deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into cz-7323865-ie-2302

Browse Source
This commit is contained in:
Aaron Czechowski 2023-02-14 06:19:02 -08:00 committed by GitHub
commit 89409a389b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
80 changed files with 1857 additions and 522 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
browsers/edge/docfx.json
View File

@ -28,6 +28,9 @@
],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier3"
],
"breadcrumb_path": "/microsoft-edge/breadcrumbs/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge",

3
browsers/internet-explorer/docfx.json
View File

@ -24,6 +24,9 @@
],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier3"
],
"breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.topic": "article",

5
education/docfx.json
View File

@ -29,7 +29,10 @@
"globalMetadata": {
"recommendations": true,
"ms.topic": "article",
"ms.collection": "education",
"ms.collection": [
"education",
"tier2"
],
"ms.prod": "windows-client",
"ms.technology": "itpro-edu",
"author": "paolomatarazzo",

1
education/windows/autopilot-reset.md
View File

@ -7,6 +7,7 @@ appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection:
- highpri
- tier2
- education
---

3
education/windows/change-home-to-edu.md
View File

@ -7,6 +7,9 @@ author: scottbreenmsft
ms.author: scbree
ms.reviewer: paoloma
manager: jeffbu
ms.collection:
- tier3
- education
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---

3
education/windows/change-to-pro-education.md
View File

@ -7,6 +7,7 @@ appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection:
- highpri
- tier2
- education
---
@ -147,7 +148,7 @@ Existing Azure AD domain joined devices will be changed to Windows 10 Pro Educat
### For new devices that are not Azure AD joined
Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition.
#### Step 1: Join users devices to Azure AD
#### Step 1: Join users' devices to Azure AD
Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607 or higher, version 1703.

4
education/windows/configure-aad-google-trust.md
View File

@ -1,7 +1,7 @@
---
title: Configure federation between Google Workspace and Azure AD
description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD.
ms.date: 01/17/2023
ms.date: 02/10/2023
ms.topic: how-to
---
@ -42,7 +42,7 @@ To test federation, the following prerequisites must be met:
1. On the *Service provider details* page
- Select the option **Signed response**
- Verify that the Name ID format is set to **PERSISTENT**
- Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping. For more information, see (article to write).\
- Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\
If using Google auto-provisioning, select **Basic Information > Primary email**
- Select **Continue**
1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes

1
education/windows/edu-stickers.md
View File

@ -8,6 +8,7 @@ appliesto:
ms.collection:
- highpri
- education
- tier2
---
# Configure Stickers for Windows 11 SE

4
education/windows/federated-sign-in.md
View File

@ -5,6 +5,10 @@ ms.date: 01/12/2023
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
- highpri
- tier1
- education
---
<!-- MAXADO-6286399 -->

1
education/windows/get-minecraft-for-education.md
View File

@ -8,6 +8,7 @@ appliesto:
ms.collection:
- highpri
- education
- tier2
---
# Get Minecraft: Education Edition

7
education/windows/school-get-minecraft.md
View File

@ -8,6 +8,7 @@ appliesto:
ms.collection:
- highpri
- education
- tier2
---
# For IT administrators - get Minecraft: Education Edition
@ -34,7 +35,7 @@ If you turn off this setting after students have been using Minecraft: Education
Users in a Microsoft verified academic institution account will have access to the free trial limited logins for Minecraft: Education Edition. This grants faculty accounts 25 free logins and student accounts 10 free logins. To purchase direct licenses, see [Minecraft: Education Edition - direct purchase](#individual-copies).
If youve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
If you've been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license).
### <a href="" id="individual-copies"></a>Minecraft: Education Edition - direct purchase
@ -48,7 +49,7 @@ If youve been approved and are part of the Enrollment for Education Solutions
5. Select the quantity of licenses you would like to purchase and select **Place Order**.
6. After youve purchased licenses, youll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users).
6. After you've purchased licenses, you'll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users).
If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
@ -57,7 +58,7 @@ If you need additional licenses for **Minecraft: Education Edition**, see [Buy o
Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory.
- Youll receive an email with a link to Microsoft Store for Education.
- You'll receive an email with a link to Microsoft Store for Education.
- Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
## Minecraft: Education Edition payment options

1
education/windows/teacher-get-minecraft.md
View File

@ -8,6 +8,7 @@ appliesto:
ms.collection:
- highpri
- education
- tier2
---
# For teachers - get Minecraft: Education Edition

1
education/windows/test-windows10s-for-edu.md
View File

@ -8,6 +8,7 @@ appliesto:
ms.collection:
- highpri
- education
- tier2
---
# Test Windows 10 in S mode on existing Windows 10 education devices

1
education/windows/windows-11-se-overview.md
View File

@ -8,6 +8,7 @@ appliesto:
ms.collection:
- highpri
- education
- tier1
---
# Windows 11 SE Overview

3
education/windows/windows-11-se-settings-list.md
View File

@ -5,6 +5,9 @@ ms.topic: article
ms.date: 09/12/2022
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
- education
- tier1
---
# Windows 11 SE for Education settings list

3
store-for-business/docfx.json
View File

@ -32,6 +32,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
"ms.author": "trudyha",
"audience": "ITPro",

3
windows/application-management/docfx.json
View File

@ -35,6 +35,9 @@
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"ms.collection": [
"tier2"
],
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "itpro-apps",
"ms.topic": "article",

210
windows/application-management/system-apps-windows-client-os.md
View File

@ -43,314 +43,314 @@ The following information lists the system apps on some Windows Enterprise OS ve
- File Picker | Package name: 1527c705-839a-4832-9118-54d4Bd6a0c89
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- File Explorer | Package name: c5e2524a-ea46-4f67-841f-6a9465d9d515
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- App Resolver UX | Package name: E2A4F912-2574-4A75-9BB0-0D023378592B
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Add Suggested Folders To Library | Package name: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- InputApp
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | | | ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | | | ✔️ |
---
- Microsoft.AAD.Broker.Plugin | Package name: Microsoft.AAD.Broker.Plugin
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.AccountsControl | Package name: Microsoft.AccountsControl
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.AsyncTextService | Package name: Microsoft.AsyncTextService
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Hello setup UI | Package name: Microsoft.BioEnrollment
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.CredDialogHost
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.ECApp
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.LockApp
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft Edge | Package name: Microsoft.MicrosoftEdge
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.MicrosoftEdgeDevToolsClient
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.PPIProjection
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | | | ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | | | ✔️ |
---
- Microsoft.Win32WebViewHost
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.Apprep.ChxApp
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.AssignedAccessLockApp
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.CapturePicker
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.CloudExperienceHost
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.ContentDeliveryManager
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Cortana | Package name: Microsoft.Windows.Cortana
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | | | ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | | | ✔️ |
---
- Microsoft.Windows.OOBENetworkCaptivePort
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.OOBENetworkConnectionFlow
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.ParentalControls
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- People Hub | Package name: Microsoft.Windows.PeopleExperienceHost
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.PinningConfirmationDialog
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.SecHealthUI
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.SecureAssessmentBrowser
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Start | Package name: Microsoft.Windows.ShellExperienceHost
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.XboxGameCallableUI
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Windows.CBSPreview
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Settings | Package name: Windows.immersivecontrolpanel
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---
- Print 3D | Package name: Windows.Print3D
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ✔️ | | | ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ✔️ | ✔️ | | | ✔️ |
---
- Print UI | Package name: Windows.PrintDialog
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
| Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 |
| --- | --- | --- | --- | --- | --- |
| | ❌ | ❌ | ✔️ | ✔️| ✔️ |
---

3
windows/client-management/docfx.json
View File

@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "itpro-manage",

4
windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 02/10/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -4538,7 +4538,7 @@ The first several links will also be pinned to the Start menu. A total of four l
<!-- TryHarderPinnedOpenSearch-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, <https://www.example.com/results.aspx?q=>{searchTerms}).
This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, `https://www.example.com/results.aspx?q={searchTerms}`).
You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.

34
windows/client-management/mdm/policy-csp-audit.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 02/10/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -343,7 +343,7 @@ Volume: Low.
<!-- AccountLogonLogoff_AuditGroupMembership-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event.
This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event.
<!-- AccountLogonLogoff_AuditGroupMembership-Description-End -->
<!-- AccountLogonLogoff_AuditGroupMembership-Editable-Begin -->
@ -836,7 +836,7 @@ Volume: Low.
<!-- AccountLogonLogoff_AuditSpecialLogon-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (<https://go.microsoft.com/fwlink/?LinkId=121697)>.
This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](<https://go.microsoft.com/fwlink/?LinkId=121697>).
<!-- AccountLogonLogoff_AuditSpecialLogon-Description-End -->
<!-- AccountLogonLogoff_AuditSpecialLogon-Editable-Begin -->
@ -1083,7 +1083,7 @@ Volume: Low.
<!-- AccountManagement_AuditDistributionGroupManagement-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to distribution groups such as the following Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a distribution group changes
- If you do not configure this policy setting, no audit event is generated when a distribution group changes.
> [!NOTE]
> Events in this subcategory are logged only on domain controllers.
@ -1120,7 +1120,7 @@ Volume: Low.
| Name | Value |
|:--|:--|
| Name | Audit Distributio Group Management |
| Name | Audit Distribution Group Management |
| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management |
<!-- AccountManagement_AuditDistributionGroupManagement-GpMapping-End -->
@ -1332,7 +1332,7 @@ Volume: Low.
<!-- DetailedTracking_AuditDPAPIActivity-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see <https://go.microsoft.com/fwlink/?LinkId=121720>. If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests.
This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to Use Data Protection](/dotnet/standard/security/how-to-use-data-protection). If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests.
- If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI.
<!-- DetailedTracking_AuditDPAPIActivity-Description-End -->
@ -1825,7 +1825,7 @@ Volume: High on domain controllers. None on client computers.
<!-- DSAccess_AuditDirectoryServiceChanges-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged
This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged.
> [!NOTE]
> Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded.
@ -2135,7 +2135,7 @@ Volume: Medium or Low on computers running Active Directory Certificate Services
<!-- ObjectAccess_AuditDetailedFileShare-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures
This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures.
> [!NOTE]
> There are no system access control lists (SACLs) for shared folders.
@ -2201,7 +2201,7 @@ Volume: High on a file server or domain controller because of SYSVOL network acc
<!-- ObjectAccess_AuditFileShare-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder.
- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures
- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures.
> [!NOTE]
> There are no system access control lists (SACLs) for shared folders.
@ -2267,7 +2267,7 @@ Volume: High on a file server or domain controller because of SYSVOL network acc
<!-- ObjectAccess_AuditFileSystem-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see <https//go.microsoft.com/fwlink/?LinkId=122083>. If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL
- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL.
> [!NOTE]
> You can set a SACL on a file system object using the Security tab in that object's Properties dialog box.
@ -2455,7 +2455,7 @@ Volume: High.
<!-- ObjectAccess_AuditHandleManipulation-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a handle is manipulated
- If you do not configure this policy setting, no audit event is generated when a handle is manipulated.
> [!NOTE]
> Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated.
@ -2519,7 +2519,7 @@ Volume: Depends on how SACLs are configured.
<!-- ObjectAccess_AuditKernelObject-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events
This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events.
> [!NOTE]
> The Audit Audit the access of global system objects policy setting controls the default SACL of kernel objects.
@ -2645,7 +2645,7 @@ Volume: Low.
<!-- ObjectAccess_AuditRegistry-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL
- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL.
> [!NOTE]
> You can set a SACL on a registry object using the Permissions dialog box.
@ -2771,10 +2771,10 @@ This policy setting allows you to audit user attempts to access file system obje
<!-- ObjectAccess_AuditSAM-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following SAM_ALIAS -- A local group. SAM_GROUP -- A group that is not a local group. SAM_USER - A user account. SAM_DOMAIN - A domain. SAM_SERVER - A computer account. If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made
- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made.
> [!NOTE]
> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (<https//go.microsoft.com/fwlink/?LinkId=121698)>.
> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698).
<!-- ObjectAccess_AuditSAM-Description-End -->
<!-- ObjectAccess_AuditSAM-Editable-Begin -->
@ -2836,7 +2836,7 @@ Volume: High on domain controllers. For more information about reducing the numb
<!-- PolicyChange_AuditAuthenticationPolicyChange-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to the authentication policy such as the following Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name. If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed
- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed.
> [!NOTE]
> The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified.
@ -3147,7 +3147,7 @@ Volume: Low.
<!-- PolicyChange_AuditPolicyChange-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list
This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list.
> [!NOTE]
> System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change.

2
windows/client-management/mdm/policy-csp-browser.md
View File

@ -3248,7 +3248,7 @@ Related Documents:
- [Find a package family name (PFN) for per-app VPN](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
- [How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business)
- [Assign apps to groups with Microsoft Intune](/mem/intune/apps-deploy)
- [Assign apps to groups with Microsoft Intune](/mem/intune/apps/apps-deploy)
- [Manage apps from the Microsoft Store for Business and Education with Configuration Manager](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows)
<!-- PreventTurningOffRequiredExtensions-Editable-End -->

8
windows/client-management/mdm/policy-csp-defender.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 02/10/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1164,7 +1164,7 @@ This setting applies to scheduled scans, but it has no effect on scans initiated
<!-- CloudBlockLevel-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site
This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see [Specify the cloud protection level](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus).
> [!NOTE]
> This feature requires the Join Microsoft MAPS setting enabled in order to function.
@ -1232,7 +1232,7 @@ This policy setting determines how aggressive Windows Defender Antivirus will be
<!-- CloudExtendedTimeout-Description-Begin -->
<!-- Description-Source-DDF -->
This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds
This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
> [!NOTE]
> This feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required.
@ -1980,7 +1980,7 @@ Allows an administrator to specify a list of directory paths to ignore during a
<!-- ExcludedProcesses-Description-Begin -->
<!-- Description-Source-DDF -->
Allows an administrator to specify a list of files opened by processes to ignore during a scan
Allows an administrator to specify a list of files opened by processes to ignore during a scan.
> [!IMPORTANT]
> The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C\Example. exe|C\Example1.exe.

