From e5a2b3447512a2cd73182617bed4dd5fd8fc1484 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Sat, 14 Jan 2023 14:42:03 -0700 Subject: [PATCH 01/66] DO doc updates --- windows/deployment/do/delivery-optimization-workflow.md | 1 - windows/deployment/do/index.yml | 3 +-- windows/deployment/do/waas-delivery-optimization-setup.md | 7 +++---- windows/deployment/do/waas-delivery-optimization.md | 4 ++-- 4 files changed, 6 insertions(+), 9 deletions(-) diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md index 6d8accfe59..9e8de883b6 100644 --- a/windows/deployment/do/delivery-optimization-workflow.md +++ b/windows/deployment/do/delivery-optimization-workflow.md @@ -22,7 +22,6 @@ ms.date: 12/31/2017 This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to determine all available locations to pull content from, as well as content verification. - 1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB). 2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to leverage peer-to-peer. 3. When Delivery Optimization pulls a certain piece of the hash from another peer, it verifies the hash against the known hash in the content metadata file. diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index 5cbe1535a0..8ba99b0ff9 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -59,8 +59,7 @@ landingContent: - text: Optimize Windows 10 or later update delivery with Configuration Manager url: /mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization - text: Delivery Optimization settings in Microsoft Intune - url: /mem/intune/configuration/delivery-optimization-windows - + url: /mem/intune/configuration/delivery-optimization-windows # Card - title: Microsoft Connected Cache (MCC) for Enterprise and Education diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 44ace484d1..3b1b128b64 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -35,7 +35,6 @@ Starting with Microsoft Intune version 1902, you can set many Delivery Optimizat When using a firewall, it is important that the content endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). - ## Recommended Delivery Optimization settings Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). @@ -63,7 +62,7 @@ Quick-reference table: ### Hybrid WAN scenario -For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter. +For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when neither the GroupID or GroupIDSource policies are set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter. To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. @@ -71,7 +70,7 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza ### Hub and spoke topology with boundary groups -The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across groups, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set *RestrictPeerSelectionBy* policies to restrict the activity to the subnet or set a different source for Groups by using the GroupIDSrc parameter. See [Select a method to restrict peer selection](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection). +The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across Boundary Groups, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set *RestrictPeerSelectionBy* policies to restrict the activity to the subnet or set a different source for Groups by using the GroupIDSrc parameter. See [Select a method to restrict peer selection](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection). To do this in Group Policy go to ****Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. @@ -106,11 +105,11 @@ To do this in Group Policy, go to **Computer Configuration\Administrative Templa To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days). +[Learn more](delivery-optimization-test.md) about Delivery Optimization testing scenarios. [!INCLUDE [Monitor Delivery Optimization](includes/waas-delivery-optimization-monitor.md)] - ### Monitor with Update Compliance Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 149bfe398d..c3f1a72783 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -23,9 +23,9 @@ ms.date: 12/31/2017 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). -Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled). +Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is an HTTP downloader with a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network and/or a caching server) in addition to the traditional Internet-based servers. You can use Delivery Optimization with [Windows Update](deploy-whats-new#windows-update-for-business), Windows Server Update Services (WSUS), [Microsoft Intune/Windows Update for Business](/mem/intune/configuration/delivery-optimization-windows), or [Microsoft Configuration Manager](/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization) (when installation of Express Updates is enabled). -Access to the Delivery Optimization cloud services and the Internet, are both requirements for using the peer-to-peer functionality of Delivery Optimization. +Access to the Delivery Optimization cloud services and the Internet, are both requirements for using the peer-to-peer functionality of Delivery Optimization. When Delivery Optimization is configured to use peers and Microsoft Connected Cache, to achieve the best possible content delivery experience, the service will look for peers and cached content in parallel. If the desired content is not available, it will automatically fallback to the HTTP source to get the requested content. For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). From 8098d8f4da3e3d53f9b7d8a1925b6909f75e91b8 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Sat, 14 Jan 2023 15:24:54 -0700 Subject: [PATCH 02/66] Fix broken link --- windows/deployment/do/waas-delivery-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index c3f1a72783..016fd1aef9 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -23,7 +23,7 @@ ms.date: 12/31/2017 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). -Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is an HTTP downloader with a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network and/or a caching server) in addition to the traditional Internet-based servers. You can use Delivery Optimization with [Windows Update](deploy-whats-new#windows-update-for-business), Windows Server Update Services (WSUS), [Microsoft Intune/Windows Update for Business](/mem/intune/configuration/delivery-optimization-windows), or [Microsoft Configuration Manager](/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization) (when installation of Express Updates is enabled). +Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is an HTTP downloader with a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network and/or a caching server) in addition to the traditional Internet-based servers. You can use Delivery Optimization with [Windows Update](../update/how-windows-update-works.md), Windows Server Update Services (WSUS), [Microsoft Intune/Windows Update for Business](/mem/intune/configuration/delivery-optimization-windows), or [Microsoft Configuration Manager](/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization) (when installation of Express Updates is enabled). Access to the Delivery Optimization cloud services and the Internet, are both requirements for using the peer-to-peer functionality of Delivery Optimization. When Delivery Optimization is configured to use peers and Microsoft Connected Cache, to achieve the best possible content delivery experience, the service will look for peers and cached content in parallel. If the desired content is not available, it will automatically fallback to the HTTP source to get the requested content. From 8f1bcd87b8e00faa1cbd6f32e2381c19c7b9d557 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 25 Jan 2023 11:19:17 -0700 Subject: [PATCH 03/66] Addressed feedback, other minor changes --- .../do/waas-delivery-optimization-reference.md | 8 +++----- .../do/waas-delivery-optimization-setup.md | 18 +++++++++--------- .../do/waas-optimize-windows-10-updates.md | 2 +- 3 files changed, 13 insertions(+), 15 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 6564dcd26e..ce85a61cb0 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -22,7 +22,7 @@ ms.date: 12/31/2017 > **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=103506). -There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows client updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows client updates](waas-delivery-optimization-setup.md). +There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This topic summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md). ## Delivery Optimization options @@ -31,14 +31,13 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**. In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**. -[//]: # (something about Intune UX--perhaps link to relevant Intune docs?) - ### Summary of Delivery Optimization settings | Group Policy setting | MDM setting | Supported from version | | --- | --- | --- | | [Download mode](#download-mode) | DODownloadMode | 1511 | | [Group ID](#group-id) | DOGroupID | 1511 | +| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | | [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | | [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | | [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 | @@ -58,7 +57,6 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [SetHoursToLimitBackgroundDownloadBandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | | [SetHoursToLimitForegroundDownloadBandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | | [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) |DORestrictPeerSelectionBy | 1803 | -| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | | [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | | [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | | [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | @@ -259,7 +257,7 @@ The device can download from peers while on battery regardless of this policy. ### Cache Server Hostname -Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somrandomhost.com,10.10.1.7. **By default, this policy is empty.** +Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy is empty.** >[!IMPORTANT] > Any value will signify that the policy is set. For example, an empty string ("") is not considered empty. diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 0df4f87d64..3eaf625959 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -29,7 +29,7 @@ You will find the Delivery Optimization settings in Group Policy under **Compute Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows). -**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. +**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5. ## Allow content endpoints @@ -58,11 +58,11 @@ Quick-reference table: | Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology | | Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Leverage peers-to-peer capability in more downloads | | Large number of mobile devices | Allow uploads on battery power | 60% | Increase # of devices that can upload while limiting battery drain | -| Labs with AC-powered devices | Content Expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period | +| Labs with AC-powered devices | Content expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period | ### Hybrid WAN scenario -For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when neither the GroupID or GroupIDSource policies are set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter. +For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when neither the GroupID or GroupIDSource policies are set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy. To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. @@ -70,14 +70,14 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza ### Hub and spoke topology with boundary groups -The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across Boundary Groups, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set *RestrictPeerSelectionBy* policies to restrict the activity to the subnet or set a different source for Groups by using the GroupIDSrc parameter. See [Select a method to restrict peer selection](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection). +The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set a different source for Groups by using the the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy] (waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet. To do this in Group Policy go to ****Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**. > [!NOTE] -> For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). +> For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optimization for Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). ### Large number of mobile devices @@ -134,17 +134,17 @@ If you don't see any bytes coming from peers the cause might be one of the follo Try these steps: 1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga"). -2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the [DownloadMode](waas-delivery-optimization-reference.md#download-mode) setting. For peering to work, DownloadMode should be 1, 2, or 3. -3. If DownloadMode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**. +2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the [DODownloadMode](waas-delivery-optimization-reference.md#download-mode) setting. For peering to work, download mode should be 1, 2, or 3. +3. If the download mode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**. ### The cloud service doesn't see other peers on the network Try these steps: 1. Download the same app on two different devices on the same network, waiting 10 – 15 minutes between downloads. -2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices. +2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices. 