From a608e58fa568d78845b07f8c32a439e405ac330b Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 30 Mar 2017 12:07:24 -0700 Subject: [PATCH 01/12] proxy page --- .../deploy/upgrade-readiness-data-sharing.md | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 windows/deploy/upgrade-readiness-data-sharing.md diff --git a/windows/deploy/upgrade-readiness-data-sharing.md b/windows/deploy/upgrade-readiness-data-sharing.md new file mode 100644 index 0000000000..dad2b5a63b --- /dev/null +++ b/windows/deploy/upgrade-readiness-data-sharing.md @@ -0,0 +1,55 @@ +--- +title: Upgrade Readiness data sharing +description: Connectivity scenarios for data sharing with Upgrade Readiness +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# Upgrade Readiness data sharing + +To enable data sharing with the Upgrade Readiness solution, the following endpoints must be accessible: + + +| **Endpoint** | **Function** | +|---------------------------------------------------------|-----------| +| `https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. | +| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. | +| `https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. | + +Whitelist these endpoints on your network. This might require working with your organizations's network security group. + +## Connectivity to the Internet + +There are several different methods your organization can use to connect to the Internet, and these methods can affect how authentication is performed by the deployment script. + +### Direct connection to the Internet + +This scenario is very simple since there is no proxy involved. If you are using a network firewall which is blocking outgoing traffic, please keep in mind that even though we provide DNS names for the endpoints needed to communicate to the Microsoft telemetry backend, We therefore do not recommend to attempt to whitelist endpoints on your firewall based on IP-addresses. + +In order to use the direct connection scenario, set the parameter **ClientProxy=Direct** in **runconfig.bat**. + +### Connection through the WinHTTP proxy + +This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication. + +In order to set the WinHTTP proxy system-wide on your computers, you need to +•Use the command netsh winhttp set proxy \:\ +•Set ClientProxy=System in runconfig.bat + +The WinHTTP scenario is most appropriate for customers who use a single proxy or f. If you have more advanced proxy requirements, refer to Scenario 3. + +If you want to learn more about Proxy considerations on Windows, please take a look at this post in the ieinternals blog + +### Logged-in user’s Internet connection + +In order to accommodate complex proxy scenarios, we also support using the currently logged-in user’s internet connection. This scenario supports PAC scripts, proxy autodetection and authentication. 
Essentially, if the logged in user can reach the Windows Telemetry endpoints, the telemetry client can send data. If runconfig.bat runs while no user is logged in, telemetry events get written into a buffer which gets flushed when a user logs in. + +In order to enable this scenario, you need: +- A current quality update Rollup for Windows 7, 8.1 or Windows 10 Version 1511. Updates shipped after October 2016 have the needed code +- Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly. +- Set ClientProxy=User in bat. + + From 1d029d2e9faee48e830877dc48936ab4d46b702d Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 18 Apr 2017 10:35:05 -0700 Subject: [PATCH 02/12] Adding video to waas-overview --- windows/update/waas-overview.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/update/waas-overview.md b/windows/update/waas-overview.md index 0df38fb0e2..466c6d0eb6 100644 --- a/windows/update/waas-overview.md +++ b/windows/update/waas-overview.md 
@@ -21,6 +21,8 @@ localizationpriority: high The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. + + ## Building Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn’t work in today’s rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two to three times per year to help address these issues. From dcc3d5d7d3fa61d9492eb6d4a1f1d82fef384bb0 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 18 Apr 2017 11:00:26 -0700 Subject: [PATCH 03/12] trying to see how align center looks --- windows/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/update/waas-overview.md b/windows/update/waas-overview.md index 466c6d0eb6..0f6ce95d81 100644 --- a/windows/update/waas-overview.md +++ b/windows/update/waas-overview.md 
@@ -21,7 +21,7 @@ localizationpriority: high The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. - + ## Building From 3b6fc232bddc1a01f429081ff4b9348f39825472 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Tue, 18 Apr 2017 11:24:50 -0700 Subject: [PATCH 04/12] remove preview features list (#626) --- ...ows-defender-advanced-threat-protection.md | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md index fb768346fe..07ea7f165f 100644 --- a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md 
@@ -29,24 +29,3 @@ Learn about new features in the Windows Defender ATP preview release and be amon You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. For more information, see [Turn on the preview experience](preview-settings-windows-defender-advanced-threat-protection.md). - -## Preview features -The following features are included in the preview release: - -- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. - - [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) - - [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation) - - [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) - -- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. - - [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) - - [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) - - [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) - -- [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. 
- - [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) - -- [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) - Create custom threat intelligence alerts using the threat intelligence API to generate alerts that are applicable to your organization. - ->[!NOTE] -> All response actions require machines to be on the latest Windows 10, version 1703. From 1fbb4298fc6d0e8319ffd5e74269c7a9a98c89ca Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 18 Apr 2017 11:56:55 -0700 Subject: [PATCH 05/12] Trying center align with table --- windows/update/waas-overview.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/update/waas-overview.md b/windows/update/waas-overview.md index 0f6ce95d81..2e0ad9e6f2 100644 --- a/windows/update/waas-overview.md +++ b/windows/update/waas-overview.md @@ -21,7 +21,9 @@ localizationpriority: high The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. - +| | +| :---: | +| | ## Building From 83fa16c9a6ed565603b6ca8f340c967324eb4398 Mon Sep 17 00:00:00 2001 From: Celeste de Guzman Date: Tue, 18 Apr 2017 13:12:20 -0700 Subject: [PATCH 06/12] updated the group policy section in SetEduPolicies to include additional info from PM --- .../windows/configure-windows-for-education.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) 
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 85dfe0c547..897f7df8c4 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -113,7 +113,21 @@ Use one of these methods to set this policy. ![Create an OMA URI for SetEduPolices](images/setedupolicies_omauri.png) ### Group Policy -**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/dn905224(v=vs.85).aspx) to set the policy in [MDM SharedPC](https://msdn.microsoft.com/en-us/library/windows/desktop/mt779129(v=vs.85).aspx). +**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/dn905224(v=vs.85).aspx) to set the policy in [MDM SharedPC](https://msdn.microsoft.com/en-us/library/windows/desktop/mt779129(v=vs.85).aspx). + +For example: + +- Open PowerShell as an administrator and enter the following: + + ``` + $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" + + $sharedPC.SetEduPolicies = $True + + Set-CimInstance -CimInstance $sharedPC + + Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass + ``` ### Provisioning tools - [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates. From 25a2b1e67f51713047b14511d41bf623531f0b2e Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 18 Apr 2017 13:13:18 -0700 Subject: [PATCH 07/12] added to table --- .../upgrade-readiness-deployment-script.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/windows/deploy/upgrade-readiness-deployment-script.md b/windows/deploy/upgrade-readiness-deployment-script.md index f8d311cd6b..43870037ce 100644 
--- a/windows/deploy/upgrade-readiness-deployment-script.md +++ b/windows/deploy/upgrade-readiness-deployment-script.md @@ -264,6 +264,26 @@ or
**HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersio Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. Check the logs for the exception message and HResult. +44 +Function **Diagtrack.dll** version is old and so Auth Proxy will not work. +Update the computer using Windows Update or WSUS. + +45 +**Diagtrack.dll** not found. +Update the computer using Windows Update or WSUS. + +46 +**DisableEnterpriseAuthProxy** property should be set to 1 for ClientProxy=Telemetry to work. +The ClientProxy=Telemetry scenario requires the **DisableEnterpriseAuthProxy** registry key to be set to 1 at registry path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. + +47 +**TelemetryProxyServer** property is not present in the Windows registry at **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. +ClientProxy selected is Telemetry. The **TelemetryProxyServer** key is not present at Windows registry path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. + +48 +The **CommercialID** referenced in RunConfig.bat must be a GUID. +The **CommercialID** that is entered in RunConfig.bat must be a GUID. Copy the commercial ID from your workspace. To find the commercialID on the OMS portal, view Upgrade Readiness > Settings. You will find the commercial ID on the settings page. +
From 109c9c2c8e57c1e15c6106f2060b3dcd6c419a94 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 18 Apr 2017 13:16:54 -0700 Subject: [PATCH 08/12] reverting back to no center alignment --- windows/update/waas-overview.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/update/waas-overview.md b/windows/update/waas-overview.md index 2e0ad9e6f2..0f6ce95d81 100644 --- a/windows/update/waas-overview.md +++ b/windows/update/waas-overview.md @@ -21,9 +21,7 @@ localizationpriority: high The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. -| | -| :---: | -| | + ## Building From 2022e4b0fb36271d26d96c9edd6387e11f9d41ab Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 18 Apr 2017 13:36:32 -0700 Subject: [PATCH 09/12] Changing reference for removed apps in what's new --- windows/whats-new/whats-new-windows-10-version-1703.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 39fdc71f0c..285eefdb36 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -202,7 +202,7 @@ To check out all the details, see [Configure Delivery Optimization for Windows 1 ### Uninstalled in-box apps no longer automatically reinstall -When upgrading to Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. (Apps de-provisioned by IT administrators will still be reinstalled.) +Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the next feature update installation process. (Apps de-provisioned by IT administrators will still be reinstalled) ## Management From 9e5db828bc0bd8469095b42e6a1867f34c70aacc Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 18 Apr 2017 13:54:38 -0700 Subject: [PATCH 10/12] new connection table added --- windows/deploy/upgrade-readiness-get-started.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/windows/deploy/upgrade-readiness-get-started.md b/windows/deploy/upgrade-readiness-get-started.md index 7cb98c4cf2..58111403a5 100644 --- a/windows/deploy/upgrade-readiness-get-started.md +++ b/windows/deploy/upgrade-readiness-get-started.md @@ -79,14 +79,23 @@ For Upgrade Readiness to receive and display upgrade readiness data from Microso To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this. -Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) to learn what you need to do to run it under the logged on user account. - | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| | `https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. | | `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. | | `https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. | +Note: The compatibility update KB runs under the computer’s system account. + +### Connection settings + +The settings that are used to enable client computers to connect to Windows Telemetry depend on the type of connection scenario you use. These scenarios are discussed in [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) and are summarized below. + +| **Connection scenario** | **ClientProxy setting** | **Local computer configuration** | +|---------------------------------------------------------|-----------|-----------| +| Direct connection to the Internet (no proxy) | Set **ClientProxy=Direct** in **runconfig.bat** | No other configuration necessary | +| WinHTTP proxy | Set **ClientProxy=System** in **runconfig.bat** | Specify `netsh winhttp set proxy :` on client computers | +| Other proxy | Set **ClientProxy=User** in **runconfig.bat** | Configure the Windows Registry value **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy** to 0 on client computers | ## Deploy the compatibility update and related KBs From 2dc04c2aed788be269a5ff5254ee7bca28e55314 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 18 Apr 2017 14:05:34 -0700 Subject: [PATCH 11/12] edited table slightly --- windows/deploy/upgrade-readiness-get-started.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deploy/upgrade-readiness-get-started.md b/windows/deploy/upgrade-readiness-get-started.md index 58111403a5..d9c9b0ca14 100644 --- a/windows/deploy/upgrade-readiness-get-started.md +++ b/windows/deploy/upgrade-readiness-get-started.md 
@@ -91,11 +91,11 @@ Note: The compatibility update KB runs under the computer’s system account. The settings that are used to enable client computers to connect to Windows Telemetry depend on the type of connection scenario you use. These scenarios are discussed in [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) and are summarized below. -| **Connection scenario** | **ClientProxy setting** | **Local computer configuration** | +| **Connection scenario** | **ClientProxy setting**
in **runconfig.bat** | **Local computer configuration** | |---------------------------------------------------------|-----------|-----------| -| Direct connection to the Internet (no proxy) | Set **ClientProxy=Direct** in **runconfig.bat** | No other configuration necessary | -| WinHTTP proxy | Set **ClientProxy=System** in **runconfig.bat** | Specify `netsh winhttp set proxy :` on client computers | -| Other proxy | Set **ClientProxy=User** in **runconfig.bat** | Configure the Windows Registry value **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy** to 0 on client computers | +| Direct connection to the Internet (no proxy) | **ClientProxy=Direct** | No additional configuration necessary | +| WinHTTP proxy | **ClientProxy=System** | Specify `netsh winhttp set proxy :` on client computers | +| Other proxy | **ClientProxy=User** | Configure the Windows Registry value: **HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy** to 0 on client computers | ## Deploy the compatibility update and related KBs From 8f42c079194cbe9c3485652fbce47030882529ca Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 18 Apr 2017 14:25:04 -0700 Subject: [PATCH 12/12] reg key --- windows/deploy/upgrade-readiness-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/upgrade-readiness-get-started.md b/windows/deploy/upgrade-readiness-get-started.md index d9c9b0ca14..f8dbb049ab 100644 --- a/windows/deploy/upgrade-readiness-get-started.md +++ b/windows/deploy/upgrade-readiness-get-started.md 
@@ -95,7 +95,7 @@ The settings that are used to enable client computers to connect to Windows Tele |---------------------------------------------------------|-----------|-----------| | Direct connection to the Internet (no proxy) | **ClientProxy=Direct** | No additional configuration necessary | | WinHTTP proxy | **ClientProxy=System** | Specify `netsh winhttp set proxy :` on client computers | -| Other proxy | **ClientProxy=User** | Configure the Windows Registry value: **HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy** to 0 on client computers | +| Other proxy | **ClientProxy=User** | Configure the Windows Registry value:

**HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy**

to 0 on client computers | ## Deploy the compatibility update and related KBs
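
Review bot: In [PATCH 01/12] (upgrade-readiness-data-sharing.md), the "Direct connection to the Internet" paragraph loses its reasoning: "even though we provide DNS names for the endpoints needed to communicate to the Microsoft telemetry backend, We therefore do not recommend" goes from the concession straight to the conclusion, so the reader never learns why IP-based whitelisting is discouraged. Please restore the missing clause. Further down the same hunk, `netsh winhttp set proxy \:\` shows no host or port placeholder, "a single proxy or f." is cut off mid-word, "refer to Scenario 3" points at a number that none of the headings carry, the ieinternals post is mentioned without a link, "organizations's" is misspelled, and the last bullet says "Set ClientProxy=User in bat." where the other two scenarios name runconfig.bat.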
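
Review bot: In [PATCH 06/12] (configure-windows-for-education.md), the last line of the added PowerShell example, `Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass`, uses two variables that are never assigned in the snippet; the first line passes the namespace and class as string literals instead. As written, the verification step has nothing to query. Either assign `$namespaceName` and `$MDM_SharedPCClass` at the top and use them in both calls, or repeat "root\cimv2\mdm\dmmap" and "MDM_SharedPC" in the last line. The fence could also carry a language tag, and "For example:" followed by a single bullet reads better as one sentence.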
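
Review bot: In [PATCH 07/12] (upgrade-readiness-deployment-script.md), error codes 46 and 47 depend on a ClientProxy=Telemetry scenario and a **TelemetryProxyServer** registry value that the connectivity documentation in this series never describes: the data-sharing page in 01/12 and the connection table in 10/12 list only Direct, System and User. Code 46 also requires **DisableEnterpriseAuthProxy** to be 1, the opposite of the 0 required for ClientProxy=User, so an administrator switching scenarios needs that contrast stated where the scenarios are documented. Please add the Telemetry scenario there or link to its description. In code 44, "Function **Diagtrack.dll** version is old" appears to carry a stray "Function" from the neighbouring entries.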
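
Review bot: In [PATCH 09/12] (whats-new-windows-10-version-1703.md), the replacement line drops the full stop inside the closing parenthetical: the removed line ends "will still be reinstalled.)" and the added line ends "will still be reinstalled)". Restore the full stop so the parenthetical sentence is terminated.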
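
Review bot: In [PATCH 10/12] (upgrade-readiness-get-started.md), the "Other proxy" row of the new connection table lists only the **DisableEnterpriseAuthProxy** registry value, while the data-sharing page added in 01/12 also requires a quality update rollup shipped after October 2016 for ClientProxy=User; add that prerequisite to the row or link to that page. The WinHTTP row's `netsh winhttp set proxy :` shows no host or port placeholder. The hunk also cuts the note down to "The compatibility update KB runs under the computer's system account." and drops the sentence about user authenticated proxies, so the note no longer says why the account matters; consider pointing it at the new "Connection settings" section.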