2
windows/client-management/mdm/uefi-csp.md
View File

@ -31,7 +31,7 @@ The UEFI Configuration Service Provider (CSP) interfaces to UEFI's Device Firmwa
> The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
> [!NOTE]
> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/) to comply with this interface.
> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Feature/) to comply with this interface.
The following shows the UEFI CSP in tree format.
```

3
windows/configuration/docfx.json
View File

@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "itpro-configure",

25
windows/deployment/TOC.yml
View File

@ -65,6 +65,8 @@
href: /windows/whats-new/feature-lifecycle?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Deprecated features
href: /windows/whats-new/deprecated-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Resources for deprecated features
href: /windows/whats-new/deprecated-features-resources?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Removed features
href: /windows/whats-new/removed-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: Prepare
@ -164,19 +166,30 @@
href: update/waas-configure-wufb.md
- name: Use Windows Update for Business and WSUS
href: update/wufb-wsus.md
- name: Windows Update for Business deployment service
href: update/deployment-service-overview.md
items:
- name: Troubleshoot the Windows Update for Business deployment service
href: update/deployment-service-troubleshoot.md
- name: Enforcing compliance deadlines for updates
href: update/wufb-compliancedeadlines.md
- name: Integrate Windows Update for Business with management solutions
href: update/waas-integrate-wufb.md
- name: 'Walkthrough: use Group Policy to configure Windows Update for Business'
href: update/waas-wufb-group-policy.md
- name: 'Walkthrough: use Intune to configure Windows Update for Business'
- name: 'Walkupdatesthrough: use Intune to configure Windows Update for Business'
href: update/deploy-updates-intune.md
- name: Windows Update for Business deployment service
items:
- name: Windows Update for Business deployment service overview
href: update/deployment-service-overview.md
- name: Prerequisites for Windows Update for Business deployment service
href: update/deployment-service-prerequisites.md
- name: Deploy updates with the deployment service
items:
- name: Deploy feature updates using Graph Explorer
href: update/deployment-service-feature-updates.md
- name: Deploy expedited updates using Graph Explorer
href: update/deployment-service-expedited-updates.md
- name: Deploy driver and firmware updates using Graph Explorer
href: update/deployment-service-drivers.md
- name: Troubleshoot Windows Update for Business deployment service
href: update/deployment-service-troubleshoot.md
- name: Monitor
items:
- name: Windows Update for Business reports

2
windows/deployment/do/TOC.yml
View File

@ -55,7 +55,7 @@
items:
- name: Frequently Asked Questions
href: mcc-isp-faq.yml
- name: Enhancing VM performance
- name: Enhancing cache performance
href: mcc-isp-vm-performance.md
- name: Support and troubleshooting
href: mcc-isp-support.md

BIN
windows/deployment/do/images/mcc-isp-create-resource-fields.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 306 KiB

BIN
windows/deployment/do/images/mcc-isp-create-resource-validated.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 171 KiB

26
windows/deployment/do/mcc-enterprise-appendix.md
View File

@ -12,7 +12,7 @@ ms.technology: itpro-updates
# Appendix
## Steps to obtain an Azure Subscription ID
## Steps to obtain an Azure subscription ID
<!--Using include file, get-azure-subscription.md, do/mcc-isp.md for shared content-->
[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]
@ -23,12 +23,20 @@ If you're not able to sign up for a Microsoft Azure subscription with the **Acco
- [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription).
- [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up).
## Installing on VMWare
## Hardware specifications
We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMWare. To do so, there are a couple of additional configurations to be made:
Most customers choose to install their cache node on a Windows Server with a nested Hyper-V VM. If this isn't supported in your network, some customers have also opted to install their cache node using VMware. At this time, a Linux-only solution isn't available and Azure VMs don't support the standalone Microsoft Connected Cache.
### Installing on VMware
We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMware. To do so, there are a couple of additional configurations to be made:
1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**.
1. Using the HyperV Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**.
1. Using the Hyper-V Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**.
### Installing on Hyper-V
To learn more about how to configure Intel and AMD processors to support nested virtualization, see [Run Hyper-V in a Virtual Machine with Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization).
## Diagnostics Script
@ -65,17 +73,17 @@ communication operations. The runtime performs several functions:
For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge).
## Routing local Windows Clients to an MCC
## Routing local Windows clients to an MCC
### Get the IP address of your MCC using ifconfig
There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC.
#### Registry Key
#### Registry key
You can either set your MCC IP address or FQDN using:
1. Registry Key (version 1709 and later):
1. Registry key (version 1709 and later):
`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization`
</br>
"DOCacheHost"=" "
@ -86,7 +94,7 @@ You can either set your MCC IP address or FQDN using:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f
```
1. MDM Path (version 1809 and later):
1. MDM path (version 1809 and later):
`.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost`
@ -95,7 +103,7 @@ You can either set your MCC IP address or FQDN using:
:::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png":::
**Verify Content using the DO Client**
## Verify content using the DO client
To verify that the Delivery Optimization client can download content using MCC, you can use the following steps:

19
windows/deployment/do/mcc-enterprise-deploy.md
View File

@ -31,18 +31,18 @@ To deploy MCC to your server:
For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
### Provide Microsoft with the Azure Subscription ID
### Provide Microsoft with the Azure subscription ID
As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft.
> [!IMPORTANT]
> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step.
For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id).
For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id).
### Create the MCC resource in Azure
The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes.
The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes.
Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below.
@ -221,7 +221,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
1. You'll be shown a list of existing IoT Hubs in your Azure Subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"**
1. You'll be shown a list of existing IoT Hubs in your Azure subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"**
:::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png":::
:::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png":::
@ -235,7 +235,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
## Verify proper functioning MCC server
#### Verify Client Side
#### Verify client side
Connect to the EFLOW VM and check if MCC is properly running:
@ -305,21 +305,16 @@ sudo iotedge list
:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png":::
If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager using the command:
If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command:
```bash
sudo journalctl -u iotedge -f
```
For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start.
This command will provide the current status of the starting, stopping of a container, or the container pull and start.
:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png":::
Use this command to check the IoT Edge Journal
```bash
sudo journalctl -u iotedge -f
```
> [!NOTE]
> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation.

6
windows/deployment/do/mcc-enterprise-prerequisites.md
View File

@ -24,13 +24,12 @@ ms.technology: itpro-updates
Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions.
2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
1. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
> [!NOTE]
> Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations.
**EFLOW Requires Hyper-V support**
**EFLOW requires Hyper-V support**
- On Windows client, enable the Hyper-V feature
- On Windows Server, install the Hyper-V role and create a default network switch
@ -44,6 +43,7 @@ ms.technology: itpro-updates
VM networking:
- An external virtual switch to support outbound and inbound network communication (created during the installation process)
1. **Content endpoints**: If you're using a proxy or firewall, certain endpoints must be allowed through in order for your MCC to cache and serve content. See [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md) for the list of required endpoints.
## Sizing recommendations

16
windows/deployment/do/mcc-isp-create-provision-deploy.md
View File

@ -10,7 +10,7 @@ ms.date: 12/31/2017
ms.technology: itpro-updates
---
# Create, Configure, provision, and deploy the cache node in Azure portal
# Create, configure, provision, and deploy the cache node in Azure portal
**Applies to**
@ -58,8 +58,8 @@ BGP (Border Gateway Protocol) routing is another method offered for client routi
1. Enter the max allowable egress that your hardware can support.
1. Under **Cache storage**, specify the location of the cache drives to store content along with the size of the cache drives in Gigabytes.
**Note:** Up to nine cache drives are supported.
1. Under **Cache storage**, specify the location of the cache drive folder to store content along with the size of the cache drives in Gigabytes.
**Note:** This is a **required** field. Up to nine cache drive folders are supported.
1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing).
@ -110,10 +110,10 @@ There are five IDs that the device provisioning script takes as input in order t
1. Copy and paste the script command line shown in the Azure portal.
1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md).
1. Run the script in your server terminal for your cache node. The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md).
> [!NOTE]
> The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script.
> The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to re-provision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script.
### General configuration fields
@ -127,12 +127,12 @@ There are five IDs that the device provisioning script takes as input in order t
### Storage fields
> [!IMPORTANT]
> All cache drives must have read/write permissions set or the cache node will not function.
> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive`
> All cache drives must have full read/write permissions set or the cache node will not function.
> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrivefolder`
| Field Name | Expected Value| Description |
|---|---|---|
| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. |
| **Cache drive folder** | File path string | Up to 9 drive folders accessible by the cache node can be configured for each cache node to configure cache storage. Enter the location of the folder in Ubuntu where the external physical drive is mounted. For example: `/dev/sda3/` Each cache drive should have read/write permissions configured. Ensure your disks are mounted and visit [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk) for more information.|
| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. |
### Client routing fields

10
windows/deployment/do/mcc-isp-faq.yml
View File

@ -69,8 +69,6 @@ sections:
answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers.
- question: How does Microsoft Connected Cache populate its content?
answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD.
- question: What do I do if I need more support and have more questions even after reading this FAQ page?
answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md).
- question: What CDNs will Microsoft Connected Cache pull content from?
answer: |
Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time:
@ -82,3 +80,11 @@ sections:
$ whois 13.107.4.50|grep "Organization:"
Organization: Microsoft Corporation (MSFT)
- question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how will it affect my traffic?
answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic.
- question: I signed up for Microsoft Connected Cache, but I'm not receiving the verification email. What should I do?
answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender "microsoft-noreply@microsoft.com".
- question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned?
answer: Even when the quota of 8k messages is hit, the MCC functionality won't be affected. Your client devices will continue to download content as normal. You'll also not be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the private preview and isn't an issue during public preview.
- question: What do I do if I need more support and have more questions even after reading this FAQ page?
answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md).

65
windows/deployment/do/mcc-isp-signup.md
View File

@ -24,21 +24,37 @@ This article details the process of signing up for Microsoft Connected Cache for
## Prerequisites
Before you begin sign up, ensure you have the following components:
- **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You will need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, [visit this page](https://azure.microsoft.com/offers/ms-azr-0003p/).
- **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal.
- **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email.
- **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed Ubuntu 20.04 LTS.
1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You'll need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, go to the [Pay-As-You-Go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/).
1. **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal.
1. **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email.
1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 20.04 LTS.
1. **Configure cache drive**: Make sure that you have a data drive configured with full permissions on your server. You'll need to specify the location for this cache drive during the cache node configuration process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
## Resource creation and sign up process
1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**.
:::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace.":::
:::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace." lightbox="./images/mcc-isp-search.png":::
1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, enter a name for your cache resource.
1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, choose the subscription, resource group, and location of your cache node. Also, enter a name for your cache node.
:::image type="content" source="./images/mcc-isp-create-resource-fields.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource creation step." lightbox="./images/mcc-isp-create-resource-fields.png":::
> [!IMPORTANT]
> After your resource has been created, we need some information to verify your network operator status and approve you to host Microsoft Connected Cache nodes. Please ensure that your [Peering DB](https://www.peeringdb.com/) organization information is up to date as this information will be used for verification. The NOC contact email will be used to send verification information.
After a few moments, you'll see a "Validation successful" message, indicating you can move onto the next step and select **Create**.
:::image type="content" source="./images/mcc-isp-create-resource-validated.png" alt-text="Screenshot of the Azure portal that shows a green validation successful message for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-create-resource-validated.png":::
1. The creation of the cache node may take a few minutes. After a successful creation, you'll see a **Deployment complete** page as below. Select **Go to resource**.
:::image type="content" source="./images/mcc-isp-deployment-complete.png" alt-text="Screenshot of the Azure portal that shows a successful deployment for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-deployment-complete.png":::
1. Navigate to **Settings** > **Sign up**. Enter your organization ASN. Indicate whether you're a transit provider. If so, additionally, include any ASN(s) for downstream network operators that you may transit traffic for.
:::image type="content" source="./images/mcc-isp-sign-up.png" alt-text="Screenshot of the sign up page in the Microsoft Connected Cache resource page in Azure portal." lightbox="./images/mcc-isp-sign-up.png":::
@ -50,6 +66,9 @@ Before you begin sign up, ensure you have the following components:
:::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png":::
> [!NOTE]
> **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Heres your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**.
1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node.
<!--## Traffic estimation
@ -57,37 +76,3 @@ Before you begin sign up, ensure you have the following components:
During the sign-up process, Microsoft will provide you with a traffic estimation based on your ASN(s). We make estimations based on our predictions on historical data about Microsoft content download volume. We'll use these estimations to recommend hardware or VM configurations. You can review these recommendations within the Azure portal.
We make these estimations based on the Microsoft content types that Microsoft Connected Cache serves. To learn more about the types of content that are supported, see [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md). -->
### Cache performance
To make sure you're maximizing the performance of your cache node, review the following information:
#### OS requirements
The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice.
#### NIC requirements
- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
#### Drive performance
The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance.
RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping.
### Hardware configuration example
There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps:
**Dell PowerEdge R330**
- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
- 4 - Transcend SSD230s 1 TB SATA Drives
- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
### Virtual machines
Microsoft Connected Cache supports both physical and virtual machines as cache servers. If you're using a virtual machine as your server, refer to [VM performance](mcc-isp-vm-performance.md) for tips on how to improve your VM performance.