3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero. -4. If the number of peers is zero and **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices are not reporting the same public IP address, configure **[DownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[GroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this. +4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices are not reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this. > [!NOTE] > Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md index 5d39e69f91..75673f3bad 100644 --- a/windows/deployment/do/waas-optimize-windows-10-updates.md +++ b/windows/deployment/do/waas-optimize-windows-10-updates.md @@ -47,7 +47,7 @@ Two methods of peer-to-peer content distribution are available. > [!NOTE] > Microsoft Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache). > -> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Configuration Manager](/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). +> In addition to Client Peer Cache, similar functionality is available in the Windows Pre-installation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Configuration Manager](/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). ## Express update delivery From 11272e9eda5736a3d190323c14ec51cb26ff01c4 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 25 Jan 2023 11:53:32 -0700 Subject: [PATCH 04/66] Add clarity and accuracy --- windows/deployment/do/waas-delivery-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 016fd1aef9..5b8f27bc90 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -25,7 +25,7 @@ ms.date: 12/31/2017 Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is an HTTP downloader with a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network and/or a caching server) in addition to the traditional Internet-based servers. You can use Delivery Optimization with [Windows Update](../update/how-windows-update-works.md), Windows Server Update Services (WSUS), [Microsoft Intune/Windows Update for Business](/mem/intune/configuration/delivery-optimization-windows), or [Microsoft Configuration Manager](/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization) (when installation of Express Updates is enabled). -Access to the Delivery Optimization cloud services and the Internet, are both requirements for using the peer-to-peer functionality of Delivery Optimization. When Delivery Optimization is configured to use peers and Microsoft Connected Cache, to achieve the best possible content delivery experience, the service will look for peers and cached content in parallel. If the desired content is not available, it will automatically fallback to the HTTP source to get the requested content. +Access to the Delivery Optimization cloud services and the Internet, are both requirements for using the peer-to-peer functionality of Delivery Optimization. When Delivery Optimization is configured to use peers and Microsoft Connected Cache, to achieve the best possible content delivery experience, the service will make multiple connections to the HTTP source, peers, and cached content in parallel. If the desired content is not available, from neither peers nor cache, it will automatically fallback to the HTTP source to get the requested content. For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). From 1575f7edb12354fcb95fa2ea256bafd096d93733 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 25 Jan 2023 11:57:35 -0700 Subject: [PATCH 05/66] More edits --- windows/deployment/do/waas-delivery-optimization-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 3eaf625959..4146822e1f 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -70,7 +70,7 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza ### Hub and spoke topology with boundary groups -The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else. If you're not using Active Directory sites, you should set a different source for Groups by using the the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy] (waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet. +The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since those will be used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy] (waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet. To do this in Group Policy go to ****Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. From 3b2bfeb3bd2e89841eb1a86a0e15b99706edff76 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 25 Jan 2023 14:42:22 -0700 Subject: [PATCH 06/66] Adding details to table --- .../waas-delivery-optimization-reference.md | 84 +++++++++---------- .../do/waas-delivery-optimization.md | 2 +- 2 files changed, 42 insertions(+), 44 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index ce85a61cb0..3d5163a226 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -33,43 +33,41 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz ### Summary of Delivery Optimization settings -| Group Policy setting | MDM setting | Supported from version | +| Group Policy setting | MDM setting | Supported from version | Notes | | --- | --- | --- | -| [Download mode](#download-mode) | DODownloadMode | 1511 | -| [Group ID](#group-id) | DOGroupID | 1511 | -| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | -| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | -| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | -| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 | -| [Max Cache Size](#max-cache-size) | DOMaxCacheSize | 1511 | -| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | -| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | -| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | -| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| -| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| -| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) | -| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | -| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | -| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | -| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | -| [MaxForegroundDownloadBandwidth](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | -| [MaxBackgroundDownloadBandwidth](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | -| [SetHoursToLimitBackgroundDownloadBandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | -| [SetHoursToLimitForegroundDownloadBandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | -| [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) |DORestrictPeerSelectionBy | 1803 | -| [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | -| [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | -| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | -| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | -| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | -| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | -| [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | -| [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | +| [Download mode](#download-mode) | DODownloadMode | 1511 | The Group [Download mode](#download-mode) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.| +| [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check GroupIDSource. When neither the GroupID or GroupIDSource policies are set, the Group ID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | +| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check GroupID. When neither the GroupID or GroupIDSource policies are set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | +| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, consumer devices default to using 'Local discovery (DNS-SD)' and commercial devices will default to using 'Subnet'. | +| [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. | +| [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. | +| [Max cache age](#max-cache-age) | DOMaxCacheAge | 1511 | | +| [Max cache size](#max-cache-size) | DOMaxCacheSize | 1511 | | +| [Absolute max cache size (in GBs)](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | | +| [Modify cache drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | | +| [Minimum peer caching content file size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | | +| [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| | +| [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| | +| [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) | | +| [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | | +| [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | | +| [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | | +| [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | | +| [Maximum foreground download bandwidth](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | | +| [Maximum background download bandwidth](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | | +| [Maximum foreground download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | | +| [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | | +| [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | | +| [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | | +| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | | +| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | | +| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | | +| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | | +| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | | +| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | | ### More detail on Delivery Optimization settings -[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group. - Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario: - [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use. @@ -93,8 +91,8 @@ Additional options available that control the impact Delivery Optimization has o - [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) restricts peer selection by the options you select. - [Select the source of Group IDs](#select-the-source-of-group-ids) restricts peer selection to a specific source. -- [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. -- [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. +- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. +- [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. Administrators can further customize scenarios where Delivery Optimization will be used with the following settings: @@ -126,8 +124,6 @@ Download mode dictates which download sources clients are allowed to use when do By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. -[//]: # (Configuration Manager boundary group option; GroupID Source policy) - >[!NOTE] >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) > @@ -137,7 +133,7 @@ By default, peer sharing on clients using the Group download mode (option 2) is Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source, when using a GroupID policy. The options are: -- 0 = not set +- 0 = Not set - 1 = AD Site - 2 = Authenticated domain SID - 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID) @@ -215,21 +211,23 @@ If Group mode is set, Delivery Optimization will connect to locally discovered p The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. -### Delay background download from http (in secs) +### Delay background download from HTTP (in secs) -Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.** +Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.** -### Delay foreground download from http (in secs) +### Delay foreground download from HTTP (in secs) Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.** ### Delay Foreground Download Cache Server Fallback (in secs) -Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). **By default, this policy is not set.** +Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy is not set.** + +By default this policy is not set. So, ### Delay Background Download Cache Server Fallback (in secs) -Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). **By default, this policy is not set.** +Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If the 'Delay background download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy is not set.** ### Minimum Background QoS diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 5b8f27bc90..ea50caf02b 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -25,7 +25,7 @@ ms.date: 12/31/2017 Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is an HTTP downloader with a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network and/or a caching server) in addition to the traditional Internet-based servers. You can use Delivery Optimization with [Windows Update](../update/how-windows-update-works.md), Windows Server Update Services (WSUS), [Microsoft Intune/Windows Update for Business](/mem/intune/configuration/delivery-optimization-windows), or [Microsoft Configuration Manager](/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization) (when installation of Express Updates is enabled). -Access to the Delivery Optimization cloud services and the Internet, are both requirements for using the peer-to-peer functionality of Delivery Optimization. When Delivery Optimization is configured to use peers and Microsoft Connected Cache, to achieve the best possible content delivery experience, the service will make multiple connections to the HTTP source, peers, and cached content in parallel. If the desired content is not available, from neither peers nor cache, it will automatically fallback to the HTTP source to get the requested content. +To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content cannot be obtain from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). From 9b758e9abf4640bc02a2ee69dd49f441f3f45834 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 25 Jan 2023 18:53:17 -0700 Subject: [PATCH 07/66] Add details to new table. --- .../waas-delivery-optimization-reference.md | 80 ++++++++++++------- 1 file changed, 51 insertions(+), 29 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 3d5163a226..09e5048ef8 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -35,39 +35,41 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | Group Policy setting | MDM setting | Supported from version | Notes | | --- | --- | --- | -| [Download mode](#download-mode) | DODownloadMode | 1511 | The Group [Download mode](#download-mode) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.