If the value is zero, there are no errors. \n\n 0 = No errors. \n 1 = No policies are configured. \n 2 = More than one policy has the same priority. \n 3 = More than one policy references the same PLMNID. \n 4 = Invalid PLMNID for one or more of the configured profiles. \n 5 = More than one eSIM profile stored in the eUICC with the same PLMN ID. \n 6 = Invalid configuration value for one or more of the cellular parameters. Please review CSP documentation. \n\n Warning: Any of these errors will result in a complete halt of the wireless connectivity management service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get | + + + + + + + + + +### Status/eSIMprofilesCount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/Status/eSIMprofilesCount +``` + + + + +Count of operational eSIM profiles stored in the eUICC. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get | + + + + + + + + + +### Status/eSIMprofilesMatched + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/WirelessNetworkPreference/Status/eSIMprofilesMatched +``` + + + + +Count of operational eSIM profiles stored on the eUICC whose PLMN matches one of the ConnectionProfileIDs setup under the ConnectionProfiles node. Only matched profiles with no errors will be counted. If more than one eSIM profile with the same PLMN ID is configured on the policy and/or more than one eSIM profile with the same PLMN ID is stored in the eUICC, then they won't be counted even if there is a match. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get | + + + + + + + + + + + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/wirelessnetworkpreference-ddf-file.md b/windows/client-management/mdm/wirelessnetworkpreference-ddf-file.md new file mode 100644 index 0000000000..e23616812e --- /dev/null +++ b/windows/client-management/mdm/wirelessnetworkpreference-ddf-file.md 
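Review bot: In the `Status/eSIMprofilesMatched` description, "whose PLMN matches one of the ConnectionProfileIDs setup under the ConnectionProfiles node" names the wrong identifier: `{ConnectionProfileID}` is documented earlier in this file as a server-generated unique ID, and the value an eSIM profile's PLMN can actually match is the `Cellular/PLMNID` of a connection profile; suggest "whose PLMN ID matches the PLMNID of one of the profiles set up under the ConnectionProfiles node". Three smaller points in the same hunk: the `Status/eSIMpolicyStatus` description carries literal `\n\n` and `\n` escape sequences that will render as text in Markdown, so the seven status codes should become a list or the same "Allowed values" table already used for `WirelessType` and `NetworkDiscoveryOption`, and "Please review CSP documentation." is self-referential on this page and can be dropped; `WirelessType` is listed with Format `bin` although it is a 0/1 enumeration documented exactly like `NetworkDiscoveryOption` (Format `int`), so the format should be confirmed against the DDF; and the eSIMpolicyStatus warning says any error "will result in a complete halt of the wireless connectivity management service" without saying what network selection behavior the device falls back to while halted, which an administrator enforcing a PLMN priority policy needs to know.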
@@ -0,0 +1,543 @@ +--- +title: WirelessNetworkPreference DDF file +description: View the XML file containing the device description framework (DDF) for the WirelessNetworkPreference configuration service provider. +ms.date: 04/21/2025 +ms.topic: generated-reference +--- + + + +# WirelessNetworkPreference DDF file + +The following XML file contains the device description framework (DDF) for the WirelessNetworkPreference configuration service provider. + +```xml + +]> + + 1.2 + + + + WirelessNetworkPreference + ./Device/Vendor/MSFT + + + + + Represents information associated with wireless networks prioritization including detailed connectivity priorities for specific cellular networks with a unique PLMN_ID. + + + + + + + + + + + + + + 99.9.99999 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; + + + + IsEnabled + + + + + + False + It determines whether the wireless connectivity management policy is enabled or not. + + + + + + + + + + + + + + + False + Disable the wireless management policy. + + + True + Enable the wireless management policy. + + + + + + PreferCellularOverWiFi + + + + + + False + It determines the order of preference between Wi-Fi and cellular networks. When the value is set to “False”, Wi-Fi is preferred over cellular. When the value is set to “True”, cellular is preferred over Wi-Fi. + + + + + + + + + + + + + + + False + Prefer Wi-Fi over Cellular. + + + True + Prefer Cellular over Wi-Fi. + + + + + + Status + + + + + Nodes that indicate the status of the wireless connectivity management service. + + + + + + + + + + + + + + + eSIMprofilesCount + + + + + Count of operational eSIM profiles stored in the eUICC. + + + + + + + + + + + + + + + + eSIMprofilesMatched + + + + + Count of operational eSIM profiles stored on the eUICC whose PLMN matches one of the ConnectionProfileIDs setup under the ConnectionProfiles node. 
Only matched profiles with no errors will be counted. If more than one eSIM profile with the same PLMN ID is configured on the policy and/or more than one eSIM profile with the same PLMN ID is stored in the eUICC, then they will not be counted even if there is a match. + + + + + + + + + + + + + + + + eSIMpolicyStatus + + + + + An integer indicating the current status of the wireless connectivity management service. If the value is zero, there are no errors. \n\n 0 = No errors. \n 1 = No policies are configured. \n 2 = More than one policy has the same priority. \n 3 = More than one policy references the same PLMNID. \n 4 = Invalid PLMNID for one or more of the configured profiles. \n 5 = More than one eSIM profile stored in the eUICC with the same PLMN ID. \n 6 = Invalid configuration value for one or more of the cellular parameters. Please review CSP documentation. \n\n Warning: Any of these errors will result in a complete halt of the wireless connectivity management service. + + + + + + + + + + + + + + + + + Parameters + + + + + Parameters to configure the behavior of the wireless connectivity management service. + + + + + + + + + + + + + + + CellularParameters + + + + + Parameters to configure the cellular-specific behavior of the wireless connectivity management service. + + + + + + + + + + + + + + + NetworkDiscoveryOption + + + + + + 0 + Configures which approach should be used in the network discovery process. There are two possible values: (0) no network scan will be performed – rather, registration and connection will be attempted with each eSIM profile in descending order of preference; or (1) Network scan will be performed using the current active eSIM profile. This option works for modems that when performing a network scan show the complete list of available networks independently of which eSIM profile is active. 
+ + + + + + + + + + + + + + + 0 + No network scan will be performed -- rather, registration and connection will be attempted with each eSIM profile in descending order of preference. + + + 1 + Network scan will be performed using the current active eSIM profile. + + + + + + MaxRescanIntervalInSeconds + + + + + + 0 + Maximum time (in seconds) from the point that no connection could be established using the permissible eSIM profiles on the device to the start of the next round of network discovery attempts. A smaller interval increases network discovery frequency and can decrease battery life significantly. A value of 0 means that the device is to pick a reasonable interval per its own discretion. + + + + + + + + + + + + + + [0-360] + + + + + PreferredProfileWakeConnectionTimerInSeconds + + + + + + 200 + When the device is woken from sleep with the most-preferred profile already enabled, this value configures the amount of time (in seconds) before the agent will give up on waiting for connection re-establishment with the most-preferred profile and start network discovery. + + + + + + + + + + + + + + [30-360] + + + + + ProfileRegistrationTimerInSeconds + + + + + + 60 + When evaluating eSIM profiles for connectivity, this value configures the amount of time (in seconds) that the agent will wait for network registration before considering this profile unsatisfactory and moving on to the next one. + + + + + + + + + + + + + + [30-360] + + + + + ScreenOffDurationToTriggerNetworkDiscoveryInMinutes + + + + + + 10 + When the device experiences screen off and back on, this value configures the minimum duration (in minutes) of the screen off period that will trigger network discovery. + + + + + + + + + + + + + + [0-30] + + + + + + + ConnectionProfiles + + + + + Profiles to connect to wireless networks in a specified priority order. + + + + + + + + + + + + + + + + + + + + + + + Unique identifier of a network preference policy. Unique ID is auto-generated. 
+ + + + + + + + + + ConnectionProfileID + + + + + + + + + Priority + + + + + + + + Priority of a policy compared to the others where 1 represents the highest priority. Thus, the smaller this value is, the higher preference this specific network will receive in establishing a data connection. + + + + + + + + + + + + + + [1-2147483647] + + + + + WirelessType + + + + + + + + 0 + Type of wireless network (either Cellular or Wi-Fi). 0 represents Cellular, and 1 represents Wi-Fi. Currently only cellular is supported. + + + + + + + + + + + + + + + 0 + Cellular + + + 1 + Wi-Fi + + + + + + Cellular + + + + + + + Identifiers for cellular networks. + + + + + + + + + + + + + + + PLMNID + + + + + + + + 5- or 6-digit string identifying a cellular network. It consists of the combination of Mobile Country Code (MCC) and Mobile Network Code (MNC). + + + + + + + + + + + + + + ^[0-9]{5,6}$ + + + + + + + + +``` + +## Related articles + +[WirelessNetworkPreference configuration service provider reference](wirelessnetworkpreference-csp.md) From 4e8b0514ed966cef2852ba639a939bf13e5d7dfe Mon Sep 17 00:00:00 2001 From: David Strome <21028455+dstrome@users.noreply.github.com> Date: Mon, 21 Apr 2025 11:45:50 -0700 Subject: [PATCH 15/22] Update StaleBranch cron 0 9 1,15-31 * *, enable workflow_dispatch --- .github/workflows/StaleBranch.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/StaleBranch.yml b/.github/workflows/StaleBranch.yml index 689edaebdc..706487d5b2 100644 --- a/.github/workflows/StaleBranch.yml +++ b/.github/workflows/StaleBranch.yml 
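Review bot: The `eSIMpolicyStatus` Description in this DDF is the origin of the literal `\n` escape sequences that show up in the generated CSP page, so the fix belongs here rather than in the Markdown: write the status codes as plain sentences, or move the per-value text into the enumerated allowed-values structure this DDF already uses for `NetworkDiscoveryOption` and `WirelessType`, if the generator supports that for a Get-only `int` node. The `eSIMprofilesMatched` Description has the same "one of the ConnectionProfileIDs setup under the ConnectionProfiles node" wording as the CSP page; since `ConnectionProfileID` is the server-generated node name, it should say the profile's PLMNID. Minor: the `PreferCellularOverWiFi` Description uses curly quotes (“False”, “True”) and the `NetworkDiscoveryOption` Description an en dash, while the generated page and its Allowed values table use straight quotes and `--`; normalize to ASCII in the DDF so the two stay identical.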
@@ -2,12 +2,17 @@ name: (Scheduled) Stale branch removal permissions: contents: write - + +# This workflow is designed to be run in the days up to, and including, a "deletion day", specified by 'DeleteOnDayOfMonth' in env: in https://github.com/MicrosoftDocs/microsoft-365-docs/blob/workflows-prod/.github/workflows/Shared-StaleBranch.yml. +# On the days leading up to "deletion day", the workflow will report the branches to be deleted. This lets users see which branches will be deleted. On "deletion day", those branches are deleted. +# The workflow should not be configured to run after "deletion day" so that users can review the branches were deleted. +# Recommendation: configure cron to run on days 1,15-31 where 1 is what's configured in 'DeleteOnDayOfMonth'. If 'DeleteOnDayOfMonth' is set to something else, update cron to run the two weeks leading up to it. + on: schedule: - - cron: "0 9 1 * *" + - cron: "0 9 1,15-31 * *" - # workflow_dispatch: + workflow_dispatch: jobs: From 64e94a17cd5cf8df798c75cf24dd99b83a597af8 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 21 Apr 2025 12:13:08 -0700 Subject: [PATCH 16/22] Added Feature Update option question and answer --- .../overview/windows-autopatch-faq.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 6213202ab5..b23c1587ec 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.service: windows-client ms.topic: faq - ms.date: 04/11/2025 + ms.date: 04/21/2025 audience: itpro ms.localizationpriority: medium manager: aaroncz 
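Review bot: Enabling `workflow_dispatch` on a workflow that runs with `permissions: contents: write` and deletes branches lets any collaborator with write access trigger a run on any day, not only during the 1,15-31 window the new cron and comment block describe; confirm that the shared Shared-StaleBranch.yml evaluates `DeleteOnDayOfMonth` on dispatched runs too (so a manual run on, say, day 10 only reports), or add a line to the comment block stating that a manual run on deletion day deletes. Smaller: in the comment block, "so that users can review the branches were deleted" reads better as "so that users can review which branches were deleted".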
@@ -97,6 +97,18 @@ sections: - question: Can I configure when to move to the next ring or is it controlled by Windows Autopatch? answer: | You're in full control over when updates are deployed to their devices. Autopatch groups will recommend a set of intelligent defaults but those are fully customizable so that you can achieve your desired rollout. + - question: What is the expected behavior for turning on the Feature Update option for Autopatch groups? + answer: | + Starting in April 2025, default policies aren't created for new Autopatch customers. Existing customers will continue to receive support until Windows 10 reaches its End-of-Service (EOS). However, these policies won't transition to Windows 11. + + If you created an Autopatch group before April 2025: + - The Feature Update option is unselected by default. + - Selecting the Feature Update option creates a feature update policy for the newly created Autopatch group. This doesn't affect the Global DSS policy. + - The Feature Update option doesn't affect existing releases created before April 2025; these releases remain unchanged + + If you created an Autopatch group after April 2025: + - Selecting the Feature Update option creates a feature update policy and assigns it to all its deployment rings. + - Global DSS policy isn't affected. - name: Hotpatch updates questions: - question: What are the licensing requirements for hotpatch updates? From 8ebe5ce3c883e7462349d0d331ef540dac3e1e86 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 22 Apr 2025 07:15:15 +0200 Subject: [PATCH 17/22] Azure IaaS addition --- .../credential-guard/considerations-known-issues.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md index 61c3a2f4ad..190871aab0 100644 
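Review bot: The new answer uses "Global DSS policy" twice without expanding DSS, and the surrounding FAQ entries in the hunk don't define it either; spell it out on first use. The opening sentence "default policies aren't created for new Autopatch customers" should also name which policies are meant, since the following sentence about Windows 10 End-of-Service otherwise has no clear referent. Formatting: the third bullet under "If you created an Autopatch group before April 2025" ("these releases remain unchanged") lacks the terminal period the other bullets have, and the "after April 2025" list doesn't state whether the Feature Update option is selected by default, which the "before" list does; stating the default in both keeps the two lists parallel.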
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md +++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md @@ -1,5 +1,5 @@ --- -ms.date: 02/25/2025 +ms.date: 04/22/2025 title: Considerations and known issues when using Credential Guard description: Considerations, recommendations, and known issues when using Credential Guard. ms.topic: troubleshooting @@ -112,6 +112,12 @@ When data protected with user DPAPI is unusable, then the user loses access to a **Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). +### Azure Virtual Machines lose access to the data protected by Credential Guard after deallocation + +When an Azure Virtual Machine is deallocated, the underlying hardware is released, causing the keys protected by the TPM to become inaccessible. Consequently, any data protected by those keys also becomes inaccessible. + +For more information, see [States and billing status of Azure Virtual Machines](/azure/virtual-machines/states-billing#power-states-and-billing). + ## Known issues Credential Guard blocks certain authentication capabilities. Applications that require such capabilities won't function when Credential Guard is enabled. From 926625a693dbc3771b15bfd5f80c853ccbcddd95 Mon Sep 17 00:00:00 2001 
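Review bot: The new "Azure Virtual Machines lose access to the data protected by Credential Guard after deallocation" section gives no **Workaround:** paragraph, unlike the DPAPI entry directly above it, which tells users to connect the device to the domain and reboot or use their Encrypting File System Data Recovery Agent certificate; say whether that recovery path applies after deallocation or whether the TPM-bound keys, and therefore the data, are unrecoverable, because the two readings lead to very different operational guidance for VMs whose users rely on Credential Guard-protected DPAPI. Also, the heading says data "protected by Credential Guard" while the body says keys "protected by the TPM"; aligning the two (data protected by keys bound to the VM's TPM) avoids suggesting that Credential Guard itself encrypts user data.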
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 22 Apr 2025 07:57:56 +0200 Subject: [PATCH 18/22] notes updates --- .../hello-for-business/includes/expiration.md | 8 +++++++- .../hello-for-business/includes/history.md | 6 +++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/includes/expiration.md b/windows/security/identity-protection/hello-for-business/includes/expiration.md index 498fe0730d..2d978ef7af 100644 --- a/windows/security/identity-protection/hello-for-business/includes/expiration.md +++ b/windows/security/identity-protection/hello-for-business/includes/expiration.md @@ -17,4 +17,10 @@ The default value is 0. | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**| > [!NOTE] -> Starting with Windows 11, version 24H2, Windows Hello is further hardened by default to use Virtualization-based security (VBS) to isolate credentials. This enhancement is automatically applied on devices that support VBS and have it enabled. However, it's important to note that PIN expiration is not supported on such devices. This change aims to enhance security by ensuring that credentials are protected in a more secure environment. \ No newline at end of file +>Starting with Windows 11, version 23H2, devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) isolate credentials using Virtualization-based security (VBS). +> +> Starting with Windows 11, version 24H2, Windows Hello is enhanced to automatically use VBS to isolate credentials on all devices that support and have VBS enabled. +> +> On such devices, PIN expiration is not supported. + + 
diff --git a/windows/security/identity-protection/hello-for-business/includes/history.md b/windows/security/identity-protection/hello-for-business/includes/history.md index 80d06d2b1b..4571c2398b 100644 --- a/windows/security/identity-protection/hello-for-business/includes/history.md +++ b/windows/security/identity-protection/hello-for-business/includes/history.md @@ -20,4 +20,8 @@ The default value is 0. | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** | > [!NOTE] -> Starting with Windows 11, version 24H2, Windows Hello is further hardened by default to use Virtualization-based security (VBS) to isolate credentials. This enhancement is automatically applied on devices that support VBS and have it enabled. However, it's important to note that PIN history is not supported on such devices. This change aims to enhance security by ensuring that credentials are protected in a more secure environment. +>Starting with Windows 11, version 23H2, devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) isolate credentials using Virtualization-based security (VBS). +> +> Starting with Windows 11, version 24H2, Windows Hello is enhanced to automatically use VBS to isolate credentials on all devices that support and have VBS enabled. +> +> On such devices, PIN history is not supported. From a26298fb56b406c4dc00c60d43dbf466aac69fc1 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 22 Apr 2025 08:10:05 +0200 Subject: [PATCH 19/22] updates --- .../hello-for-business/includes/expiration.md | 4 ++-- .../hello-for-business/includes/history.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
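Review bot: In the expiration.md hunk, the two trailing `+` blank lines after "PIN expiration is not supported." replace the missing end-of-file newline with extra blank lines; a single newline at end of file is enough. In both hunks the first rewritten line reads `>Starting with Windows 11, version 23H2` with no space after `>`, unlike the `> ` lines that follow, and "devices that support and have VBS enabled" is awkward; since the next commit in the series (PATCH 19) rewords exactly these lines, squash the two so the intermediate wording never lands in history.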
diff --git a/windows/security/identity-protection/hello-for-business/includes/expiration.md b/windows/security/identity-protection/hello-for-business/includes/expiration.md index 2d978ef7af..88a546837d 100644 --- a/windows/security/identity-protection/hello-for-business/includes/expiration.md +++ b/windows/security/identity-protection/hello-for-business/includes/expiration.md @@ -17,9 +17,9 @@ The default value is 0. | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**| > [!NOTE] ->Starting with Windows 11, version 23H2, devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) isolate credentials using Virtualization-based security (VBS). +> Starting with Windows 11, version 23H2, Windows Hello uses Virtualization-based security (VBS) to isolate credentials on devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security). > -> Starting with Windows 11, version 24H2, Windows Hello is enhanced to automatically use VBS to isolate credentials on all devices that support and have VBS enabled. +> Starting with Windows 11, version 24H2, Windows Hello uses VBS to isolate credentials on all devices that have VBS enabled. > > On such devices, PIN expiration is not supported. diff --git a/windows/security/identity-protection/hello-for-business/includes/history.md b/windows/security/identity-protection/hello-for-business/includes/history.md index 4571c2398b..2b1c3e1f91 100644 --- a/windows/security/identity-protection/hello-for-business/includes/history.md +++ b/windows/security/identity-protection/hello-for-business/includes/history.md 
@@ -20,8 +20,8 @@ The default value is 0. | **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** | > [!NOTE] ->Starting with Windows 11, version 23H2, devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) isolate credentials using Virtualization-based security (VBS). +> Starting with Windows 11, version 23H2, Windows Hello uses Virtualization-based security (VBS) to isolate credentials on devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security). > -> Starting with Windows 11, version 24H2, Windows Hello is enhanced to automatically use VBS to isolate credentials on all devices that support and have VBS enabled. +> Starting with Windows 11, version 24H2, Windows Hello uses VBS to isolate credentials on all devices that have VBS enabled. > > On such devices, PIN history is not supported. From 61c56ab0fb8d84a4cd212559cb9181eeec4ec331 Mon Sep 17 00:00:00 2001 From: windows1011 <109798701+windows1011@users.noreply.github.com> Date: Wed, 23 Apr 2025 19:16:57 +0530 Subject: [PATCH 20/22] Update choose-how-bitlocker-protected-fixed-drives-can-be-recovered.md --- ...e-how-bitlocker-protected-fixed-drives-can-be-recovered.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-fixed-drives-can-be-recovered.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-fixed-drives-can-be-recovered.md index 7b7748c000..b7060d3576 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-fixed-drives-can-be-recovered.md 
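Review bot: Nothing to object to in the history.md hunk itself, which brings the note into line with the expiration.md change in the same commit; the only remaining nit is that both files still say "devices that support Enhanced Security Settings (ESS)" for 23H2 and "all devices that have VBS enabled" for 24H2 without saying what a device that supports ESS but has VBS disabled does on 23H2, so the reader cannot tell from the note alone whether the 23H2 behaviour also requires VBS to be enabled. A short qualifier on the 23H2 line would close that gap.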
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-fixed-drives-can-be-recovered.md @@ -15,6 +15,10 @@ This policy setting allows you to control how BitLocker-protected fixed data dri - **Save BitLocker recovery information to Active Directory Domain Services**: choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select **Backup recovery password only**, only the recovery password is stored in AD DS - **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives**: prevents users from enabling BitLocker unless the device is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. When using this option, a recovery password is automatically generated. +For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID. + +For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID. + > [!IMPORTANT] > The use of recovery keys must be disallowed if the **Deny write access to fixed drives not protected by BitLocker** policy setting is enabled. From 2de80da258285fabf526996dc66908fcf986fb76 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 23 Apr 2025 09:37:14 -0700 Subject: [PATCH 21/22] rdc-recall-10049089 --- windows/client-management/manage-recall.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/windows/client-management/manage-recall.md b/windows/client-management/manage-recall.md index f8a052962b..50d42807ce 100644 --- a/windows/client-management/manage-recall.md 
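Review bot: The two added sentences about Microsoft Entra hybrid joined and Microsoft Entra joined devices state backup behaviour unconditionally, while the surrounding bullets tie AD DS backup to an explicit choice in this policy ("Backup recovery password and key package" versus "Backup recovery password only"); as written it is unclear which setting governs the Entra ID backup and whether the key package is also backed up to Entra ID or only the recovery password, which is exactly what an admin reading this policy page needs to know for a physically corrupted drive. Suggest stating the setting that controls the Entra ID backup and saying explicitly that only the recovery password (not the key package) goes to Entra ID if that is the case. Style points: use the full product name "Microsoft Entra ID" in both added sentences rather than "Entra ID", and the context bullet above ends without a terminating period ("only the recovery password is stored in AD DS"), which could be fixed while this include is being touched.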
+++ b/windows/client-management/manage-recall.md @@ -3,7 +3,7 @@ title: Manage Recall for Windows clients description: Learn how to manage Recall for commercial environments and about Recall features. ms.topic: how-to ms.subservice: windows-copilot -ms.date: 11/22/2024 +ms.date: 04/23/2025 ms.author: mstewart author: mestew ms.collection: 
@@ -157,18 +157,14 @@ To filter websites from being saved in snapshots, use the **Set a list of URIs t #### Remote desktop connection clients filtered from snapshots -Snapshots won't be saved when remote desktop connection clients are used. The following remote desktop connection clients are filtered from snapshots: +Snapshots won't be saved when supported remote desktop clients are used. The remote desktop connection sessions from the following clients are filtered from snapshots: - [Remote Desktop Connection (mstsc.exe)](/windows-server/administration/windows-commands/mstsc) - [VMConnect.exe](/windows-server/virtualization/hyper-v/learn-more/hyper-v-virtual-machine-connect) - - [Microsoft Remote Desktop from the Microsoft Store](/windows-server/remote/remote-desktop-services/clients/windows) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list. - [Azure Virtual Desktop (MSI)](/azure/virtual-desktop/users/connect-windows) - - [Azure Virtual Desktop apps from the Microsoft Store](/azure/virtual-desktop/users/connect-remote-desktop-client) are saved in snapshots. To prevent these apps from being saved in snapshots, add them to the app filtering list. - - [Remote applications integrated locally (RAIL)](/openspecs/windows_protocols/ms-rdperp/485e6f6d-2401-4a9c-9330-46454f0c5aba) windows - - [Windows App from the Microsoft Store](/windows-app/get-started-connect-devices-desktops-apps) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list. - - + - [Remote applications integrated locally (RAIL)](/openspecs/windows_protocols/ms-rdperp/485e6f6d-2401-4a9c-9330-46454f0c5aba) +Note that clients will be saved by Recall unless the client implements screen capture protection, for example [screen capture protection in Azure Virtual desktop](/azure/virtual-desktop/screen-capture-protection). 
Clients can control how screen capture protection is implemented and may allow some pages to be saved but not the remote session. Customers can always add filters for specific client apps. Check with the provider of your remote client software for details on their screen capture policy. ## Information for developers From 242864e8ff299ccbb78b70c86a948b78f48c56b8 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 23 Apr 2025 10:11:07 -0700 Subject: [PATCH 22/22] rdc-recall-10049089 --- windows/client-management/manage-recall.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/manage-recall.md b/windows/client-management/manage-recall.md index 50d42807ce..e9dbdf8433 100644 --- a/windows/client-management/manage-recall.md +++ b/windows/client-management/manage-recall.md 
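Review bot: The hunk removes the three bullets that named the clients which are saved in snapshots (Microsoft Remote Desktop from the Microsoft Store, the Azure Virtual Desktop Store apps, and Windows App from the Microsoft Store) and replaces them with the general statement "clients will be saved by Recall unless the client implements screen capture protection"; that generalisation is correct in spirit, but it loses the concrete guidance an administrator needs to decide which widely deployed clients to add to the app filtering list, so keep at least those clients as examples in the new note, or explicitly tell the reader to verify each client against the screen capture protection criterion. Two wording points in the added lines: "Snapshots won't be saved when supported remote desktop clients are used" leaves "supported" undefined (supported by whom, for what), and the note starts with "Note that" in body text, which is redundant once it becomes a callout, and refers to "Azure Virtual desktop" where the product name is "Azure Virtual Desktop". Also, the sentence "Customers can always add filters for specific client apps" is the actual mitigation here and would benefit from a link to the app filtering section referenced earlier in the context.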
@@ -164,7 +164,8 @@ Snapshots won't be saved when supported remote desktop clients are used. The rem - [Azure Virtual Desktop (MSI)](/azure/virtual-desktop/users/connect-windows) - [Remote applications integrated locally (RAIL)](/openspecs/windows_protocols/ms-rdperp/485e6f6d-2401-4a9c-9330-46454f0c5aba) -Note that clients will be saved by Recall unless the client implements screen capture protection, for example [screen capture protection in Azure Virtual desktop](/azure/virtual-desktop/screen-capture-protection). Clients can control how screen capture protection is implemented and may allow some pages to be saved but not the remote session. Customers can always add filters for specific client apps. Check with the provider of your remote client software for details on their screen capture policy. +> [!Note] +> Clients will be saved by Recall unless the client implements screen capture protection, for example [screen capture protection in Azure Virtual desktop](/azure/virtual-desktop/screen-capture-protection). Clients can control how screen capture protection is implemented and may allow some pages to be saved but not the remote session. Customers can always add filters for specific client apps. Check with the provider of your remote client software for details on their screen capture policy. ## Information for developers
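Review bot: The callout marker added here is `> [!Note]`, while the other includes touched in this same series (expiration.md and history.md) use `> [!NOTE]`; the uppercase form is what the rest of the repository uses, so change it for consistency. The converted text still begins with "Clients will be saved by Recall unless..." and still says "Azure Virtual desktop" (lowercase "desktop"), so the capitalisation nit from the previous commit carries over; since this commit has the same subject line as patch 21 ("rdc-recall-10049089") and only reformats the sentence that patch introduced, the two should be squashed into one commit so the history shows a single coherent change.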