30
windows/deployment/do/mcc-isp-verify-cache-node.md
View File

@ -16,6 +16,28 @@ ms.technology: itpro-updates
This article details how to verify that your cache node(s) are functioning properly and serving traffic. This article also details how to monitor your cache nodes.
## Verify cache node installation is complete
Sign in to the Connected Cache server or use SSH. Run the following command from a terminal to see the running modules (containers):
```bash
sudo iotedge list
```
:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png":::
If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command:
```bash
sudo iotedge system logs -- -f
```
For example, this command provides the current status of the starting and stopping of a container, or the container pull and start:
:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png":::
You may need to wait up to 30 minutes for the cache node software to complete downloading and begin caching.
## Verify functionality on Azure portal
Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the **Overview** page. Select the **Monitoring** tab to verify the functionality of your server(s) by validating the number of healthy nodes shown. If you see any **Unhealthy nodes**, select the **Diagnose and Solve** link to troubleshoot and resolve the issue.
@ -48,6 +70,14 @@ http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsup
If the test fails, for more information, see the [FAQ](mcc-isp-faq.yml) article.
## Verify BGP routing configuration
To verify your BGP routes are correctly configured for a cache node, navigate to **Settings > Cache nodes**. Select the cache node you wish to verify BGP routes for.
Verify that under **Routing Information**, the state of **BGP routes received** is True. Verify the IP space is correct. Lastly, select **Download JSON** next to **Download BGP Routes** to view the BGP routes that your cache node is currently advertising.
If **BGP routes received** is False, your **IP Space** is 0, or you're experiencing any BGP routing errors, ensure your **ASN** and **IP address** is entered correctly.
## Monitor cache node health and performance
Within Azure portal, there are many charts and graphs that are available to monitor cache node health and performance.

40
windows/deployment/do/mcc-isp-vm-performance.md
View File

@ -1,5 +1,5 @@
---
title: Enhancing VM performance
title: Enhancing cache performance
manager: aaroncz
description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
ms.prod: windows-client
@ -10,11 +10,41 @@ ms.technology: itpro-updates
ms.date: 12/31/2017
---
# Enhancing virtual machine performance
# Enhancing cache performance
To make sure you're maximizing the performance of your cache node, review the following information:
#### OS requirements
The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice.
#### NIC requirements
- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
#### Drive performance
The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance.
RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping.
### Hardware configuration example
There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps:
**Dell PowerEdge R330**
- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
- 4 - Transcend SSD230s 1 TB SATA Drives
- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
## Enhancing virtual machine performance
In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change two settings.
## Virtual machine settings
### Virtual machine settings
Change the following settings to maximize the egress in virtual environments:
@ -27,7 +57,3 @@ Change the following settings to maximize the egress in virtual environments:
Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment.
2. Enable high performance in the BIOS instead of energy savings. Microsoft has found this setting to also nearly double egress in a Microsoft Hyper-V deployment.
## Next steps
[Support and troubleshooting](mcc-isp-support.md)

19
windows/deployment/do/waas-microsoft-connected-cache.md
View File

@ -1,13 +1,12 @@
---
title: Microsoft Connected Cache overview
manager: dougeby
manager: aaroncz
description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution.
ms.prod: windows-client
author: carmenf
ms.localizationpriority: medium
ms.author: carmenf
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.technology: itpro-updates
ms.date: 12/31/2017
---
@ -20,13 +19,21 @@ ms.date: 12/31/2017
- Windows 11
> [!IMPORTANT]
> Microsoft Connected Cache is currently a preview feature. To view our early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
> Microsoft Connected Cache is currently a preview feature. To view our Microsoft Connected Cache for ISPs early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. Microsoft Connected Cache has two main offerings: 1) Microsoft Connected Cache for Internet Service Providers and 2) Microsoft Connected Cache for Enterprise and Education (early preview). Both products are created and managed in the cloud portal.
## Microsoft Connected Cache for ISPs (preview)
Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing.
## Microsoft Connected Cache for Enterprise and Education (early preview)
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. Its built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS.
Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
## IoT Edge
Both of Microsoft Connected Cache product offerings use Azure IoT Edge. Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
1. Installs and updates MCC on your edge device.
1. Maintains Azure IoT Edge security standards on your edge device.
@ -51,8 +58,6 @@ The following diagram displays and overview of how MCC functions:
:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png":::
## Next steps
- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md)

3
windows/deployment/docfx.json
View File

@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"feedback_system": "GitHub",

332
windows/deployment/update/deployment-service-drivers.md Normal file
View File

@ -0,0 +1,332 @@
---
title: Deploy drivers and firmware updates with Windows Update for Business deployment service.
description: Use Windows Update for Business deployment service to deploy driver and firmware updates.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 02/14/2023
---
# Deploy drivers and firmware updates with Windows Update for Business deployment service
<!--7260403, 7512398-->
***(Applies to: Windows 11 & Windows 10)***
The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a driver update to clients. In this article, you will:
> [!div class="checklist"]
>
> - [Open Graph Explorer](#open-graph-explorer)
> - [Run queries to identify devices](#run-queries-to-identify-devices)
> - [Enroll devices](#enroll-devices)
> - [Create a deployment audience and add audience members](#create-a-deployment-audience-and-add-audience-members)
> - [Create an update policy](#create-an-update-policy)
> - [Review applicable driver content](#review-applicable-driver-content)
> - [Approve driver content for deployment](#approve-driver-content-for-deployment)
> - [Revoke content approval](#revoke-content-approval)
> - [Unenroll devices](#unenroll-devices)
## Prerequisites
All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met.
### Permissions
<!--Using include for Graph Explorer permissions-->
[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)]
## Open Graph Explorer
<!--Using include for Graph Explorer sign in-->
[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)]
## Run queries to identify devices
<!--Using include for Graph Explorer device queries-->
[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)]
## Enroll devices
When you enroll devices into driver management, the deployment service becomes the authority for driver updates coming from Windows Update. Devices don't receive drivers or firmware from Windows Update until a deployment is manually created or they're added to a driver update policy with approvals.
<!--Using include for enrolling devices using Graph Explorer-->
[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-enroll-device-graph-explorer.md)]
## Create a deployment audience and add audience members
<!--Using include for creating deployment audiences and adding audience members using Graph Explorer-->
[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-audience-graph-explorer.md)]
Once a device has been enrolled and added to a deployment audience, the Windows Update for Business deployment service will start collecting scan results from Windows Update to build a catalog of applicable drivers to be browsed, approved, and scheduled for deployment.
## Create an update policy
Update policies define how content is deployed to a deployment audience. An [update policy](/graph/api/resources/windowsupdates-updatepolicy) ensures deployments to a deployment audience behave in a consistent manner without having to create and manage multiple individual deployments. When a content approval is added to the policy, it's deployed to the devices in the associated audiences. The deployment and monitoring settings are optional.
> [!IMPORTANT]
> Any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) configured for a [content approval](#approve-driver-content-for-deployment) will be combined with the existing update policy's deployment settings. If the content approval and update policy specify the same deployment setting, the setting from the content approval is used.
### Create a policy and define the settings later
To create a policy without any deployment settings, in the request body specify the **Audience ID** as `id`. In the following example, the **Audience ID** is `d39ad1ce-0123-4567-89ab-cdef01234567`, and the `id` given in the response is the **Policy ID**:
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies
content-type: application/json
{
"audience": {
"@odata.id": "d39ad1ce-0123-4567-89ab-cdef01234567"
}
}
```
Response returning the policy, without any additional settings specified, that has a **Policy ID** of `9011c330-1234-5678-9abc-def012345678`:
```json
HTTP/1.1 202 Accepted
content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/updatePolicies/$entity",
"id": "9011c330-1234-5678-9abc-def012345678",
"createdDateTime": "2023-01-25T05:32:21.9721459Z",
"autoEnrollmentUpdateCategories": [],
"complianceChangeRules": [],
"deploymentSettings": {
"schedule": null,
"monitoring": null,
"contentApplicability": null,
"userExperience": null,
"expedite": null
}
}
```
### Specify settings during policy creation
To create a policy with additional settings, in the request body:
- Specify the **Audience ID** as `id`
- Define any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings).
- Add the `content-length` header to the request if a status code of 411 occurs. The value should be the length of the request body in bytes. For information on error codes, see [Microsoft Graph error responses and resource types](/graph/errors).
In the following driver update policy example, any deployments created by a content approval will start 7 days after approval for **Audience ID** `d39ad1ce-0123-4567-89ab-cdef01234567`:
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies
content-type: application/json
{
"@odata.type": "#microsoft.graph.windowsUpdates.updatePolicy",
"audience": {
"@odata.id": "d39ad1ce-0123-4567-89ab-cdef01234567"
},
"complianceChanges": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.contentApproval"
}
],
"complianceChangeRules": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.contentApprovalRule",
"contentFilter": {
"@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateFilter"
},
"durationBeforeDeploymentStart": "P7D"
}
]
}
```
### Review and edit update policy settings
To review the policy settings, run the following query using the **Policy ID**, for example `9011c330-1234-5678-9abc-def012345678`:
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678
```
To edit the policy settings, **PATCH** the policy using the **Policy ID**. Run the following **PATCH** to automatically approve driver content that's recommended by `Microsoft`for deployment for **Policy ID** `9011c330-1234-5678-9abc-def012345678`:
``` msgraph-interactive
PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678
content-type: application/json
{
"complianceChangeRules": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.contentApprovalRule",
"contentFilter": {
"@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateFilter"
}
}
],
"deploymentSettings": {
"@odata.type": "#microsoft.graph.windowsUpdates.deploymentSettings",
"contentApplicability": {
"@odata.type": "#microsoft.graph.windowsUpdates.contentApplicabilitySettings",
"offerWhileRecommendedBy": ["microsoft"]
}
}
}
```
## Review applicable driver content
Once Windows Update for Business deployment service has scan results from devices, the applicability for driver and firmware updates can be displayed for a deployment audience. Each applicable update returns the following information:
- An `id` for its [catalog entry](/graph/api/resources/windowsupdates-catalogentry)
- The **Azure AD ID** of the devices it's applicable to
- Information describing the update such as the name and version.
To display [applicable content](/graph/api/resources/windowsupdates-applicablecontent), run a query using the **Audience ID**, for example `d39ad1ce-0123-4567-89ab-cdef01234567`:
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/applicableContent
```
The following truncated response displays:
- An **Azure AD ID** of `01234567-89ab-cdef-0123-456789abcdef`
- The **Catalog ID** of `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c`
```json
"matchedDevices": [
{
"recommendedBy": [
"Microsoft"
],
"deviceId": "01ea3c90-12f5-4093-a4c9-c1434657c976"
}
],
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateCatalogEntry",
"id": "5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c",
"displayName": "Microsoft - Test - 1.0.0.1",
"deployableUntilDateTime": null,
"releaseDateTime": "0001-01-21T04:18:32Z",
"description": "Microsoft test driver update released in January 2021",
"driverClass": "OtherHardware",
"provider": "Microsoft",
"setupInformationFile": null,
"manufacturer": "Microsoft",
"version": "1.0.0.1",
"versionDateTime": "2021-01-11T02:43:14Z"
```
## Approve driver content for deployment
Each driver update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). Approve content for drivers and firmware by adding a [content approval](/graph/api/resources/windowsupdates-contentapproval) for the catalog entry to an existing policy. Content approval is a [compliance change](/graph/api/resources/windowsupdates-compliance) for the policy.
> [!IMPORTANT]
> Any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) configured for the content approval will be combined with the existing [update policy's](#create-an-update-policy) deployment settings. If the content approval and update policy specify the same deployment setting, the setting from the content approval is used.
Add a content approval to an existing policy, **Policy ID** `9011c330-1234-5678-9abc-def012345678` for the driver update with the **Catalog ID** `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c`. Schedule the start date for February 14, 2023 at 1 AM UTC:
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges
content-type: application/json
{
"@odata.type": "#microsoft.graph.windowsUpdates.contentApproval",
"content": {
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateCatalogEntry",
"id": "5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c"
}
},
"deploymentSettings": {
"@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
"schedule": {
"startDateTime": "2023-02-14T01:00:00Z"
}
}
}
```
The response for a content approval returns content and deployment settings along with an `id`, which is the **Compliance Change ID**. The **Compliance Change ID** is `c03911a7-9876-5432-10ab-cdef98765432` in the following truncated response:
```json
"@odata.type": "#microsoft.graph.windowsUpdates.contentApproval",
"id": "c03911a7-9876-5432-10ab-cdef98765432",
"createdDateTime": "2023-02-02T17:54:39.173292Z",
"isRevoked": false,
"revokedDateTime": "0001-01-01T00:00:00Z",
"content": {
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.driverUpdateCatalogEntry",
"id": "5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c"
}
},
"deploymentSettings": {
"schedule": {
"startDateTime": "2023-02-14T01:00:00Z",
```
Review all of the compliance changes to a policy with the most recent changes listed in the response first. The following example returns the compliance changes for a policy with the **Policy ID** `9011c330-1234-5678-9abc-def012345678` and sorts by `createdDateTime` in descending order:
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges?orderby=createdDateTime desc
```
> [!TIP]
> There should only be one **Compliance Change ID** per **Catalog ID** for a policy. If there are multiple **Compliance Change IDs** for the same **Catalog ID** then, most likely, there's multiple deployments for the same piece of content targeted to the same audience but with different deployment behaviors. To remove the duplicate, [delete the compliance change](/graph/api/resources/windowsupdates-compliancechange-delete) with the duplicate **Catalog ID**. Deleting the compliance change will mark any deployments created by the approval as `archived`.
To retrieve the deployment ID, use the [expand parameter](/graph/query-parameters#expand-parameter) to review the deployment information related the content approval. The following example displays the content approval and the deployment information for **Compliance Change ID** `c03911a7-9876-5432-10ab-cdef98765432` in update **Policy ID** `9011c330-1234-5678-9abc-def012345678`:
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432/$/microsoft.graph.windowsUpdates.contentApproval?$expand=deployments
```
### Edit deployment settings for a content approval
Since content approval is a compliance change for the policy, when you [update a content approval](/graph/api/resources/windowsupdates--contentapproval-update), you're editing the compliance change for the policy. The following example changes the `startDateTime` for the **Compliance Change ID** of `c03911a7-9876-5432-10ab-cdef98765432` in the update **Policy ID** `9011c330-1234-5678-9abc-def012345678` to February 28, 2023 at 5 AM UTC:
```msgraph-interactive
PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432
content-type: application/json
{
"@odata.type": "#microsoft.graph.windowsUpdates.contentApproval",
"deploymentSettings": {
"@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
"schedule": {
"startDateTime": "2023-02-28T05:00:00Z"
}
}
}
```
## Revoke content approval
Approval for content can be revoked by setting the `isRevoked` property of the [compliance change](/graph/api/resources/windowsupdates-compliance) to true. This setting can be changed while a deployment is in progress. However, revoking will only prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new [approval](#approve-driver-content-for-deployment) will need to be created.
```msgraph-interactive
PATCH https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/9011c330-1234-5678-9abc-def012345678/complianceChanges/c03911a7-9876-5432-10ab-cdef98765432
content-type: application/json
{
"@odata.type": "#microsoft.graph.windowsUpdates.contentApproval",
"isRevoked": true
}
```
To display all deployments with the most recently created returned first, order deployments based on the `createdDateTime`:
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/deployments?orderby=createdDateTime desc
```
## Unenroll devices
<!--Using include for removing device enrollment-->
[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-graph-unenroll.md)]