| +| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is '1'. The Group [Download mode](#download-mode) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.| | [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check GroupIDSource. When neither the GroupID or GroupIDSource policies are set, the Group ID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | | [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check GroupID. When neither the GroupID or GroupIDSource policies are set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | | [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, consumer devices default to using 'Local discovery (DNS-SD)' and commercial devices will default to using 'Subnet'. | | [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. | | [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. | -| [Max cache age](#max-cache-age) | DOMaxCacheAge | 1511 | | -| [Max cache size](#max-cache-size) | DOMaxCacheSize | 1511 | | -| [Absolute max cache size (in GBs)](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | | -| [Modify cache drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | | -| [Minimum peer caching content file size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | | -| [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| | -| [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| | -| [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) | | -| [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | | -| [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | | -| [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | | -| [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | | -| [Maximum foreground download bandwidth](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | | -| [Maximum background download bandwidth](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | | -| [Maximum foreground download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | | -| [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | | -| [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | | -| [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | | -| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | | -| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | | -| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | | -| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | | -| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | | -| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | | +| [Max cache age](#max-cache-age) | DOMaxCacheAge | 1511 | Default value is 259,200 seconds (three days). | +| [Max cache size](#max-cache-size) | DOMaxCacheSize | 1511 | Default value is 20. | +| [Absolute max cache size (in GBs)](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | Default value is 10 GB.| +| [Modify cache drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | Default to the operating system drive through the %SYSTEMDRIVE% environment variable. | +| [Minimum peer caching content file size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | Default file size is 50MB | +| [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | +| [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | +| [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) | Default is '0' (unlimited). | +| [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value for this setting is 20 GB. | +| [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Default value is 500KB/s. | +| [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. | +| [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery. | +| [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. | +| [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. | +| [Maximum foreground download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. | +| [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. | +| [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | Default is not set. | +| [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default is not set. | +| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | For peering, use this policy to delay the fallback to the HTTP source. Default is not set. | +| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | For peering, Use this policy to delay the fallback to the HTTP source. Default is not set. | +| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | For cached content (using Microsoft Connected Cache) Use this policy to delay the fallback to the HTTP source. Default is not set.| +| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | For cached content (using Microsoft Connected Cache)Default is not set.| +| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | By default, this policy has no value. | +| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | By default, this policy has no value. | ### More detail on Delivery Optimization settings +#### Locally cached updates + Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario: - [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use. @@ -79,6 +81,8 @@ Delivery Optimization uses locally cached updates. In cases where devices have a All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size). +#### Impact to network + Additional options available that control the impact Delivery Optimization has on your network include the following: - [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) control the download bandwidth used by Delivery Optimization. @@ -91,8 +95,26 @@ Additional options available that control the impact Delivery Optimization has o - [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) restricts peer selection by the options you select. - [Select the source of Group IDs](#select-the-source-of-group-ids) restricts peer selection to a specific source. -- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. - [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. +- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. + +#### Delay options explained + +There are four settings that allow you to control the default behavior and delay access to the HTTP source. The goal of these settings to is provide fine tuning to a particular network's needs to potentially increase the success rate of pulling content from local sources (either from peer or Microsoft Connected Cache). To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content cannot be obtain from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. However, the following delay settings can be used to alter this behavior. + +##### Peer-to-peer delay settings + +- [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. +- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. + +##### Microsoft Connected Cache (MCC) delay settings + +- [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use a cache server. +- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use a cache server. + +If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings. This allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server. + +#### System resource usage Administrators can further customize scenarios where Delivery Optimization will be used with the following settings: @@ -193,7 +215,7 @@ This setting specifies the maximum download bandwidth that Delivery Optimization ### Max Upload Bandwidth -This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0", or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. +This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0" or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. ### Set Business Hours to Limit Background Download Bandwidth @@ -231,7 +253,7 @@ Starting in Windows 10, version 1903, set this policy to delay the fallback from ### Minimum Background QoS -This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. The lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. **The default value is 500KB/s** +This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. The lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. **The default value is 500KB/s.** ### Modify Cache Drive @@ -255,7 +277,7 @@ The device can download from peers while on battery regardless of this policy. ### Cache Server Hostname -Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy is empty.** +Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** >[!IMPORTANT] > Any value will signify that the policy is set. For example, an empty string ("") is not considered empty. From 8a318d9365b1b6d4884f97573e7af6a0b2e9710e Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 25 Jan 2023 19:15:28 -0700 Subject: [PATCH 08/66] Updates --- .../waas-delivery-optimization-reference.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 09e5048ef8..ea14267b83 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -34,22 +34,22 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz ### Summary of Delivery Optimization settings | Group Policy setting | MDM setting | Supported from version | Notes | -| --- | --- | --- | -| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is '1'. The Group [Download mode](#download-mode) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.| -| [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check GroupIDSource. When neither the GroupID or GroupIDSource policies are set, the Group ID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | -| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check GroupID. When neither the GroupID or GroupIDSource policies are set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | -| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, consumer devices default to using 'Local discovery (DNS-SD)' and commercial devices will default to using 'Subnet'. | +| --- | --- | --- | ------- | +| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.| +| [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When neither the GroupID or GroupIDSource policies are set, the GroupID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | +| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When neither the GroupID or GroupIDSource policies are set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | +| [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, consumer devices default to using 'Local discovery (DNS-SD)' and commercial devices default to using 'Subnet'. | | [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. | | [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. | | [Max cache age](#max-cache-age) | DOMaxCacheAge | 1511 | Default value is 259,200 seconds (three days). | -| [Max cache size](#max-cache-size) | DOMaxCacheSize | 1511 | Default value is 20. | +| [Max cache size](#max-cache-size) | DOMaxCacheSize | 1511 | Default value is 20%. | | [Absolute max cache size (in GBs)](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | Default value is 10 GB.| | [Modify cache drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | Default to the operating system drive through the %SYSTEMDRIVE% environment variable. | -| [Minimum peer caching content file size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | Default file size is 50MB | +| [Minimum peer caching content file size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | Default file size is 50MB. | | [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | | [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | | [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) | Default is '0' (unlimited). | -| [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value for this setting is 20 GB. | +| [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value for is 20 GB. | | [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Default value is 500KB/s. | | [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. | | [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery. | @@ -59,12 +59,12 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. | | [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | Default is not set. | | [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default is not set. | -| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | For peering, use this policy to delay the fallback to the HTTP source. Default is not set. | -| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | For peering, Use this policy to delay the fallback to the HTTP source. Default is not set. | -| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | For cached content (using Microsoft Connected Cache) Use this policy to delay the fallback to the HTTP source. Default is not set.| -| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | For cached content (using Microsoft Connected Cache)Default is not set.| -| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | By default, this policy has no value. | -| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | By default, this policy has no value. | +| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default is not set. For peering, use this policy to delay the fallback to the HTTP source. | +| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default is not set. For peering, Use this policy to delay the fallback to the HTTP source. | +| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default is not set. For cached content (using Microsoft Connected Cache) Use this policy to delay the fallback to the HTTP source. | +| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default is not set. For cached content (using Microsoft Connected Cache).| +| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | Default is it has no value. | +| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | Default is it has no value. | ### More detail on Delivery Optimization settings @@ -98,7 +98,7 @@ Additional options available that control the impact Delivery Optimization has o - [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. - [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. -#### Delay options explained +#### Delay options There are four settings that allow you to control the default behavior and delay access to the HTTP source. The goal of these settings to is provide fine tuning to a particular network's needs to potentially increase the success rate of pulling content from local sources (either from peer or Microsoft Connected Cache). To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content cannot be obtain from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. However, the following delay settings can be used to alter this behavior. @@ -112,7 +112,7 @@ There are four settings that allow you to control the default behavior and delay - [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use a cache server. - [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use a cache server. -If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings. This allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server. +**If both peer-to-peer and MCC are configured, the peer-to-peer delay settings will take precedence over the cache server delay settings.** This allows Delivery Optimization to discover peers first then recognize the fallback setting for the MCC cache server. #### System resource usage @@ -181,7 +181,7 @@ In environments configured for Delivery Optimization, you might want to set an e ### Max Cache Size -This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20**. +This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**. ### Absolute Max Cache Size From 06aabd45bba432acd09eb2a90c757637967221e5 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Thu, 26 Jan 2023 12:30:23 -0700 Subject: [PATCH 09/66] Addressed Acrolinx feedback --- .../do/delivery-optimization-workflow.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md index 9e8de883b6..b0c170be89 100644 --- a/windows/deployment/do/delivery-optimization-workflow.md +++ b/windows/deployment/do/delivery-optimization-workflow.md @@ -20,13 +20,13 @@ ms.date: 12/31/2017 ## Download request workflow -This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to determine all available locations to pull content from, as well as content verification. +This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to determine all available locations to pull content from, and content verification. 1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB). -2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to leverage peer-to-peer. +2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to use peer-to-peer. 3. When Delivery Optimization pulls a certain piece of the hash from another peer, it verifies the hash against the known hash in the content metadata file. 4. If a peer provides an invalid piece, that piece is discarded. When a peer sends multiple bad pieces, it's banned and will no longer be used as a source by the Delivery Optimization client performing the download. -5. If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to "simple mode” (pulling content only from an HTTP source) and peer-to-peer won't be allowed. +5. If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to "simple mode”. Simple mode will only pull content from the HTTP source and peer-to-peer won't be allowed. 6. Once downloading is complete, Delivery Optimization uses all retrieved pieces of the content to put the file together. At that point, the Delivery Optimization caller (for example, Windows Update) checks the entire file to verify the signature prior to installing it. ## Delivery Optimization service endpoint and data information @@ -34,8 +34,8 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r |Endpoint hostname | Port|Name|Description|Data sent from the computer to the endpoint |--------------------------------------------|--------|---------------|-----------------------|------------------------| | geover-prod.do.dsp.mp.microsoft.com
geo-prod.do.dsp.mp.microsoft.com
geo.prod.do.dsp.mp.microsoft.com
geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox)
**doClientVersion**: The version of the DoSvc client
**groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) | -| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from
**doClientVersion**: The version of the DoSvc client
**Profile**: The device type (for example, PC or Xbox)
**eId**: Client grouping Id
**CacheHost**: Cache host id | -| cp\*.prod.do.dsp.mp.microsoft.com
| 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**countryCode**: The country the client is connected from
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id
**CacheHost**: Cache host id | -| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**partitionId**: Client partitioning hint
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id | -| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**altCatalogId**: If ContentId isn't available, use the download URL instead
**PeerId**: Identity of the device running DO client
**ReportedIp**: The internal / private IP Address
**IsBackground**: Is the download interactive or background
**Uploaded**: Total bytes uploaded to peers
**Downloaded**: Total bytes downloaded from peers
**DownloadedCdn**: Total bytes downloaded from CDN
**Left**: Bytes left to download
**Peers Wanted**: Total number of peers wanted
**Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
**Scope**: The Download mode
**UploadedBPS**: The upload speed in bytes per second
**DownloadBPS**: The download speed in Bytes per second
**eId**: Client grouping Id | +| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services and device configs. | **countryCode**: The country the client is connected from
**doClientVersion**: The version of the DoSvc client
**Profile**: The device type (for example, PC or Xbox)
**eId**: Client grouping ID
**CacheHost**: Cache host ID | +| cp\*.prod.do.dsp.mp.microsoft.com
| 443 | Content Policy | Provides content specific policies and as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**countryCode**: The country the client is connected from
**altCatalogID**: If ContentID isn't available, use the download URL instead
**eID**: Client grouping ID
**CacheHost**: Cache host ID | +| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupID and external IP. | **Profile**: The device type (for example, PC or Xbox)
**ContentID**: The content identifier
**doClientVersion**: The version of the DoSvc client
**partitionID**: Client partitioning hint
**altCatalogID**: If ContentID isn't available, use the download URL instead
**eID**: Client grouping ID | +| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
**ContentID**: The content identifier
**doClientVersion**: The version of the DoSvc client
**altCatalogID**: If ContentID isn't available, use the download URL instead
**PeerID**: Identity of the device running DO client
**ReportedIp**: The internal / private IP Address
**IsBackground**: Is the download interactive or background
**Uploaded**: Total bytes uploaded to peers
**Downloaded**: Total bytes downloaded from peers
**DownloadedCdn**: Total bytes downloaded from CDN
**Left**: Bytes left to download
**Peers Wanted**: Total number of peers wanted
**Group ID**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
**Scope**: The Download mode
**UploadedBPS**: The upload speed in bytes per second
**DownloadBPS**: The download speed in Bytes per second
**eID**: Client grouping ID | | dl.delivery.mp.microsoft.com
emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | From 76839b80a8e429db374ae7da0abda7b8e1628a0a Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Sun, 29 Jan 2023 19:49:41 -0700 Subject: [PATCH 10/66] Address Acorlinx feedback --- .../do/delivery-optimization-workflow.md | 2 +- .../waas-delivery-optimization-reference.md | 24 +++++++++---------- .../do/waas-delivery-optimization-setup.md | 16 ++++++------- .../do/waas-delivery-optimization.md | 2 +- 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md index b0c170be89..5083d8f0da 100644 --- a/windows/deployment/do/delivery-optimization-workflow.md +++ b/windows/deployment/do/delivery-optimization-workflow.md @@ -20,7 +20,7 @@ ms.date: 12/31/2017 ## Download request workflow -This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to determine all available locations to pull content from, and content verification. +This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to verify the content and to determine all available locations to pull content from. 1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB). 2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to use peer-to-peer. diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index ea14267b83..7be331f0fe 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -36,8 +36,8 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | Group Policy setting | MDM setting | Supported from version | Notes | | --- | --- | --- | ------- | | [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.| -| [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When neither the GroupID or GroupIDSource policies are set, the GroupID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | -| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When neither the GroupID or GroupIDSource policies are set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | +| [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies are not set, the GroupID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | +| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies are not set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | | [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, consumer devices default to using 'Local discovery (DNS-SD)' and commercial devices default to using 'Subnet'. | | [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. | | [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. | @@ -45,12 +45,12 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Max cache size](#max-cache-size) | DOMaxCacheSize | 1511 | Default value is 20%. | | [Absolute max cache size (in GBs)](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | Default value is 10 GB.| | [Modify cache drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | Default to the operating system drive through the %SYSTEMDRIVE% environment variable. | -| [Minimum peer caching content file size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | Default file size is 50MB. | +| [Minimum peer caching content file size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | Default file size is 50 MB. | | [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | | [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | | [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) | Default is '0' (unlimited). | -| [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value for is 20 GB. | -| [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Default value is 500KB/s. | +| [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value is 20 GB. | +| [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Default value is 500 KB/s. | | [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. | | [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery. | | [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. | @@ -70,7 +70,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz #### Locally cached updates -Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario: +Delivery Optimization uses locally cached updates to deliver contact via peers. The more content available in the cache, the more likely that peering can be used. In cases where devices have enough local storage and you'd like to cache more content. Likewise, if you have limited storage and would prefer to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario: - [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use. - [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache. @@ -83,7 +83,7 @@ All cached files have to be above a set minimum size. This size is automatically #### Impact to network -Additional options available that control the impact Delivery Optimization has on your network include the following: +More options available that control the impact Delivery Optimization has on your network include the following: - [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) control the download bandwidth used by Delivery Optimization. - [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. @@ -100,7 +100,7 @@ Additional options available that control the impact Delivery Optimization has o #### Delay options -There are four settings that allow you to control the default behavior and delay access to the HTTP source. The goal of these settings to is provide fine tuning to a particular network's needs to potentially increase the success rate of pulling content from local sources (either from peer or Microsoft Connected Cache). To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content cannot be obtain from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. However, the following delay settings can be used to alter this behavior. +There are four settings that allow you to control the default behavior and delay access to the HTTP source. The goal of these settings is to provide fine tuning to a particular network's needs to potentially increase the success rate of pulling content from local sources (either from peer or Microsoft Connected Cache). To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content cannot be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. However, the following delay settings can be used to alter this behavior. ##### Peer-to-peer delay settings @@ -125,7 +125,7 @@ Administrators can further customize scenarios where Delivery Optimization will ### Download mode -Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Additional technical details for these policies are available in [Policy CSP - Delivery Optimization](/windows/client-management/mdm/policy-csp-deliveryoptimization). +Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. Other technical details for these policies are available in [Policy CSP - Delivery Optimization](/windows/client-management/mdm/policy-csp-deliveryoptimization). | Download mode option | Functionality when set | | --- | --- | @@ -162,7 +162,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection - 4 = DNS Suffix - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. -When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. +When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when the GroupID or GroupIDSource policies are not set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. ### Minimum RAM (inclusive) allowed to use Peer Caching @@ -189,7 +189,7 @@ This setting specifies the maximum number of gigabytes the Delivery Optimization ### Minimum Peer Caching Content File Size -This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50MB** to participate in peering. +This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50 MB** to participate in peering. ### Maximum Download Bandwidth @@ -253,7 +253,7 @@ Starting in Windows 10, version 1903, set this policy to delay the fallback from ### Minimum Background QoS -This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. The lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. **The default value is 500KB/s.