196
windows/deployment/update/deployment-service-expedited-updates.md Normal file
View File

@ -0,0 +1,196 @@
---
title: Deploy expedited updates with Windows Update for Business deployment service
description: Use Windows Update for Business deployment service to deploy expedited updates.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 02/14/2023
---
# Deploy expedited updates with Windows Update for Business deployment service
<!--7512398-->
***(Applies to: Windows 11 & Windows 10)***
In this article, you will:
> [!div class="checklist"]
>
> * [Open Graph Explorer](#open-graph-explorer)
> * [Run queries to identify test devices](#run-queries-to-identify-devices)
> * [List catalog entries for expedited updates](#list-catalog-entries-for-expedited-updates)
> * [Create a deployment](#create-a-deployment)
> * [Add members to the deployment audience](#add-members-to-the-deployment-audience)
> * [Delete a deployment](#delete-a-deployment)
## Prerequisites
All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met.
### Permissions
<!--Using include for Graph Explorer permissions-->
[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)]
## Open Graph Explorer
<!--Using include for Graph Explorer sign in-->
[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)]
## Run queries to identify devices
<!--Using include for Graph Explorer device queries-->
[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)]
## List catalog entries for expedited updates
Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security updates that can be deployed as expedited updates by the deployment service. Using `$top=3` and ordering by `ReleaseDateTimeshows` displays the three most recent updates.
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=3
```
The following truncated response displays a **Catalog ID** of `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432` for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update:
```json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries",
"value": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
"id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432",
"displayName": "01/10/2023 - 2023.01 B Security Updates for Windows 10 and later",
"deployableUntilDateTime": null,
"releaseDateTime": "2023-01-10T00:00:00Z",
"isExpeditable": true,
"qualityUpdateClassification": "security"
},
...
]
}
```
## Create a deployment
When creating a deployment, there are [multiple options](/graph/api/resources/windowsupdates-deploymentsettings) available to define how the deployment behaves. The following example creates a deployment for the `01/10/2023 - 2023.01 B Security Updates for Windows 10 and later` security update with catalog entry ID `693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432`, and defines the `expedite` and `userExperience` deployment options in the request body.
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
content-type: application/json
{
"@odata.type": "#microsoft.graph.windowsUpdates.deployment",
"content": {
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
"id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432"
}
},
"settings": {
"@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
"expedite": {
"isExpedited": true
},
"userExperience": {
"daysUntilForcedReboot": 2
}
}
}
```
The request returns a 201 Created response code and a [deployment](/graph/api/resources/windowsupdates-deployment) object in the response body for the newly created deployment, which includes:
- The **Deployment ID** `de910e12-3456-7890-abcd-ef1234567890` of the newly created deployment.
- The **Audience ID** `d39ad1ce-0123-4567-89ab-cdef01234567` of the newly created deployment audience.
```json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments/$entity",
"id": "de910e12-3456-7890-abcd-ef1234567890",
"createdDateTime": "2023-02-09T22:55:04.8547517Z",
"lastModifiedDateTime": "2023-02-09T22:55:04.8547524Z",
"state": {
"effectiveValue": "offering",
"requestedValue": "none",
"reasons": []
},
"content": {
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
"catalogEntry@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/content/microsoft.graph.windowsUpdates.catalogContent/catalogEntry/$entity",
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry",
"id": "693fafea03c24cca819b3a15123a8880f217b96a878b6d6a61be021d476cc432",
"displayName": null,
"deployableUntilDateTime": null,
"releaseDateTime": "2023-01-10T00:00:00Z",
"isExpeditable": false,
"qualityUpdateClassification": "security"
}
},
"settings": {
"schedule": null,
"monitoring": null,
"contentApplicability": null,
"userExperience": {
"daysUntilForcedReboot": 2
},
"expedite": {
"isExpedited": true
}
},
"audience@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/audience/$entity",
"audience": {
"id": "d39ad1ce-0123-4567-89ab-cdef01234567",
"applicableContent": []
}
}
```
## Add members to the deployment audience
The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be expedited.
The following example adds two devices to the deployment audience using the **Azure AD ID** for each device:
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
content-type: application/json
{
"addMembers": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcdef"
},
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcde0"
}
]
}
```
To verify the devices were added to the audience, run the following query using the **Audience ID** of `d39ad1ce-0123-4567-89ab-cdef01234567`:
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/members
```
## Delete a deployment
To stop an expedited deployment, DELETE the deployment. Deleting the deployment will prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval will need to be created.
The following example deletes the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
```msgraph-interactive
DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
```
<!--Using include for Update Health Tools log location-->
[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)]

292
windows/deployment/update/deployment-service-feature-updates.md Normal file
View File

@ -0,0 +1,292 @@
---
title: Deploy feature updates with Windows Update for Business deployment service.
description: Use Windows Update for Business deployment service to deploy feature updates.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 02/14/2023
---
# Deploy feature updates with Windows Update for Business deployment service
<!--7512398-->
***(Applies to: Windows 11 & Windows 10)***
The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a feature update to clients. In this article, you will:
In this article, you will:
> [!div class="checklist"]
> * [Open Graph Explorer](#open-graph-explorer)
> * [Run queries to identify devices](#run-queries-to-identify-devices)
> * [Enroll devices](#enroll-devices)
> * [List catalog entries for feature updates](#list-catalog-entries-for-feature-updates)
> * [Create a deployment](#create-a-deployment)
> * [Add members to the deployment audience](#add-members-to-the-deployment-audience)
> * [Pause a deployment](#pause-a-deployment)
> * [Delete a deployment](#delete-a-deployment)
> * [Unenroll devices](#unenroll-devices)
## Prerequisites
All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met.
### Permissions
<!--Using include for Graph Explorer permissions-->
[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)]
## Open Graph Explorer
<!--Using include for Graph Explorer sign in-->
[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)]
## Run queries to identify devices
<!--Using include for Graph Explorer device queries-->
[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)]
## Enroll devices
When you enroll devices into feature update management, the deployment service becomes the authority for feature updates coming from Windows Update.
As long as a device remains enrolled in feature update management through the deployment service, the device doesn't receive any other feature updates from Windows Update unless explicitly deployed using the deployment service. A device is offered the specified feature update if it hasn't already received the update. For example, if you deploy Windows 11 feature update version 22H2 to a device that's enrolled into feature update management and is currently on an older version of Windows 11, the device updates to version 22H2. If the device is already running version 22H2 or a later version, it stays on its current version.
> [!TIP]
> Windows Update for Business reports has a [workbook](wufb-reports-workbook.md#feature-updates-tab) that displays the current operating system version for devices. In the workbook, go to the **Feature updates** tab and in the **In Service feature update** tile, select the **View details** link to open the details flyout. The OS version and Azure AD ID of devices can easily be exported into a .csv file or opened in [Azure Monitor Logs](/azure/azure-monitor/logs/log-query-overview) to help when creating a deployment audience.
<!--Using include for enrolling devices using Graph Explorer-->
[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-enroll-device-graph-explorer.md)]
## List catalog entries for feature updates
Each feature update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). The `id` returned is the **Catalog ID** and is used to create a deployment. Feature updates are deployable until they reach their support retirement dates. For more information, see the support lifecycle dates for [Windows 10](/lifecycle/products/windows-10-enterprise-and-education) and [Windows 11](/lifecycle/products/windows-11-enterprise-and-education) Enterprise and Education editions. The following query lists all deployable feature update catalog entries:
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.featureUpdateCatalogEntry')
```
The following truncated response displays a **Catalog ID** of `d9049ddb-0ca8-4bc1-bd3c-41a456ef300f` for the Windows 11, version 22H2 feature update:
```json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/catalog/entries",
"value": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
"id": "d9049ddb-0ca8-4bc1-bd3c-41a456ef300f",
"displayName": "Windows 11, version 22H2",
"deployableUntilDateTime": "2025-10-14T00:00:00Z",
"releaseDateTime": "2022-09-20T00:00:00Z",
"version": "Windows 11, version 22H2"
}
]
}
```
## Create a deployment
When creating a deployment for a feature update, there are multiple options available to define how the deployment behaves. The deployment and monitoring settings are optional. The following [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) are defined in the example request body for deploying the Windows 11, version 22H2 feature update (**Catalog ID** of `d9049ddb-0ca8-4bc1-bd3c-41a456ef300f`):
- Deployment [start date](/graph/api/resources/windowsupdates-schedulesettings) of February 14, 2023 at 5 AM UTC
- [Gradual rollout](/graph/api/resources/windowsupdates-gradualrolloutsettings) at a rate of 100 devices every three days
- [Monitoring rule](/graph/api/resources/windowsupdates-monitoringrule) that will pause the deployment if five devices rollback the feature update
- Default [safeguard hold](/graph/api/resources/windowsupdates-safeguardprofile) behavior of applying all applicable safeguards to devices in a deployment
- When safeguard holds aren't explicitly defined, the default safeguard hold behavior is applied automatically
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deployments
content-type: application/json
{
"content": {
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
"id": "d9049ddb-0ca8-4bc1-bd3c-41a456ef300f"
}
},
"settings": {
"@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
"schedule": {
"startDateTime": "2023-02-14T05:00:00Z",
"gradualRollout": {
"@odata.type": "#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings",
"durationBetweenOffers": "P3D",
"devicesPerOffer": "100"
}
},
"monitoring": {
"monitoringRules": [
{
"signal": "rollback",
"threshold": 5,
"action": "pauseDeployment"
}
]
}
}
}
```
The response body will contain:
- The new **Deployment ID**, `de910e12-3456-7890-abcd-ef1234567890` in the example
- The new **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567` in the example
- Any settings defined in the deployment request body
```json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments/$entity",
"id": "de910e12-3456-7890-abcd-ef1234567890",
"createdDateTime": "2023-02-07T19:21:15.425905Z",
"lastModifiedDateTime": "2023-02-07T19:21:15Z",
"state": {
"effectiveValue": "scheduled",
"requestedValue": "none",
"reasons": []
},
"content": {
"@odata.type": "#microsoft.graph.windowsUpdates.catalogContent",
"catalogEntry@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/content/microsoft.graph.windowsUpdates.catalogContent/catalogEntry/$entity",
"catalogEntry": {
"@odata.type": "#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry",
"id": "d9049ddb-0ca8-4bc1-bd3c-41a456ef300f",
"displayName": "Windows 11, version 22H2",
"deployableUntilDateTime": "2025-10-14T00:00:00Z",
"releaseDateTime": "0001-01-01T00:00:00Z",
"version": "Windows 11, version 22H2"
}
},
"settings": {
"contentApplicability": null,
"userExperience": null,
"expedite": null,
"schedule": {
"startDateTime": "2023-02-14T05:00:00Z",
"gradualRollout": {
"@odata.type": "#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings",
"durationBetweenOffers": "P3D",
"devicesPerOffer": 100
}
},
"monitoring": {
"monitoringRules": [
{
"signal": "rollback",
"threshold": 5,
"action": "pauseDeployment"
}
]
}
},
"audience@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deployments('de910e12-3456-7890-abcd-ef1234567890')/audience/$entity",
"audience": {
"id": "d39ad1ce-0123-4567-89ab-cdef01234567",
"applicableContent": []
}
}
```
### Edit a deployment
To [update deployment](/graph/api/windowsupdates-deployment-update), PATCH the deployment resource by its **Deployment ID** and supply the updated settings in the request body. The following example keeps the existing gradual rollout settings that were defined when creating the deployment but changes the deployment start date to February 28, 2023 at 5 AM UTC:
```msgraph-interactive
PATCH https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
content-type: application/json
{
"settings": {
"@odata.type": "microsoft.graph.windowsUpdates.deploymentSettings",
"schedule": {
"startDateTime": "2023-02-28T05:00:00Z",
"gradualRollout": {
"@odata.type": "#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings",
"durationBetweenOffers": "P3D",
"devicesPerOffer": "100"
}
}
}
}
```
Verify the deployment settings for the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
```
## Add members to the deployment audience
The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be offered.
The following example adds three devices to the deployment audience using the **Azure AD ID** for each device:
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
content-type: application/json
{
"addMembers": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcdef"
},
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcde0"
},
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcde1"
}
]
}
```
To verify the devices were added to the audience, run the following query using the **Audience ID** of `d39ad1ce-0123-4567-89ab-cdef01234567`:
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/members
```
## Pause a deployment
To pause a deployment, PATCH the deployment to have a `requestedValue` of `paused` for the [deploymentState](/graph/api/resources/windowsupdates-deploymentstate). To resume the deployment, use the value `none` and the state will either update to `offering` or `scheduled` if the deployment hasn't reached the start date yet.
The following example pauses the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
```msgraph-interactive
PATCH https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
content-type: application/json
{
"@odata.type": "#microsoft.graph.windowsUpdates.deployment",
"state": {
"@odata.type": "microsoft.graph.windowsUpdates.deploymentState",
"requestedValue": "paused"
}
}
```
## Delete a deployment
To remove the deployment completely, DELETE the deployment. Deleting the deployment will prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval will need to be created.
The following example deletes the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`:
```msgraph-interactive
DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890
```
## Unenroll devices
<!--Using include for removing device enrollment-->
[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-graph-unenroll.md)]

170
windows/deployment/update/deployment-service-overview.md
View File

@ -6,98 +6,67 @@ author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.topic: overview
ms.technology: itpro-updates
ms.date: 12/31/2017
---
# Windows Update for Business deployment service
**Applies to**
***(Applies to: Windows 11 & Windows 10)***
- Windows 10
- Windows 11
The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It's designed to work with your existing [Windows Update for Business](waas-manage-updates-wufb.md) policies and [Windows Update for Business reports](wufb-reports-overview.md). The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices. The service is privacy focused and backed by leading industry compliance certifications.
The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. It's designed to work in harmony with your existing Windows Update for Business policies.
Windows Update for Business product family has three elements:
The deployment service is designed for IT Pros who are looking for more control than is provided through deferral policies and deployment rings. It provides the following abilities:
- Client policy to govern update experiences and timing, which are available through Group Policy and CSPs
- [Windows Update for Business reports](wufb-reports-overview.md) to monitor update deployment
- Deployment service APIs to approve and schedule specific updates for deployment, which are available through the Microsoft Graph and associated SDKs (including PowerShell)
- You can schedule deployment of updates to start on a specific date (for example, deploy 20H2 to specified devices on March 14, 2021).
- You can stage deployments over a period of days or weeks by using rich expressions (for example, deploy 20H2 to 500 devices per day, beginning on March 14, 2021).
- You can bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise.
- You can benefit from deployments with automatic piloting tailored to your unique device population to ensure coverage of hardware and software in your organization.
- You can use safeguards against likely update issues that have been identified by Microsoft machine-learning algorithms and automatically hold the deployment for any affected devices.
The deployment service complements existing Windows Update for Business capabilities, including existing device policies and the[Windows Update for Business reports workbook](wufb-reports-workbook.md).
The service is privacy focused and backed by leading industry compliance certifications.
:::image type="content" source="media/7512398-deployment-service-overview.png" alt-text="Diagram displaying the three elements that are parts of the Windows Update for Business family.":::
## How it works
## How the deployment service works
The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Windows Update for Businesss reports](wufb-reports-overview.md).
With most update management solutions, usually update policies are set on the client itself using either registry edits, Group Policy, or an MDM solution that leverages CSPs. This means that the end user experience and deployment settings for updates are ultimately determined by the individual device settings. However, with Windows Update for Business deployment service, the service is the central point of control for update deployment behavior. Because the deployment service is directly integrated with Windows Update, once the admin defines the deployment behavior, Windows Update is already aware of how device should be directed to install updates when the device scans. The deployment service creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an admin.
:::image type="content" source="media/wufbds-product-large.png" alt-text="Elements in following text.":::
Windows Update for Business comprises three elements:
- Client policy to govern update experiences and timing available through Group Policy and CSPs
- Deployment service APIs to approve and schedule specific updates available through the Microsoft Graph and associated SDKs (including PowerShell)
- Windows Update for Business reports to monitor update deployment
Unlike existing client policy, the deployment service doesn't interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro.
:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text.":::
Using the deployment service typically follows a common pattern:
1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Intune.
2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service.
1. An admin uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app, or a more complete management solution such as Microsoft Intune.
2. The chosen management tool conveys your approval, scheduling, and device selection information to the deployment service.
3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.
The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Intune.
:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Diagram displaying ":::
## Prerequisites
The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as [Microsoft Intune](/mem/intune).
To work with the deployment service, devices must meet all these requirements:
## Capabilities of the Windows Update for Business deployment service
- Be running Windows 10, version 1709 or later (or Windows 11)
- Be joined to Azure Active Directory (AD) or Hybrid AD
- Have one of the following Windows 10 or Windows 11 editions installed:
- Pro
- Enterprise
- Education
- Pro Education
- Pro for Workstations
The deployment service is designed for IT Pros who are looking for more control than is provided through deferral policies and deployment rings. The service provides the following capabilities for updates:
Additionally, your organization must have one of the following subscriptions:
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows Virtual Desktop Access E3 or E5
- Microsoft 365 Business Premium
- **Approval and scheduling**: Approve and schedule deployment of updates to start on a specific date
- *Example*: Deploy the Windows 11 22H2 feature update to specified devices on February 17, 2023.
- **Gradual rollout**: Stage deployments over a period of days or weeks by specifying gradual rollout settings
- *Example*: Deploy the Windows 11 22H2 feature update to 500 devices per day, beginning on February 17, 2023
- **Expedite**: Bypass the configured Windows Update for Business policies to immediately deploy a security update across the organization
- **Safeguard holds**: Automatically holds the deployment for devices that may be impacted by an update issue identified by Microsoft machine-learning algorithms
## Getting started
Certain capabilities are available for specific update classifications:
To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application.
|Capabilities | [Quality updates](deployment-service-expedited-updates.md) | [Feature updates](deployment-service-feature-updates.md) | [Drivers and firmware](deployment-service-drivers.md)|
|---|---|---|---|
|Approval and scheduling | | Yes | Yes |
|Gradual rollout | | Yes | |
|Expedite | Yes | | |
|Safeguard holds| | Yes | |
### Using Microsoft Intune
Intune integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates).
### Scripting common actions using PowerShell
The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started).
### Building your own application
Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:
- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/)
- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/)
Once you're familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more.
## Deployment protections
The deployment service protects deployments through a combination of rollout controls and machine-learning algorithms that monitor deployments and react to issues during the rollout.
### Schedule rollouts with automatic piloting
### Gradual rollout
The deployment service allows any update to be deployed over a period of days or weeks. Once an update has been scheduled, the deployment service optimizes the deployment based on the scheduling parameters and unique attributes spanning the devices being updated. The service follows these steps:
@ -106,80 +75,45 @@ The deployment service allows any update to be deployed over a period of days or
3. Start deploying to earlier waves to build coverage of device attributes present in the population.
4. Continue deploying at a uniform rate until all waves are complete and all devices are updated.
This built-in piloting capability complements your existing ring structure and provides another support for reducing and managing risk during an update. Unlike tools such as Desktop Analytics, this capability is intended to operate within each ring. The deployment service doesn't provide a workflow for creating rings themselves.
You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and other protections within each ring.
This built-in piloting capability complements your existing [deployment ring](waas-quick-start.md) structure and provides another support for reducing and managing risk during an update. This capability is intended to operate within each ring. The deployment service doesn't provide a workflow for creating rings themselves. Continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and other protections within each ring.
### Safeguard holds against likely and known issues
Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service extends these safeguard holds to also protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you can opt out.
To verify whether a device is affected by a safeguard hold, see [Am I affected by a safeguard hold?](/windows/deployment/update/safeguard-holds#am-i-affected-by-a-safeguard-hold)
Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service also extends safeguard holds to protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you can opt out. To verify whether a device is affected by a safeguard hold, see [Am I affected by a safeguard hold?](/windows/deployment/update/safeguard-holds#am-i-affected-by-a-safeguard-hold).
### Monitoring deployments to detect rollback issues
During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues.
### How to enable deployment protections
## Get started with the deployment service
Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft.
To use the deployment service, you use a management tool built on the platform like Microsoft Intune, script common actions using PowerShell, or build your own application.
#### Device prerequisites
To learn more about the deployment service and the deployment process, see:
- Diagnostic data is set to *Required* or *Optional*.
- The **AllowWUfBCloudProcessing** policy is set to **8**.
- [Prerequisites for Windows Update for Business deployment service](deployment-service-prerequisites.md)
- [Deploy feature updates using Graph Explorer](deployment-service-feature-updates.md)
- [Deploy expedited updates using Graph Explorer](deployment-service-expedited-updates.md)
- [Deploy driver and firmware updates using Graph Explorer](deployment-service-drivers.md)
#### Set the **AllowWUfBCloudProcessing** policy
### Scripting common actions using PowerShell
To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy.