** +This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. The lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. **The default value is 500 KB/s.** ### Modify Cache Drive diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 4146822e1f..1a9aa58c09 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -33,7 +33,7 @@ Starting with Microsoft Intune version 1902, you can set many Delivery Optimizat ## Allow content endpoints -When using a firewall, it is important that the content endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). +When using a firewall, it's important that the content endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). ## Recommended Delivery Optimization settings @@ -62,7 +62,7 @@ Quick-reference table: ### Hybrid WAN scenario -For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when neither the GroupID or GroupIDSource policies are set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy. +For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies are not set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy. To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. @@ -70,7 +70,7 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza ### Hub and spoke topology with boundary groups -The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since those will be used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy] (waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet. +The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since those will be used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy] (waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet. To do this in Group Policy go to ****Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. @@ -89,11 +89,11 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza ### Plentiful free space and large numbers of devices -Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. +Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you've more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you've more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. -To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices). +To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you've more than 30 devices) or 1 (if you've more than 100 devices). -To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). +To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you've more than 30 devices) or 1 (if you've more than 100 devices). ### Lab scenario @@ -144,7 +144,7 @@ Try these steps: 1. Download the same app on two different devices on the same network, waiting 10 – 15 minutes between downloads. 2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices. 3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero. -4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices are not reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this. +4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this. > [!NOTE] > Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. @@ -154,7 +154,7 @@ Try these steps: Try a Telnet test between two devices on the network to ensure they can connect using port 7680. Follow these steps: 1. Install Telnet by running `dism /online /Enable-Feature /FeatureName:TelnetClient` from an elevated command prompt. -2. Run the test. For example, if you are on device with IP 192.168.8.12 and you are trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You will either see a connection error or a blinking cursor like this /_. The blinking cursor means success. +2. Run the test. For example, if you are on device with IP 192.168.8.12 and you're trying to test the connection to 192.168.9.17 run `telnet 192.168.9.17 7680` (the syntax is *telnet [destination IP] [port]*. You'll either see a connection error or a blinking cursor like this /_. The blinking cursor means success. > [!NOTE] > You can also use [Test-NetConnection](/powershell/module/nettcpip/test-netconnection) instead of Telnet to run the test. diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index ea50caf02b..6a2cf4f44b 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -25,7 +25,7 @@ ms.date: 12/31/2017 Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is an HTTP downloader with a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network and/or a caching server) in addition to the traditional Internet-based servers. You can use Delivery Optimization with [Windows Update](../update/how-windows-update-works.md), Windows Server Update Services (WSUS), [Microsoft Intune/Windows Update for Business](/mem/intune/configuration/delivery-optimization-windows), or [Microsoft Configuration Manager](/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization) (when installation of Express Updates is enabled). -To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content cannot be obtain from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. +To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtain from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). From 0486fd40a0988d1a7c9c0cb6f212f64c2a434c6e Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Mon, 30 Jan 2023 09:29:08 -0700 Subject: [PATCH 11/66] Adding clarity, tone, correctness --- .../waas-delivery-optimization-reference.md | 52 +++++++++---------- .../do/waas-delivery-optimization-setup.md | 6 +-- .../do/waas-delivery-optimization.md | 2 +- .../do/waas-optimize-windows-10-updates.md | 2 +- 4 files changed, 31 insertions(+), 31 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 7be331f0fe..a1e2a540e9 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -28,7 +28,7 @@ There are many configuration options you can set in Delivery Optimization to cus You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. -You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**. +You'll find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**. In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**. ### Summary of Delivery Optimization settings @@ -36,8 +36,8 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | Group Policy setting | MDM setting | Supported from version | Notes | | --- | --- | --- | ------- | | [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.| -| [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies are not set, the GroupID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | -| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies are not set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | +| [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | +| [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group will be defined as the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. | | [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, consumer devices default to using 'Local discovery (DNS-SD)' and commercial devices default to using 'Subnet'. | | [Minimum RAM (inclusive) allowed to use peer caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | Default value is 4 GB. | | [Minimum disk size allowed to use peer caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | Default value is 32 GB. | @@ -57,12 +57,12 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. | | [Maximum foreground download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. | | [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. | -| [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | Default is not set. | -| [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default is not set. | -| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default is not set. For peering, use this policy to delay the fallback to the HTTP source. | -| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default is not set. For peering, Use this policy to delay the fallback to the HTTP source. | -| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default is not set. For cached content (using Microsoft Connected Cache) Use this policy to delay the fallback to the HTTP source. | -| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default is not set. For cached content (using Microsoft Connected Cache).| +| [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | Default isn't set. | +| [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. | +| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. | +| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, Use this policy to delay the fallback to the HTTP source. | +| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For cached content (using Microsoft Connected Cache) Use this policy to delay the fallback to the HTTP source. | +| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For cached content (using Microsoft Connected Cache).| | [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | Default is it has no value. | | [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | Default is it has no value. | @@ -100,7 +100,7 @@ More options available that control the impact Delivery Optimization has on your #### Delay options -There are four settings that allow you to control the default behavior and delay access to the HTTP source. The goal of these settings is to provide fine tuning to a particular network's needs to potentially increase the success rate of pulling content from local sources (either from peer or Microsoft Connected Cache). To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content cannot be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. However, the following delay settings can be used to alter this behavior. +There are four settings that allow you to control the default behavior and delay access to the HTTP source. The goal of these settings is to provide fine tuning to a particular network's needs to potentially increase the success rate of pulling content from local sources (either from peer or Microsoft Connected Cache). To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. However, the following delay settings can be used to alter this behavior. ##### Peer-to-peer delay settings @@ -134,7 +134,7 @@ Download mode dictates which download sources clients are allowed to use when do | Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | -|Bypass (100) |Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **(0)** or **(99)**. | +|Bypass (100) |Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **(0)** or **(99)**. | > [!NOTE] > Starting in Windows 11, the Bypass option of Download Mode is no longer used. @@ -144,7 +144,7 @@ Download mode dictates which download sources clients are allowed to use when do ### Group ID -By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. +By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but don't fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. >[!NOTE] >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) @@ -162,7 +162,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection - 4 = DNS Suffix - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. -When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when the GroupID or GroupIDSource policies are not set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. +When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. ### Minimum RAM (inclusive) allowed to use Peer Caching @@ -200,11 +200,11 @@ This setting specifies the maximum download bandwidth that can be used across al ### Maximum Foreground Download Bandwidth -Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set. +Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers aren't throttled even when this policy is set. ### Maximum Background Download Bandwidth -Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers are not throttled even when this policy is set. +Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers aren't throttled even when this policy is set. ### Percentage of Maximum Download Bandwidth @@ -215,19 +215,19 @@ This setting specifies the maximum download bandwidth that Delivery Optimization ### Max Upload Bandwidth -This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0" or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. +This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). **The default value is "0" or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it doesn't cap the upload bandwidth rate at a set rate. ### Set Business Hours to Limit Background Download Bandwidth -Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy is not set.