The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started).
| Policy| Sets registry key under `HKLM\Software`|
|--|--|
| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | `\Policies\Microsoft\Windows\DataCollection\AllowWUfBCloudProcessing` |
| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | `\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` |
### Building your own application
Following is an example of setting the policy using Intune:
Microsoft Graph makes deployment service APIs available through. Get started with the resources below:
1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/)
- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/)
2. Select **Devices** > **Configuration profiles** > **Create profile**.
- Windows Update for Business deployment service [sample driver deployment application](https://github.com/microsoftgraph/windowsupdates-webapplication-sample) on GitHub
- [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview)
3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**.
### Use Microsoft Intune
4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**.
5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**.
- Name: **AllowWUfBCloudProcessing**
- Description: Enter a description.
- OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing`
- Data type: **Integer**
- Value: **8**
6. In **Assignments**, select the groups that will receive the profile, and then select **Next**.
7. In **Review + create**, review your settings, and then select **Create**.
8. (Optional) To verify that the policy reached the client, check the value of the following registry entry:
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing`
## Best practices
Follow these suggestions for the best results with the service.
### Device onboarding
- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day).
- Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors.
### General
Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it.
## Next steps
To learn more about the deployment service, try the following:
Microsoft Intune integrates with the deployment service to provide Windows client update management capabilities. For more information, see:
- [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates)
- [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview)
- [Expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates)

102
windows/deployment/update/deployment-service-prerequisites.md Normal file
View File

@ -0,0 +1,102 @@
---
title: Prerequisites for the Windows Update for Business deployment service
description: Prerequisites for using the Windows Update for Business deployment service.
ms.prod: windows-client
author: mestew
ms.localizationpriority: medium
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 02/14/2023
---
# Windows Update for Business deployment service prerequisites
<!--7512398-->
***(Applies to: Windows 11 & Windows 10)***
Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites.
## Azure and Azure Active Directory
- An Azure subscription with [Azure Active Directory](/azure/active-directory/)
- Devices must be Azure Active Directory-joined and meet the below OSrequirements.
- Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
- Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business
## Licensing
Windows Update for Business deployment service requires users of the devices to have one of the following licenses:
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows Virtual Desktop Access E3 or E5
- Microsoft 365 Business Premium
## Operating systems and editions
- Windows 11 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
- Windows 10 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
Windows Update for Business deployment service supports Windows client devices on the **General Availability Channel**.
### Windows operating system updates
- Expediting updates requires the *Update Health Tools* on the clients. The tools are are installed starting with [KB 4023057](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a). To confirm the presence of the Update Health Tools on a device:
- Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**.
- As an Admin, run the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}`
- For [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended
## Diagnostic data requirements
Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population and to [deploy driver updates](deployment-service-drivers.md), devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the *Required* level (previously called *Basic*) for these features.
When you use [Windows Update for Business reports](wufb-reports-overview.md) in conjunction with the deployment service, using diagnostic data at the following levels allows device names to appear in reporting:
- *Optional* level (previously *Full*) for Windows 11 devices
- *Enhanced* level for Windows 10 devices
## Permissions
- [Windows Update for Business deployment service](/graph/api/resources/windowsupdates) operations require [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions)
- Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have the permissions.
> [!NOTE]
> Leveraging other parts of the Graph API might require additional permissions. For example, to display [device](/graph/api/resources/device) information, a minimum of [Device.Read.All](/graph/permissions-reference#device-permissions) permission is needed.
## Required endpoints
- Have access to the following endpoints:
- [Windows Update endpoints](/windows/privacy/manage-windows-1809-endpoints#windows-update)
- *.prod.do.dsp.mp.microsoft.com
- *.windowsupdate.com
- *.dl.delivery.mp.microsoft.com
- *.update.microsoft.com
- *.delivery.mp.microsoft.com
- tsfe.trafficshaping.dsp.mp.microsoft.com
- Windows Update for Business deployment service endpoints
- devicelistenerprod.microsoft.com
- login.windows.net
- payloadprod*.blob.core.windows.net
- [Windows Push Notification Services](/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config): *(Recommended, but not required. Without this access, devices might not expedite updates until their next daily check for updates.)*
- *.notify.windows.com
## Limitations
<!--Using include for deployment service limitations-->
[!INCLUDE [Windows Update for Business deployment service limitations](./includes/wufb-deployment-limitations.md)]
## General tips for the deployment service
Follow these suggestions for the best results with the service:
- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day).
- Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors.
- Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it.

27
windows/deployment/update/deployment-service-troubleshoot.md
View File

@ -15,10 +15,7 @@ ms.date: 12/31/2017
# Troubleshoot the Windows Update for Business deployment service
**Applies to**
- Windows 10
- Windows 11
***(Applies to: Windows 11 & Windows 10)***
This troubleshooting guide addresses the most common issues that IT administrators face when using the Windows Update for Business [deployment service](deployment-service-overview.md). For a general troubleshooting guide for Windows Update, see [Windows Update troubleshooting](/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json).
@ -35,3 +32,25 @@ This troubleshooting guide addresses the most common issues that IT administrato
- Check that the device is scanning the Windows Update service and not a different endpoint. If the device is scanning for updates from a WSUS endpoint, for example, it might receive different updates. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates).
- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is not successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors.
### The device installed a newer update then the expedited update I deployed
There are some scenarios when a deployment to expedite an update results in the installation of a more recent update than specified in policy. This result occurs when the newer update includes and surpasses the specified update, and that newer update is available before a device checks in to install the update that's specified in the expedite update policy.
Installing the most recent quality update reduces disruptions to the device and user while applying the benefits of the intended update. This avoids having to install multiple updates, which each might require separate reboots.
A more recent update is deployed when the following conditions are met:
- The device isn't targeted with a deferral policy that blocks installation of a more recent update. In this case, the most recently available update that isn't deferred is the update that might install.
- During the process to expedite an update, the device runs a new scan that detects the newer update. This can occur due to the timing of:
- When the device restarts to complete installation
- When the device runs its daily scan
- When a new update becomes available
When a scan identifies a newer update, Windows Update attempts to stop installation of the original update, cancel the restart, and then starts the download and installation of the more recent update.
While expedite update deployments will override an update deferral for the update version that's specified, they don't override deferrals that are in place for any other update version.
<!--Using include for Update Health Tools log location-->
[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)]

63
windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md Normal file
View File

@ -0,0 +1,63 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
---
<!--This file is shared by deployment-service-drivers.md and the deployment-service-feature-updates.md articles. Headings may be driven by article context. 7512398 -->
A deployment audience is a collection of devices that you want to deploy updates to. The audience needs to be created first, then members are added to the audience. Use the following steps to create a deployment audience, add members, and verify it:
1. To create a new audience, **POST** to the [deployment audience](/graph/api/resources/windowsupdates-deploymentaudience) resource with a request body of `{}`.
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences
content-type: application/json
{}
```
The POST returns an HTTP status code of `201 Created` as a response with the following body, where `id` is the **Audience ID**:
```json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/windows/updates/deploymentAudiences/$entity",
"id": "d39ad1ce-0123-4567-89ab-cdef01234567",
"reportingDeviceCount": 0,
"applicableContent": []
}
```
1. Add devices, using their **Azure AD ID**, to the deployment audience so they become audience members. Specify the deployment **Audience ID** in the URL field and the devices to add in the request body. The `id` property specifies the **Azure AD ID** of the device.
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
content-type: application/json
{
"addMembers": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcdef"
},
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcde0"
},
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcde1"
}
]
}
```
1. To verify the devices were added to the audience, run the following query using the **Audience ID** of `d39ad1ce-0123-4567-89ab-cdef01234567`:
```msgraph-interactive
GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/members
```

45
windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md Normal file
View File

@ -0,0 +1,45 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
---
<!--This file is shared by deployment-service-drivers.md and the deployment-service-feature-updates.md articles. Headings may be driven by article context. 7512398 -->
You enroll devices based on the types of updates you want them to receive. Currently, you can enroll devices to receive feature updates (`feature`) or drivers (`driver`). You can enroll devices to receive updates from multiple update classifications.
1. To enroll devices, POST to [updatableAssets](/graph/api/resources/windowsupdates-updatableasset) using [enrollAssets](/graph/api/windowsupdates-updatableasset-enrollassets). The following example enrolls three devices to receive driver updates:
1. In Graph Explorer, select **POST** from the drop-down list for the HTTP verb.
1. Enter the following request into the URL field: </br>
`https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/enrollAssets`
1. In the **Request body** tab, enter the following JSON, supplying the following information:
- **Azure AD Device ID** as `id`
- Either `feature` or `driver` for the updateCategory
```json
{
"updateCategory": "driver",
"assets": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcdef"
},
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcde0"
},
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcde1"
}
]
}
```
1. Select the **Run query** button. The results will appear in the **Response** window. In this case, the HTTP status code of `202 Accepted`.
:::image type="content" source="../media/7512398-deployment-enroll-asset-graph.png" alt-text="Screenshot of successfully enrolling assets through Graph Explorer." lightbox="../media/7512398-deployment-enroll-asset-graph.png" :::

54
windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md Normal file
View File

@ -0,0 +1,54 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
---
<!--This file is shared by deployment-service-drivers.md, deployment-service-expedited-updates.md, and the deployment-service-feature-updates.md articles. Headings may be driven by article context. 7512398 -->
Use the [device](/graph/api/resources/device) resource type to find clients to enroll into the deployment service. Change the query parameters to fit your specific needs. For more information, see [Use query parameters](/graph/query-parameters).
- Displays the **AzureAD Device ID** and **Name** of all devices:
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/devices?$select=deviceid,displayName
```
- Displays the **AzureAD Device ID** and **Name** for devices that have a name starting with `Test`:
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/devices?$filter=startswith (displayName,'Test')&$select=deviceid,displayName
```
### Add a request header for advanced queries
For the next requests, set the **ConsistencyLevel** header to `eventual`. For more information about advanced query parameters, see [Advanced query capabilities on Azure AD directory objects](/graph/aad-advanced-queries).
1. In Graph Explorer, select the **Request headers** tab.
1. For **Key** type in `ConsistencyLevel` and for **Value**, type `eventual`.
1. Select the **Add** button. When you're finished, remove the request header by selecting the trash can icon.
:::image type="content" source="../media/7512398-deployment-service-graph-modify-header.png" alt-text="Screenshot of the request headers tab in Graph Explorer" lightbox="../media/7512398-deployment-service-graph-modify-header.png":::
- Display the **Name** and **Operating system version** for the device that has `01234567-89ab-cdef-0123-456789abcdef` as the **AzureAD Device ID**:
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/devices?$search="deviceid:01234567-89ab-cdef-0123-456789abcdef"?$select=displayName,operatingSystemVersion`
```
- To find devices that likely aren't virtual machines, filter for devices that don't have virtual machine listed as the model but do have a manufacturer listed. Display the **AzureAD Device ID**, **Name**, and **Operating system version** for each device:
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/devices?$filter=model ne 'virtual machine' and NOT(manufacturer eq null)&$count=true&$select=deviceid,displayName,operatingSystemVersion`
```
> [!Tip]
> Requests using the [device](/graph/api/resources/device) resource type typically have both an `id` and a `deviceid`:
> - The `deviceid` is the **Azure AD Device ID** and will be used in this article.
> - Later in this article, this `deviceid` will be used as an `id` when you make certain requests such as adding a device to a deployment audience.
> - The `id` from the [device](/graph/api/resources/device) resource type is usually the Azure AD Object ID, which won't be used in this article.

18
windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md Normal file
View File

@ -0,0 +1,18 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
---
<!--This file is shared by deployment-service-drivers.md, deployment-service-expedited-updates.md, and the deployment-service-feature-updates.md articles. Headings may be driven by article context. 7512398 -->
The following permissions are needed for the queries listed in this article:
- [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) for [Windows Update for Business deployment service](/graph/api/resources/windowsupdates) operations.
- At least [Device.Read.All](/graph/permissions-reference#device-permissions) permission to display [device](/graph/api/resources/device) information.
Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have these permissions.

34
windows/deployment/update/includes/wufb-deployment-graph-explorer.md Normal file
View File

@ -0,0 +1,34 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
---
<!--This file is shared by deployment-service-drivers.md, deployment-service-expedited-updates.md, and the deployment-service-feature-updates.md articles. Headings may be driven by article context. 7512398 -->
For this article, you'll use Graph Explorer to make requests to the [Microsoft Graph APIs](/graph/api/resources/windowsupdates-updates?view=graph-rest-beta&preserve-view=true) to retrieve, add, delete, and update data. Graph Explorer is a developer tool that lets you learn about Microsoft Graph APIs. For more information about using Graph Explorer, see [Get started with Graph Explorer](/graph/graph-explorer/overview).
> [!WARNING]
>
> - Requests listed in this article require signing in with a Microsoft 365 account. If needed, a free one month trial is available for [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium).
> - Using a test tenant to verify the deployment process first is highly recommended. If you use a production tenant, ensure you verify which client devices you're targeting with deployments.
1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using an Azure Active Directory (Azure AD) user account.
1. You may need to enable the [`WindowsUpdates.ReadWrite.All` permission](/graph/permissions-reference#windows-updates-permissions) to use the queries in this article. To enable the permission:
1. Select the **Modify permissions** tab in Graph Explorer.
1. In the permissions dialog box, select the **WindowsUpdates.ReadWrite.All** permission then select **Consent**. You may need to sign in again to grant consent.
:::image type="content" source="../media/7512398-wufbds-graph-modify-permission.png" alt-text="Screenshot of the modify permissions tab in Graph Explorer" lightbox="../media/7512398-wufbds-graph-modify-permission.png" :::
1. To make requests:
1. Select either GET, POST, PUT, PATCH, or DELETE from the drop-down list for the HTTP method.
1. Enter the request into the URL field. The version will populate automatically based on the URL.
1. If you need to modify the request body, edit the **Request body** tab.
1. Select the **Run query** button. The results will appear in the **Response** window.
> [!TIP]
> When reviewing [Microsoft Graph documentation](/graph/), you may notice example requests usually list `content-type: application/json`. Specifying `content-type` typically isn't required for Graph Explorer, but you can add it to the request by selecting the **Headers** tab and adding the `content-type` to the **Request headers** field as the **Key** and `application/json` as the **Value**.

42
windows/deployment/update/includes/wufb-deployment-graph-unenroll.md Normal file
View File

@ -0,0 +1,42 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
---
<!--This file is shared by deployment-service-drivers.md and the deployment-service-feature-updates.md articles. Headings may be driven by article context. 7512398 -->
When a device no longer needs to be managed by the deployment service, unenroll it. Just like [enrolling a device](#enroll-devices), specify either `driver` or `feature` as the value for the `updateCategory`. The device will no longer receive updates from the deployment service for the specified update category. Depending on the device's configuration, it may start to receive updates from Windows Update. For instance, if a device is still enrolled for feature updates, but it's unenrolled from drivers:
- Existing driver deployments from the service won't be offered to the device
- The device will continue to receive feature updates from the deployment service
- Drivers may start being installed from Windows Update depending on the device's configuration
To unenroll a device, POST to [updatableAssets](/graph/api/resources/windowsupdates-updatableasset) using [unenrollAssets](/graph/api/windowsupdates-updatableasset-unenrollassets). In the request body, specify:
- **Azure AD Device ID** as `id` for the device
- Either `feature` or `driver` for the updateCategory
The following example removes `driver` enrollment for two devices, `01234567-89ab-cdef-0123-456789abcdef` and `01234567-89ab-cdef-0123-456789abcde0`:
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/unenrollAssets
content-type: application/json
{
"updateCategory": "driver",
"assets": [
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcdef"
},
{
"@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
"id": "01234567-89ab-cdef-0123-456789abcde0"
}
]
}
```