** +Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy isn't set.** ### Set Business Hours to Limit Foreground Download Bandwidth -Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy is not set.** +Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy isn't set.** ### Select a method to restrict peer selection -Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there is no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**. +Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**. If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). @@ -235,21 +235,21 @@ The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered polic ### Delay background download from HTTP (in secs) -Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.** +Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.** ### Delay foreground download from HTTP (in secs) -Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.** +Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy isn't set.** ### Delay Foreground Download Cache Server Fallback (in secs) -Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy is not set.** +Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If the 'Delay foreground download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.** -By default this policy is not set. So, +By default this policy isn't set. So, ### Delay Background Download Cache Server Fallback (in secs) -Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If the 'Delay background download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy is not set.** +Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If the 'Delay background download from HTTP' policy is set, it will apply first (to allow downloads from peers) and then this policy will be applied. **By default, this policy isn't set.** ### Minimum Background QoS @@ -265,7 +265,7 @@ This setting specifies the total amount of data in gigabytes that a Delivery Opt ### Enable Peer Caching while the device connects via VPN -This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering is not allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. +This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. ### Allow uploads while the device is on battery while under set Battery level @@ -280,7 +280,7 @@ The device can download from peers while on battery regardless of this policy. Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** >[!IMPORTANT] -> Any value will signify that the policy is set. For example, an empty string ("") is not considered empty. +> Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty. ### Cache Server Hostname Source diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 1a9aa58c09..e1b05ae914 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -25,7 +25,7 @@ ms.date: 12/19/2022 You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. -You will find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**. +You'll find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**. Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows). @@ -56,13 +56,13 @@ Quick-reference table: | Use case | Policy | Recommended value | Reason | | --- | --- | --- | --- | | Hub & spoke topology | Download mode | 1 or 2 | Automatic grouping of peers to match your topology | -| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Leverage peers-to-peer capability in more downloads | +| Sites with > 30 devices | Minimum file size to cache | 10 MB (or 1 MB) | Use peers-to-peer capability in more downloads | | Large number of mobile devices | Allow uploads on battery power | 60% | Increase # of devices that can upload while limiting battery drain | | Labs with AC-powered devices | Content expiration | 7 (up to 30) days | Leverage devices that can upload more for a longer period | ### Hybrid WAN scenario -For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies are not set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy. +For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies aren't set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider other options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy. To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 6a2cf4f44b..392afbe49b 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -25,7 +25,7 @@ ms.date: 12/31/2017 Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is an HTTP downloader with a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network and/or a caching server) in addition to the traditional Internet-based servers. You can use Delivery Optimization with [Windows Update](../update/how-windows-update-works.md), Windows Server Update Services (WSUS), [Microsoft Intune/Windows Update for Business](/mem/intune/configuration/delivery-optimization-windows), or [Microsoft Configuration Manager](/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization) (when installation of Express Updates is enabled). -To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtain from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. +To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md index 75673f3bad..4e180edeec 100644 --- a/windows/deployment/do/waas-optimize-windows-10-updates.md +++ b/windows/deployment/do/waas-optimize-windows-10-updates.md @@ -30,7 +30,7 @@ Two methods of peer-to-peer content distribution are available. Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources and the time it takes for clients to retrieve the updates. -- [BranchCache](../update/waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. +- [BranchCache](../update/waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, and in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. >[!NOTE] >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. From b4e26a4421eb34aee9202838ecda2603fb2c8fa0 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Mon, 30 Jan 2023 09:38:15 -0700 Subject: [PATCH 12/66] Delay option --- .../deployment/do/waas-delivery-optimization-reference.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index a1e2a540e9..d157cc4cd5 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -59,10 +59,10 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. | | [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | Default isn't set. | | [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. | -| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. | -| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, Use this policy to delay the fallback to the HTTP source. | -| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For cached content (using Microsoft Connected Cache) Use this policy to delay the fallback to the HTTP source. | -| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For cached content (using Microsoft Connected Cache).| +| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#delay-options) about the different delay options. | +| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#delay-options) about the different delay options.| +| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source.[Learn more](#delay-options) about the different delay options. | +| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#delay-options) about the different delay options.| | [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | Default is it has no value. | | [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | Default is it has no value. | From 673966f17ce2d844ee4d8d5140df7df957eca641 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Mon, 30 Jan 2023 14:42:26 -0700 Subject: [PATCH 13/66] Addressed feedback --- .../do/waas-delivery-optimization-reference.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index d157cc4cd5..57c4c8f3ef 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -46,9 +46,6 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Absolute max cache size (in GBs)](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | Default value is 10 GB.| | [Modify cache drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | Default to the operating system drive through the %SYSTEMDRIVE% environment variable. | | [Minimum peer caching content file size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | Default file size is 50 MB. | -| [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | -| [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004; use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | -| [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) | Default is '0' (unlimited). | | [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value is 20 GB. | | [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Default value is 500 KB/s. | | [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. | @@ -61,10 +58,13 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. | | [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#delay-options) about the different delay options. | | [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#delay-options) about the different delay options.| -| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source.[Learn more](#delay-options) about the different delay options. | -| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#delay-options) about the different delay options.| +| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source.[Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. | +| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.| | [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | Default is it has no value. | | [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | Default is it has no value. | +| [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | +| [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | +| [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) | Default is '0' (unlimited). | ### More detail on Delivery Optimization settings @@ -98,16 +98,16 @@ More options available that control the impact Delivery Optimization has on your - [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. - [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. -#### Delay options +#### Policies to prioritize the use of Peer-to-Peer and Cache Server sources -There are four settings that allow you to control the default behavior and delay access to the HTTP source. The goal of these settings is to provide fine tuning to a particular network's needs to potentially increase the success rate of pulling content from local sources (either from peer or Microsoft Connected Cache). To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. However, the following delay settings can be used to alter this behavior. +When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to both MCC and peers in parallel. If the desired content can’t be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source which is the default behavior. -##### Peer-to-peer delay settings +##### Peer-to-peer delay fallback settings - [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. - [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. -##### Microsoft Connected Cache (MCC) delay settings +##### Microsoft Connected Cache (MCC) delay fallback settings - [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use a cache server. - [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use a cache server. From 89aa7cb96775d0eee2ddf543718ceb66e1004a2a Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Mon, 30 Jan 2023 14:52:49 -0700 Subject: [PATCH 14/66] Fix link --- .../deployment/do/waas-delivery-optimization-reference.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 57c4c8f3ef..90d7584254 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -56,9 +56,9 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 | Default is '0' which will dynamically adjust. | | [Set hours to limit background download bandwidth](#set-business-hours-to-limit-background-download-bandwidth) | DOSetHoursToLimitBackgroundDownloadBandwidth | 1803 | Default isn't set. | | [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. | -| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#delay-options) about the different delay options. | -| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#delay-options) about the different delay options.| -| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source.[Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. | +| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. | +| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.| +| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. | | [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.| | [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | Default is it has no value. | | [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | Default is it has no value. | From cba0f67beeae8c559d9d5aae2ed58e152ca8473c Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 31 Jan 2023 10:41:44 -0700 Subject: [PATCH 15/66] Improvements to accuracy and consistency --- .../do/waas-delivery-optimization-reference.md | 14 ++++++-------- .../deployment/do/waas-delivery-optimization.md | 2 +- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 90d7584254..de02622be1 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -47,7 +47,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Modify cache drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | Default to the operating system drive through the %SYSTEMDRIVE% environment variable. | | [Minimum peer caching content file size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | Default file size is 50 MB. | | [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value is 20 GB. | -| [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Default value is 500 KB/s. | +| [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Recommend setting this to 500 KB/s. Default value is 2500 KB/s. | | [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. | | [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery. | | [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. | @@ -62,9 +62,9 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.| | [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | Default is it has no value. | | [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | Default is it has no value. | -| [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | -| [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (removed in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | -| [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (removed in Windows 10, version 2004) | Default is '0' (unlimited). | +| [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | +| [Percentage of maximum download bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | +| [Maximum upload bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 (deprecated in Windows 10, version 2004) | Default is '0' (unlimited). | ### More detail on Delivery Optimization settings @@ -88,15 +88,13 @@ More options available that control the impact Delivery Optimization has on your - [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) control the download bandwidth used by Delivery Optimization. - [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. - [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month. -- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This setting adjusts the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. +- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This setting adjusts the amount of data downloaded directly from HTTP sources, rather than other peers in the network. - [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the **maximum foreground download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth. - [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the **maximum background download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth. - [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - [Select a method to restrict Peer Selection](#select-a-method-to-restrict-peer-selection) restricts peer selection by the options you select. - [Select the source of Group IDs](#select-the-source-of-group-ids) restricts peer selection to a specific source. -- [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. -- [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. #### Policies to prioritize the use of Peer-to-Peer and Cache Server sources @@ -253,7 +251,7 @@ Starting in Windows 10, version 1903, set this policy to delay the fallback from ### Minimum Background QoS -This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. The lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. **The default value is 500 KB/s.** +This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from HTTP sources . The lower this value is, the more content will be sourced using peers on the network rather than HTTP sources. The higher this value, the more content is received from HTTP sources, versus peers on the local network. **The default value is 2500 KB/s.** ### Modify Cache Drive diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 392afbe49b..8822848821 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -23,7 +23,7 @@ ms.date: 12/31/2017 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). -Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is an HTTP downloader with a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network and/or a caching server) in addition to the traditional Internet-based servers. You can use Delivery Optimization with [Windows Update](../update/how-windows-update-works.md), Windows Server Update Services (WSUS), [Microsoft Intune/Windows Update for Business](/mem/intune/configuration/delivery-optimization-windows), or [Microsoft Configuration Manager](/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization) (when installation of Express Updates is enabled). +Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is an HTTP downloader with a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network and/or a caching server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization with [Windows Update](../update/how-windows-update-works.md), Windows Server Update Services (WSUS), [Microsoft Intune/Windows Update for Business](/mem/intune/configuration/delivery-optimization-windows), or [Microsoft Configuration Manager](/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization) (when installation of Express Updates is enabled). To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. From 8a6870022a509805935de64b34c6867fa8a56dbe Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 1 Feb 2023 11:04:50 -0800 Subject: [PATCH 16/66] fix MicrosoftDocs/windows-itpro-docs#11311 --- windows/deployment/do/waas-delivery-optimization-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index e1b05ae914..505d7188e7 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -112,7 +112,7 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. -[[DO status](images/UC_workspace_DO_status.png)](images/UC_workspace_DO_status.png#lightbox) +:::image type="content" source="images/UC_workspace_DO_status.png" alt-text="Delivery Optimization status in Update Compliance" lightbox="images/UC_workspace_DO_status.png"::: For details, see [Delivery Optimization in Update Compliance](../update/update-compliance-delivery-optimization.md). From eca3229f1e0fb7c99a54afa76354742c2116d4fb Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 8 Feb 2023 11:30:33 -0800 Subject: [PATCH 17/66] diag data edits --- .../update/wufb-reports-prerequisites.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index cbd081c2c7..50612cb4e0 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md @@ -49,17 +49,20 @@ Windows Update for Business reports supports Windows client devices on the follo ## Diagnostic data requirements -At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). Some queries in Windows Update for Business reports require devices to send diagnostic data at the following levels: +At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). + +Some queries in Windows Update for Business reports require devices to send diagnostic data at the following levels: - *Optional* level (previously *Full*) for Windows 11 devices - *Enhanced* level for Windows 10 devices - > [!Note] - > Device names don't appear in Windows Update for Business reports unless you individually opt-in devices by using policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names: - > - CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) - > - Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds** +Device names don't appear in Windows Update for Business reports unless you individually opt-in devices by using a policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names: -For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). + + - CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) + - Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds** + + Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. For more information about data handling and privacy for Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) and [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data). ## Data transmission requirements From 3dc471638c81d75d88441797a78e57eee2a2656a Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 8 Feb 2023 11:37:04 -0800 Subject: [PATCH 18/66] diag data edits --- windows/deployment/update/wufb-reports-prerequisites.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index 50612cb4e0..035a903b5a 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md @@ -6,7 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.topic: article -ms.date: 11/15/2022 +ms.date: 02/10/2023 ms.technology: itpro-updates --- @@ -51,9 +51,9 @@ Windows Update for Business reports supports Windows client devices on the follo At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). -Some queries in Windows Update for Business reports require devices to send diagnostic data at the following levels: +For some queries, such as Windows 11 eligibility reporting, Windows Update for Business reports requires devices to send diagnostic data at the following levels: -- *Optional* level (previously *Full*) for Windows 11 devices +- *Optional* level for Windows 11 devices (previously *Full*) - *Enhanced* level for Windows 10 devices Device names don't appear in Windows Update for Business reports unless you individually opt-in devices by using a policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names: From 43ab367f346738c86077a72905990050291d334b Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 8 Feb 2023 12:54:21 -0800 Subject: [PATCH 19/66] diag data edits --- .../deployment/update/wufb-reports-configuration-script.md | 6 +----- windows/deployment/update/wufb-reports-help.md | 7 +------ 2 files changed, 2 insertions(+), 11 deletions(-) diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md index 784ab095bd..a521c8c546 100644 --- a/windows/deployment/update/wufb-reports-configuration-script.md +++ b/windows/deployment/update/wufb-reports-configuration-script.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.localizationpriority: medium ms.topic: article -ms.date: 11/15/2022 +ms.date: 02/10/2023 ms.technology: itpro-updates --- @@ -43,10 +43,6 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru 1. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`. 1. If there are issues, gather the logs and provide them to Microsoft Support. -## Verify device configuration - - -[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-verify-device-configuration.md)] ## Script errors diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md index 378595d1f7..a29bce0bb7 100644 --- a/windows/deployment/update/wufb-reports-help.md +++ b/windows/deployment/update/wufb-reports-help.md @@ -6,7 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.topic: article -ms.date: 11/15/2022 +ms.date: 02/10/2023 ms.technology: itpro-updates --- @@ -87,11 +87,6 @@ To share feedback about the Microsoft Learn platform, see [Microsoft Learn feedb Use the following troubleshooting tips to resolve the most common problems when using Windows Update for Business reports: -### Verify client configuration - - -[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-verify-device-configuration.md)] - ### Ensuring devices are configured correctly to send data The first step in troubleshooting Windows Update for Business reports is ensuring that devices are configured. Review [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md) for the settings. We recommend using the [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) for troubleshooting and configuring devices. From e097b9f1714d560508bcd4a98bad668f8cdcde95 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 8 Feb 2023 14:18:33 -0800 Subject: [PATCH 20/66] diag data edits --- .../includes/wufb-reports-admin-center-permissions.md | 6 +++--- .../deployment/update/includes/wufb-reports-endpoints.md | 6 +++--- .../update/includes/wufb-reports-onboard-admin-center.md | 6 +++--- .../deployment/update/includes/wufb-reports-recommend.md | 4 ++-- .../update/includes/wufb-reports-script-error-codes.md | 6 +++--- .../includes/wufb-reports-verify-device-configuration.md | 6 +++--- .../update/update-compliance-configuration-script.md | 5 +++-- 7 files changed, 20 insertions(+), 19 deletions(-) diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md index 3dc65fd476..457b880be1 100644 --- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md +++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md @@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 08/18/2022 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-reports-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md index 727f6eec4b..1975275322 100644 --- a/windows/deployment/update/includes/wufb-reports-endpoints.md +++ b/windows/deployment/update/includes/wufb-reports-endpoints.md @@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 04/06/2022 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md index 4a9b61242e..5bdb86a402 100644 --- a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md +++ b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md @@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 08/18/2022 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-reports-recommend.md b/windows/deployment/update/includes/wufb-reports-recommend.md index 94e46ac38f..cb825ba528 100644 --- a/windows/deployment/update/includes/wufb-reports-recommend.md +++ b/windows/deployment/update/includes/wufb-reports-recommend.md @@ -2,8 +2,8 @@ author: mestew ms.author: mstewart manager: aaroncz -ms.prod: w10 -ms.collection: M365-modern-desktop +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 12/05/2022 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-reports-script-error-codes.md b/windows/deployment/update/includes/wufb-reports-script-error-codes.md index 6d4248cbb0..5dc0512de0 100644 --- a/windows/deployment/update/includes/wufb-reports-script-error-codes.md +++ b/windows/deployment/update/includes/wufb-reports-script-error-codes.md @@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 08/18/2022 