13
windows/deployment/update/includes/wufb-deployment-limitations.md Normal file
View File

@ -0,0 +1,13 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
---
<!--This file is shared by deployment-service-overview.md and the deployment-service-prerequisites.md articles. Headings may be driven by article context. 7512398 -->
Windows Update for Business deployment service is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Windows Update for Business deployment service doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Windows Update for Business deployment service is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers.

21
windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md Normal file
View File

@ -0,0 +1,21 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 02/14/2023
ms.localizationpriority: medium
---
<!--This file is shared by deployment-service-expedite.md and the deployment-service-troubleshoot.md articles. Headings may be driven by article context. 7512398 -->
## Log location for the Update Health Tools
The Update Health Tools are used when you deploy expedited updates. In some cases, you may wish to review the logs for the Update Health Tools.
**Log location**: `%ProgramFiles%\Microsoft Update Health Tools\Logs`
- The logs are in `.etl` format.
- Microsoft offers [PerfView as a download on GitHub](https://github.com/Microsoft/perfview/blob/main/documentation/Downloading.md), which displays `.etl` files.
For more information, see [Troubleshooting expedited updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-the-most-out-of-expedited-windows-quality-updates/ba-p/3659741).

BIN
windows/deployment/update/media/7512398-deployment-enroll-asset-graph.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 158 KiB

BIN
windows/deployment/update/media/7512398-deployment-service-graph-modify-header.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 78 KiB

BIN
windows/deployment/update/media/7512398-deployment-service-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/deployment/update/media/7512398-wufbds-graph-modify-permission.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 162 KiB

BIN
windows/deployment/update/media/7539531-wufb-reports-workbook-drivers.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 410 KiB

0
windows/deployment/update/images/wufb-do-overview.png → windows/deployment/update/media/wufb-do-overview.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 149 KiB

After

Width:  |  Height:  |  Size: 149 KiB

BIN
windows/deployment/update/media/wufbds-product-large.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 18 KiB

2
windows/deployment/update/wufb-reports-prerequisites.md
View File

@ -23,6 +23,8 @@ Before you begin the process of adding Windows Update for Business reports to yo
- Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
- Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business reports.
- The Log Analytics workspace must be in a [supported region](#log-analytics-regions)
- Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md)
## Permissions

7
windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
View File

@ -20,6 +20,7 @@ Update Event that combines the latest client-based data with the latest service-
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Azure AD tenant to which the device belongs. |
| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Azure AD device ID |
|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
| **ClientState** | [string](/azure/kusto/query/scalar-data-types/string) | `Installing` | Higher-level bucket of ClientSubstate. |
| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | Last-known state of this update relative to the device, from the client. |
| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Ranking of client substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. |
@ -29,9 +30,11 @@ Update Event that combines the latest client-based data with the latest service-
| **FurthestClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadComplete` | Furthest clientSubstate |
| **FurthestClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2400` | Ranking of furthest clientSubstate |
| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
| **IsUpdateHealty** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | True: No issues preventing this device from updating to this update have been found. False: There is something that may prevent this device from updating. |
| **OfferReceivedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device last reported entering OfferReceived, else empty. |
| **RestartRequiredTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device first reported entering RebootRequired (or RebootPending), else empty. |
| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | A string corresponding to the Configuration Manager Client ID on the device. |
| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
| **TargetBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `18363` | Integer of the Major portion of Build. |
| **TargetKBNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `4524570` | KB Article. |
@ -40,8 +43,10 @@ Update Event that combines the latest client-based data with the latest service-
| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceUpdateEvent` | The EntityType |
| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update) |
| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
| **UpdateInstalledTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime when event transitioned to UpdateInstalled, else empty. |
| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
| **UpdateSource** | [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media |

2
windows/deployment/update/wufb-reports-schema-ucdevicealert.md
View File

@ -43,4 +43,4 @@ These alerts are activated as a result of an issue that is device-specific. It i
| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update) |
| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update), or driver |

22
windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
View File

@ -20,15 +20,33 @@ Update Event that comes directly from the service-side. The event has only servi
|---|---|---|---|
| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Azure AD tenant to which the device belongs. |
| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
| **DeploymentApprovedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time of the update approval |
| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) |`cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
| **DeploymentName** | [string](/azure/kusto/query/scalar-data-types/string) |`My deployment` | Friendly name of the created deployment |
| **DeploymentIsExpedited** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | Whether the content is being expedited |
| **DeploymentRevokeTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time the update was revoked |
| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
| **OfferReadyTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime of OfferReady transition. If empty, not yet been offered. |
| **PolicyCreatedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time the policy was created |
| **PolicyId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | The policy identifier targeting the update to this device |
| **PolicyName** | [string](/azure/kusto/query/scalar-data-types/string) | `My policy` | Friendly name of the policy |
| **ServiceState** | [string](/azure/kusto/query/scalar-data-types/string) | `Offering` | High-level state of update's status relative to device, service-side. |
| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | Low-level state of update's status relative to device, service-side. |
| **ServiceSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last ServiceSubstate transition. |
| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build for the content this event is tracking. For Windows 10, this string corresponds to "10.0.Build.Revision" |
| **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. |
| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | Azure AD tenant ID |
| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Time the snapshot ran can also be the same as EventDateTimeUTC in some cases. |
| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `ServiceUpdateEvent` | The EntityType |
| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update) |
| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
|**UpdateProvider** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Update provider of drivers and firmware |
| **UpdateRecommendedTime** |[datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time when the update was recommended to the device |
| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
|**UpdateVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `20.0.19.3` | Update version of drivers or firmware |
| **UpdateVersionTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Update version date time stamp for drivers and firmware |

4
windows/deployment/update/wufb-reports-schema-ucupdatealert.md
View File

@ -42,8 +42,10 @@ Alert for both client and service updates. Contains information that needs atten
| **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. |
| **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. |
| **TenantId** |[string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update) |
| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
| **URL** | [string](/azure/kusto/query/scalar-data-types/string) | `aka.ms/errordetail32152` | An optional URL to get more in-depth information related to this alert. |
| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|

43
windows/deployment/update/wufb-reports-workbook.md
View File

@ -15,14 +15,15 @@ ms.technology: itpro-updates
***(Applies to: Windows 11 & Windows 10)***
[Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into four tab sections:
[Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into tab sections:
- [Summary](#summary-tab)
- [Quality updates](#quality-updates-tab)
- [Feature updates](#feature-updates-tab)
- [Delivery Optimization](#bkmk_do)
- [Driver updates](#driver-updates-tab)
:::image type="content" source="media/33771278-wufb-reports-workbook-summary.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook with the three tabbed sections outlined in red." lightbox="media/33771278-wufb-reports-workbook-summary.png":::
:::image type="content" source="media/33771278-wufb-reports-workbook-summary.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook. The three tabbed sections are outlined in red." lightbox="media/33771278-wufb-reports-workbook-summary.png":::
## Open the Windows Update for Business reports workbook
@ -137,7 +138,40 @@ The **Device status** group for feature updates contains the following items:
- **Device compliance status**: Table containing a list of devices getting a feature update and installation information including active alerts for the devices.
- This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
## <a name="bkmk_do"></a> Delivery Optimization (preview tab)
## Driver updates tab
The **Driver update** tab provides information on driver and firmware update deployments from [Windows Update for Business deployment service](deployment-service-overview.md). Generalized data is at the top of the page in tiles. The data becomes more specific as you navigate lower in this tab. The top of the driver updates tab contains tiles with the following information:
**Devices taking driver updates**: Count of devices that are installing driver and firmware updates.
**Approved updates**: Count of approved driver updates
**Total policies**: The total number of deployment polices for driver and firmware updates from [Windows Update for Business deployment service](deployment-service-overview.md)
**Active alerts**: Count of active alerts for driver deployments
Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 250 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
:::image type="content" source="media/7539531-wufb-reports-workbook-drivers.png" alt-text="Screenshot of the update status tab for driver updates." lightbox="media/7539531-wufb-reports-workbook-drivers.png":::
Just like the [**Quality updates**](#quality-updates-tab) and [**Feature updates**](#feature-updates-tab) tabs, the **Driver updates** tab is also subdivided into **Update status** and **Device status** groups below the tiles. These different chart groups allow you to easily discover trends in compliance data.
### <a name="bkmk_update-group-driver"></a> Update status group for drivers
The **Update status** group for driver updates contains the following items:
- **Update states for all driver updates**: Chart containing the number of devices in a specific state, such as installing, for driver updates.
- **Distribution of Driver Classes**: Chart containing the number of drivers in a specific class.
- **Update alerts for all driver updates**: Chart containing the count of active errors and warnings for driver updates.
The **Update deployment status** table displays information about deployed driver updates for your devices. Drill-in further by selecting a value from the **TotalDevices** column to display the status of a specific driver for a specific policy along with information about the installation status for each device.
### <a name="bkmk_device-group-driver"></a> Device status group for driver updates
The **Device status** group for driver updates contains the following items:
- **Device alerts**: Count of active device alerts for driver updates in each alert classification.
- **Device compliance status**: Table containing a list of devices getting a driver update and installation information including active alerts for the devices.
- This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
## <a name="bkmk_do"></a> Delivery Optimization
The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information.
@ -154,7 +188,8 @@ The Delivery Optimization tab is further divided into the following groups:
- **Content Distribution**: Includes charts showing percentage volumes and GB volumes by source by content types. All content types are linked to a table for deeper filtering by **ContentType**, **AzureADTenantId**, and **GroupID**.
- **Efficiency By Group**: This view provides filters commonly used ways of grouping devices. The provided filters include: **GroupID**, **City**, **Country**, and **ISP**.
:::image type="content" source="images/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="images/wufb-do-overview.png":::
:::image type="content" source="media/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="media/wufb-do-overview.png":::
## Customize the workbook

2
windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
View File

@ -91,7 +91,7 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad
Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or
- An issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md).
- An issue occurred which prevented devices from getting a deployment ring assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md).
There are two automated deployment ring remediation functions:

7
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
View File

@ -71,7 +71,12 @@ Windows Autopatch uses Microsoft Intunes built-in solution, which uses config
Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35-day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it.
## Pausing and resuming a release
## Release management
> [!NOTE]
> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration).
### Pausing and resuming a release
> [!CAUTION]
> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).

3
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
View File

@ -54,6 +54,9 @@ Windows Autopatch configures these policies differently across deployment rings
## Release management
> [!NOTE]
> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration).
In the Release management blade, you can:
- Track the [Windows quality update schedule](#release-schedule) for devices in the [four deployment rings](windows-autopatch-update-management.md#windows-autopatch-deployment-rings).

3
windows/hub/docfx.json
View File

@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier1"
],
"audience": "ITPro",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",

4
windows/security/cryptography-certificate-mgmt.md
View File

@ -1,7 +1,6 @@
---
title: Cryptography and Certificate Management
description: Get an overview of cryptography and certificate management in Windows
search.appverid: MET150
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
@ -9,9 +8,6 @@ ms.topic: conceptual
ms.date: 09/07/2021
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection:
ms.custom:
ms.reviewer: skhadeer, raverma
---

3
windows/security/docfx.json
View File

@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.localizationpriority": "medium",

33
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -27,13 +27,12 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which
## Azure AD Kerberos and cloud Kerberos trust authentication
*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.\
*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.
*Cloud Kerberos trust* uses *Azure AD Kerberos*, which doesn't require a PKI to request TGTs.
Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\
With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers.
With *Azure AD Kerberos*, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers.
When *Azure AD Kerberos* is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object:
When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object:
- Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
- Is only used by Azure AD to generate TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object
@ -44,7 +43,7 @@ For more information about how Azure AD Kerberos enables access to on-premises r
For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust).
> [!IMPORTANT]
> When implementing the *hybrid cloud Kerberos trust* deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
## Prerequisites
@ -72,9 +71,9 @@ The following scenarios aren't supported using Windows Hello for Business cloud
## Deployment steps
Deploying *Windows Hello for Business cloud Kerberos trust* consists of two steps:
Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
1. Set up *Azure AD Kerberos*
1. Set up Azure AD Kerberos
1. Configure a Windows Hello for Business policy and deploy it to the devices
### Deploy Azure AD Kerberos
@ -85,7 +84,7 @@ If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enabl
### Configure Windows Hello for Business policy
After setting up the *Azure AD Kerberos object*, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
@ -115,7 +114,7 @@ Windows Hello for Business settings are also available in the settings catalog.
### Configure cloud Kerberos trust policy
To configure the *cloud Kerberos trust* policy, follow the steps below:
To configure the cloud Kerberos trust policy, follow the steps below:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
@ -155,7 +154,7 @@ You can also create a Group Policy Central Store and copy them their respective
#### Create the Windows Hello for Business group policy object
You can configure Windows devices to enable *Windows Hello for Business cloud Kerberos trust* using a Group Policy Object (GPO).
You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO).
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory
1. Edit the Group Policy object from Step 1
@ -167,7 +166,7 @@ You can configure Windows devices to enable *Windows Hello for Business cloud Ke
---
> [!IMPORTANT]
> If the *Use certificate for on-premises authentication* policy is enabled, *certificate trust* will take precedence over *cloud Kerberos trust*. Ensure that the machines that you want to enable *cloud Kerberos trust* have this policy *not configured* or *disabled*.
> If the *Use certificate for on-premises authentication* policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*.
## Provision Windows Hello for Business
@ -195,11 +194,11 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell
### Sign-in
Once a user has set up a PIN with *cloud Kerberos trust*, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
## Migrate from key trust deployment model to cloud Kerberos trust
If you deployed Windows Hello for Business using the *key trust model*, and want to migrate to the *cloud Kerberos trust model*, follow these steps:
If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps:
1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos)
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
@ -208,14 +207,14 @@ If you deployed Windows Hello for Business using the *key trust model*, and want
> [!NOTE]
> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
>
> Without line of sight to a DC, even when the client is configured to use *cloud Kerberos trust*, the system will fall back to *key trust* if *cloud Kerberos trust* login fails.
> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails.
## Migrate from certificate trust deployment model to cloud Kerberos trust
> [!IMPORTANT]
> There is no *direct* migration path from *certificate trust* deployment to *cloud Kerberos trust* deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust.
> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust.
If you deployed Windows Hello for Business using the *certificate trust model*, and want to use the *cloud Kerberos trust model*, you must redeploy Windows Hello for Business by following these steps:
If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
1. Disable the certificate trust policy
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)

2
windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
View File

@ -36,7 +36,7 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
> [!NOTE]
> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users:
> To manage Bitlocker via CSP (Configuration Service Provider), except to enable and disable it, regardless of your management platform, one of the following licenses must be assigned to your users:
> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5).

6
windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
View File

@ -35,13 +35,13 @@ Some TPM PCRs are used as checksums of log events. The log events are extended i
To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the same system configuration. Otherwise, the PCR values will not match.
It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values will not match.
## What happens when PCR banks are switched?
When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldnt match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldnt match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
## What can I do to switch PCRs when BitLocker is already active?
@ -49,7 +49,7 @@ Before switching PCR banks you should suspend or disable BitLocker or have y
## How can I identify which PCR bank is being used?
A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.
A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.
- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices<br>
- DWORD: TPMActivePCRBanks<br>

169
windows/security/threat-protection/windows-platform-common-criteria.md
View File

@ -2,13 +2,13 @@
title: Common Criteria Certifications
description: This topic details how Microsoft supports the Common Criteria certification program.
ms.prod: windows-client
ms.author: paoloma
author: paolomatarazzo
ms.author: sushmanemali
author: s4sush
manager: aaroncz
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/4/2022
ms.reviewer:
ms.reviewer: paoloma
ms.technology: itpro-security
---
@ -24,12 +24,16 @@ The product releases below are currently certified against the cited *Protection
- The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration
- The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions
For more details, expand each product section.
### Windows 11, Windows 10 (version 20H2, 21H1, 21H2), Windows Server, Windows Server 2022, Azure Stack HCIv2 version 21H2, Azure Stack Hub and Edge
<br>
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients
<details>
<summary><b> Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack)</b></summary>
- [Security Target](https://download.microsoft.com/download/c/5/9/c59832ff-414b-4f15-8273-d0c349a0b154/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(21H2%20et%20al).pdf)
- [Administrative Guide](https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf)
- [Validation Report](https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf)
### Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack)
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients
@ -38,10 +42,7 @@ Certified against the Protection Profile for General Purpose Operating Systems,
- [Validation Report](https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf)
</details>
<details>
<summary><b> Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V</b></summary>
### Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V
Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization.
@ -50,10 +51,7 @@ Certified against the Protection Profile for Virtualization, including the Exten
- [Validation Report](https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf)
- [Assurance Activities Report](https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1909, Windows Server, version 1909</b></summary>
### Windows 10, version 1909, Windows Server, version 1909
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.</b></summary>
@ -62,10 +60,7 @@ Certified against the Protection Profile for General Purpose Operating Systems,
- [Certification Report](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/0/0/d/00d26b48-a051-4e9a-8036-850d825f8ef9/Windows%2010%201909%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1903, Windows Server, version 1903</b></summary>
### Windows 10, version 1903, Windows Server, version 1903
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.</b></summary>
@ -74,10 +69,7 @@ Certified against the Protection Profile for General Purpose Operating Systems,
- [Certification Report](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/2/a/1/2a103b68-cd12-4476-8945-873746b5f432/Windows%2010%201903%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1809, Windows Server, version 1809</b></summary>
### Windows 10, version 1809, Windows Server, version 1809
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
@ -86,10 +78,7 @@ Certified against the Protection Profile for General Purpose Operating Systems,
- [Certification Report](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1803, Windows Server, version 1803</b></summary>
### Windows 10, version 1803, Windows Server, version 1803
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
@ -98,10 +87,7 @@ Certified against the Protection Profile for General Purpose Operating Systems,
- [Certification Report](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/b/3/d/b3da41b6-6ebc-4a26-a581-2d2ad8d8d1ac/Windows%2010%201803%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1709, Windows Server, version 1709</b></summary>
### Windows 10, version 1709, Windows Server, version 1709
Certified against the Protection Profile for General Purpose Operating Systems.
@ -110,10 +96,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Certification Report](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/e/7/6/e7644e3c-1e59-4754-b071-aec491c71849/Windows%2010%201709%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1703, Windows Server, version 1703</b></summary>
### Windows 10, version 1703, Windows Server, version 1703
Certified against the Protection Profile for General Purpose Operating Systems.
@ -122,10 +105,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1607, Windows Server 2016</b></summary>
### Windows 10, version 1607, Windows Server 2016
Certified against the Protection Profile for General Purpose Operating Systems.
@ -134,10 +114,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Validation Report](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/a/5/f/a5f08a43-75f9-4433-bd77-aeb14276e587/Windows%2010%201607%20GP%20OS%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1507, Windows Server 2012 R2</b></summary>
### Windows 10, version 1507, Windows Server 2012 R2
Certified against the Protection Profile for General Purpose Operating Systems.
@ -146,8 +123,6 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/7/e/5/7e5575c9-10f9-4f3d-9871-bd7cf7422e3b/Windows%2010%20(1507),%20Windows%20Server%202012%20R2%20GPOS%20Assurance%20Activity%20Report.pdf)
</details>
## Archived certified products
The product releases below were certified against the cited *Protection Profile* and are now archived, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/index.cfm?archived=1):
@ -156,12 +131,7 @@ The product releases below were certified against the cited *Protection Profile*
- The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration
- The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions
For more details, expand each product section.
<br>
<details>
<summary><b> Windows Server 2016, Windows Server 2012 R2, Windows 10</b></summary>
### Windows Server 2016, Windows Server 2012 R2, Windows 10
Certified against the Protection Profile for Server Virtualization.
@ -170,10 +140,7 @@ Certified against the Protection Profile for Server Virtualization.
- [Validation Report](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1607, Windows 10 Mobile, version 1607</b></summary>
### Windows 10, version 1607, Windows 10 Mobile, version 1607
Certified against the Protection Profile for Mobile Device Fundamentals.
@ -182,10 +149,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1607, Windows Server 2016</b></summary>
### Windows 10, version 1607, Windows Server 2016
Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
@ -194,10 +158,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN)
- [Validation Report](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/b/8/d/b8ddc36a-408a-4d64-a31c-d41c9c1e9d9e/Windows%2010%201607,%20Windows%20Server%202016%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1511</b></summary>
### Windows 10, version 1511
Certified against the Protection Profile for Mobile Device Fundamentals.
@ -206,10 +167,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Validation Report](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/1/f/1/1f12ed80-6d73-4a16-806f-d5116814bd7c/Windows%2010%20November%202015%20Update%20(1511)%20MDF%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1507, Windows 10 Mobile, version 1507</b></summary>
### Windows 10, version 1507, Windows 10 Mobile, version 1507
Certified against the Protection Profile for Mobile Device Fundamentals.
@ -218,10 +176,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10694-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/a/1/3/a1365491-0a53-42cd-bd73-ca4067c43d86/Windows%2010,%20Windows%2010%20Mobile%20(1507)%20MDF%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 10, version 1507</b></summary>
### Windows 10, version 1507
Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
@ -230,10 +185,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN)
- [Validation Report](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/9/3/6/93630ffb-5c06-4fea-af36-164da3e359c9/Windows%2010%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf)
</details>
<details>
<summary><b> Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830</b></summary>
### Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830
Certified against the Protection Profile for Mobile Device Fundamentals.
@ -241,10 +193,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-vr.pdf)
</details>
<details>
<summary><b> Surface Pro 3, Windows 8.1</b></summary>
### Surface Pro 3, Windows 8.1
Certified against the Protection Profile for Mobile Device Fundamentals.
@ -252,10 +201,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-vr.pdf)
</details>
<details>
<summary><b> Windows 8.1, Windows Phone 8.1</b></summary>
### Windows 8.1, Windows Phone 8.1
Certified against the Protection Profile for Mobile Device Fundamentals.
@ -263,10 +209,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
- [Administrative Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-vr.pdf)
</details>
<details>
<summary><b> Windows 8, Windows Server 2012</b></summary>
### Windows 8, Windows Server 2012
Certified against the Protection Profile for General Purpose Operating Systems.
@ -274,10 +217,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Administrative Guide](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-vr.pdf)
</details>
<details>
<summary><b> Windows 8, Windows RT</b></summary>
### Windows 8, Windows RT
Certified against the Protection Profile for General Purpose Operating Systems.
@ -285,10 +225,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Administrative Guide](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-vr.pdf)
</details>
<details>
<summary><b> Windows 8, Windows Server 2012 BitLocker</b></summary>
### Windows 8, Windows Server 2012 BitLocker
Certified against the Protection Profile for Full Disk Encryption.
@ -296,10 +233,7 @@ Certified against the Protection Profile for Full Disk Encryption.
- [Administrative Guide](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
</details>
<details>
<summary><b> Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client</b></summary>
### Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client
Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
@ -307,10 +241,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN)
- [Administrative Guide](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
</details>
<details>
<summary><b> Windows 7, Windows Server 2008 R2</b></summary>
### Windows 7, Windows Server 2008 R2
Certified against the Protection Profile for General Purpose Operating Systems.
@ -318,46 +249,31 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
</details>
<details>
<summary><b> Microsoft Windows Server 2008 R2 Hyper-V Role</b></summary>
### Microsoft Windows Server 2008 R2 Hyper-V Role
- [Security Target](https://www.microsoft.com/download/en/details.aspx?id=29305)
- [Administrative Guide](https://www.microsoft.com/download/en/details.aspx?id=29308)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
</details>
<details>
<summary><b> Windows Vista, Windows Server 2008 at EAL4+</b></summary>
### Windows Vista, Windows Server 2008 at EAL4+
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
</details>
<details>
<summary><b> Windows Vista, Windows Server 2008 at EAL1</b></summary>
### Windows Vista, Windows Server 2008 at EAL1
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
- [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
</details>
<details>
<summary><b> Microsoft Windows Server 2008 Hyper-V Role</b></summary>
### Microsoft Windows Server 2008 Hyper-V Role
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
- [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf)
</details>
<details>
<summary><b> Windows Server 2003 Certificate Server</b></summary>
### Windows Server 2003 Certificate Server
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
- [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
@ -366,12 +282,7 @@ Certified against the Protection Profile for General Purpose Operating Systems.
- [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
</details>
<details>
<summary><b> Windows Rights Management Services</b></summary>
### Windows Rights Management Services
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
</details>

2
windows/whats-new/TOC.yml
View File

@ -31,5 +31,7 @@
href: feature-lifecycle.md
- name: Deprecated Windows features
href: deprecated-features.md
- name: Resources for deprecated features
href: deprecated-features-resources.md
- name: Removed Windows features
href: removed-features.md

72
windows/whats-new/deprecated-features-resources.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Resources for deprecated features in the Windows client
description: Resources and details for deprecated features in the Windows Client.
ms.date: 12/10/2022
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
author: mestew
ms.author: mstewart
manager: aaroncz
ms.reviewer:
ms.topic: reference
---
# Resources for deprecated features
**Applies to**
- Windows 10
- Windows 11
This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features:
## Microsoft Support Diagnostic Tool resources
The [Microsoft Support Diagnostic Tool (MSDT)](/windows-server/administration/windows-commands/msdt) gathers diagnostic data for analysis by support professionals. MSDT is the engine used to run legacy Windows built-in troubleshooters. There are currently 28 built-in troubleshooters for MSDT. Half of the built-in troubleshooters have already been [redirected](#redirected-msdt-troubleshooters) to the Get Help platform, while the other half will be [retired](#retired-msdt-troubleshooters).
If you're using MSDT to run [custom troubleshooting packages](/previous-versions/windows/desktop/wintt/package-schema), it will be available as a [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before the tool is fully retired in 2025. This change will allow you to continue to use MSDT to run custom troubleshooting packages while transitioning to a new platform. [Contact Microsoft support](https://support.microsoft.com/contactus) for Windows if you require additional assistance.
### Redirected MSDT troubleshooters
The following troubleshooters will automatically be redirected when you access them from **Start** > **Settings** > **System** > **Troubleshoot**:
- Background Intelligent Transfer Service (BITS)
- Bluetooth
- Internet Connections
- Network Adapter
- Playing Audio
- Printer
- Program Compatibility Troubleshooter
- Recording Audio
- Video Playback
- Windows Network Diagnostics
- Windows Media Player DVD
- Windows Media Player Library
- Windows Media Player Settings
- Windows Update
### Retired MSDT troubleshooters
The following troubleshooters will be removed in a future release of Windows:
- Connection to a Workplace using DirectAccess
- Devices and Printers
- Hardware and Devices
- HomeGroup
- Incoming Connections
- Internet Explorer Performance
- Internet Explorer Safety
- Keyboard
- Power
- Search and Indexing
- Speech
- System Maintenance
- Shared Folders
- Windows Store Apps
## Next steps
- [Windows feature lifecycle](feature-lifecycle.md)
- [Deprecated Windows features](deprecated-features.md)
- [Removed Windows features](removed-features.md)

1
windows/whats-new/deprecated-features.md
View File

@ -36,6 +36,7 @@ The features in this article are no longer being actively developed, and might b
|Feature | Details and mitigation | Deprecation announced |
| ----------- | --------------------- | ---- |
| Microsoft Support Diagnostic Tool (MSDT) <!--6968128--> | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
| Universal Windows Platform (UWP) Applications for 32-bit Arm <!--7116112-->| This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content is not applicable. If you are not sure which type of processor you have, check **Settings** > **System** > **About**.</br> </br> Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
| Update Compliance <!--7260188-->| [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
| Windows Information Protection <!-- 6010051 --> | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).<br> <br>For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |

3
windows/whats-new/docfx.json
View File

@ -34,6 +34,9 @@
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"ms.collection": [
"tier2"
],
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",