ms.localizationpriority: medium diff --git a/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md b/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md index 1b22ab60cd..5eab6c5de8 100644 --- a/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md +++ b/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md @@ -1,9 +1,9 @@ --- author: mestew ms.author: mstewart -manager: dougeby -ms.prod: w10 -ms.collection: M365-modern-desktop +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client ms.topic: include ms.date: 08/10/2022 ms.localizationpriority: medium diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 2d8e1183db..2e2c5100e7 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -53,6 +53,7 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru [!INCLUDE [Update Compliance script error codes](./includes/wufb-reports-script-error-codes.md)] ## Verify device configuration - -[!INCLUDE [Endpoints for Update Compliance](./includes/wufb-reports-verify-device-configuration.md)]: + + +[!INCLUDE [Endpoints for Update Compliance](./includes/wufb-reports-verify-device-configuration.md)] From fa98990ab523ab4ff3c0d902341046fe65eb1b36 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 8 Feb 2023 15:11:58 -0800 Subject: [PATCH 21/66] diag data edits --- windows/deployment/update/includes/wufb-reports-recommend.md | 3 ++- windows/deployment/update/update-compliance-privacy.md | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/includes/wufb-reports-recommend.md b/windows/deployment/update/includes/wufb-reports-recommend.md index cb825ba528..cd8a433ab6 100644 --- a/windows/deployment/update/includes/wufb-reports-recommend.md +++ b/windows/deployment/update/includes/wufb-reports-recommend.md @@ -11,4 +11,5 @@ ms.localizationpriority: medium > [!Important] -> Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology). +> - Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology). +> - Changes have been made to the Windows diagnostic data processor configuration. For more information, see [Windows diagnostic data processor changes](/windows/deployment/update/windows-diagnostic-data-processor-changes). diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md index 72b284c0c6..c99c4f7dc8 100644 --- a/windows/deployment/update/update-compliance-privacy.md +++ b/windows/deployment/update/update-compliance-privacy.md @@ -17,6 +17,10 @@ ms.date: 12/31/2017 - Windows 10 - Windows 11 + +[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)] + + Update Compliance is fully committed to privacy, centering on these tenets: - **Transparency:** Windows client diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview) for details). From a3ec41cab09b6db105465e7dc18c89ddbb7e01ad Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 9 Feb 2023 15:29:25 -0800 Subject: [PATCH 22/66] revise warning --- .../includes/microsoft-365-ie-end-of-support.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md index 912ce707bd..3a2d3f0a8f 100644 --- a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md +++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md @@ -1,7 +1,7 @@ --- author: aczechowski ms.author: aaroncz -ms.date: 12/16/2022 +ms.date: 02/14/2023 ms.reviewer: cathask manager: aaroncz ms.prod: ie11 @@ -9,8 +9,4 @@ ms.topic: include --- > [!WARNING] -> **Update:** The retired, out-of-support Internet Explorer 11 desktop application is scheduled to be permanently disabled through a Microsoft Edge update on certain versions of Windows 10 on February 14, 2023. -> -> We highly recommend setting up IE mode in Microsoft Edge and disabling IE11 prior to this date to ensure your organization does not experience business disruption. -> -> For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq). +> **Update:** The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10. For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq). From d8afcbc46a3dfdf93349d93d028385348d9c9dd1 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 9 Feb 2023 15:39:08 -0800 Subject: [PATCH 23/66] switch to caution --- .../includes/microsoft-365-ie-end-of-support.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md index 3a2d3f0a8f..2ba0956295 100644 --- a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md +++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md @@ -8,5 +8,5 @@ ms.prod: ie11 ms.topic: include --- -> [!WARNING] +> [!CAUTION] > **Update:** The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10. For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq). From 76d08a51ca167afe834be2e46f6cc97af34439ef Mon Sep 17 00:00:00 2001 From: noamhadash <101192108+noamhadash@users.noreply.github.com> Date: Sun, 12 Feb 2023 10:03:47 +0200 Subject: [PATCH 24/66] Update windowsadvancedthreatprotection-csp.md introducing a new settings in the "Configuration" branch of WDATP branch which will be populated by the Intune agent. updated all elements in the doc per the planned update --- .../mdm/windowsadvancedthreatprotection-csp.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 917d96da7b..c2440b73fd 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -40,6 +40,7 @@ WindowsAdvancedThreatProtection ----Configuration --------SampleSharing --------TelemetryReportingFrequency +--------AadDdeviceId ----Offboarding ----DeviceTagging --------Group @@ -113,6 +114,11 @@ The following list shows the supported values: Supported operations are Get and Replace. +**Configuration/AadDeviceId** +Returns or sets the Intune's reported known AadDeviceId for the machine + +Supported operations are Get and Replace. + **Offboarding** Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. @@ -217,6 +223,16 @@ Supported operations are Get and Replace. + + 7 + + + + ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/AadDeviceId + + + + 11 From ed14fb46e858ca7206f960490c1adba60b802335 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 13 Feb 2023 10:39:43 -0800 Subject: [PATCH 25/66] revise and add 7600331 note --- windows/whats-new/windows-11-requirements.md | 113 +++++++++++-------- 1 file changed, 69 insertions(+), 44 deletions(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 4a63cc1f7c..3ad360f671 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -1,16 +1,15 @@ --- title: Windows 11 requirements -description: Hardware requirements to deploy Windows 11 +description: Hardware requirements to deploy Windows 11. manager: aaroncz author: mestew ms.author: mstewart ms.prod: windows-client ms.localizationpriority: medium ms.topic: article -ms.custom: seo-marvel-apr2020 ms.collection: highpri ms.technology: itpro-fundamentals -ms.date: 12/31/2017 +ms.date: 02/13/2023 --- # Windows 11 requirements @@ -19,51 +18,63 @@ ms.date: 12/31/2017 - Windows 11 -This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support). +This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support). ## Hardware requirements To install or upgrade to Windows 11, devices must meet the following minimum hardware requirements: - -- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC). -- RAM: 4 gigabytes (GB) or greater. -- Storage: 64 GB\* or greater available storage is required to install Windows 11. - - Extra storage space might be required to download updates and enable specific features. -- Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. -- System firmware: UEFI, Secure Boot capable. -- TPM: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0. -- Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. -- Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be more requirements over time for updates, and to enable specific features within the operating system. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). +- **Processor**: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](/windows-hardware/design/minimum/windows-processor-requirements) or system on a chip (SoC). -Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). +- **Memory**: 4 gigabytes (GB) or greater. -For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). +- **Storage**: 64 GB [Note 1](#bkmk_note1) or greater available disk space. -## Operating system requirements +- **Graphics card**: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. + +- **System firmware**: UEFI, Secure Boot capable. + +- **TPM**: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0. + +- **Display**: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. + +- **Internet connection**: Internet connectivity is necessary to perform updates, and to download and use some features. + + - Windows 11 Home edition requires an internet connection and a Microsoft Account to complete device setup on first use. + + + +> [!NOTE] +> **Note 1: Storage** +> There might be more storage requirements over time for updates, and to enable specific features within the OS. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). + +For more information, see the following Windows Insider blog post: [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). + +For more information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). + +## OS requirements Eligible Windows 10 devices must be on version 2004 or later, and have installed the September 14, 2021 security update or later, to upgrade directly to Windows 11. > [!NOTE] -> S mode is only supported on the Home edition of Windows 11. -> If you are running a different edition of Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
 
-> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. +> +> - S mode is only supported on the Home edition of Windows 11. +> - If you're running a different edition of Windows in S mode, before upgrading to Windows 11, first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode). +> - To switch a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you can't switch back to S mode later. ## Feature-specific requirements -Some features in Windows 11 have requirements beyond those requirements listed above. See the following list of features and associated requirements. +Some features in Windows 11 have requirements beyond the minimum [hardware requirements](#hardware-requirements). - **5G support**: requires 5G capable modem. - **Auto HDR**: requires an HDR monitor. -- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. -- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. +- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. +- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and greater. - **Cortana**: requires a microphone and speaker and is currently available on Windows 11 for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. - **DirectStorage**: requires an NVMe SSD to store and run games that use the Standard NVM Express Controller driver and a DirectX12 GPU with Shader Model 6.0 support. - **DirectX 12 Ultimate**: available with supported games and graphics chips. - **Presence**: requires sensor that can detect human distance from device or intent to interact with device. -- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output) +- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output). - **Multiple Voice Assistant**: requires a microphone and speaker. - **Snap**: three-column layouts require a screen that is 1920 effective pixels or greater in width. - **Mute** and **unmute**: from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute. @@ -76,35 +87,49 @@ Some features in Windows 11 have requirements beyond those requirements listed a - **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. - **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. -- **Xbox app**: requires an Xbox Live account, which isn't available in all regions. Go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. +- **Xbox app**: requires an Xbox Live account, which isn't available in all regions. Go to the Xbox Live *Countries and Regions* page for the most up-to-date information on availability. Some features in the Xbox app require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. ## Virtual machine support -The following configuration requirements apply to VMs running Windows 11. +The following configuration requirements apply to VMs running Windows 11. -- Generation: 2 \* -- Storage: 64 GB or greater -- Security: - - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled - - Hyper-V: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager) - - General settings: Secure boot capable, virtual TPM enabled -- Memory: 4 GB or greater -- Processor: Two or more virtual processors +- **Generation**: 2 [Note 2](#bkmk_note2) -The VM host CPU must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements). +- **Storage**: 64 GB or greater disk space. -\* In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible. +- **Security**: + + - **Azure**: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled. + - **Hyper-V**: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager). + + - General settings: Secure boot capable, virtual TPM enabled. + +- **Memory**: 4 GB or greater. + +- **Processor**: Two or more virtual processors. + + - The VM host processor must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements). [Note 3](#bkmk_note2) + + Procedures to configure required VM settings depend on the VM host type. For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in the BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version. + + > [!NOTE] -> Procedures to configure required VM settings depend on the VM host type. For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version. +> **Note 2: VM generation** +> In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible. + + + +> [!NOTE] +> **Note 3: VM host processor** +> There may be some instances where this requirement for the VM host doesn't apply. For more information, see [SMC article title TBD](https://support.microsoft.com). ## Next steps -[Plan for Windows 11](windows-11-plan.md)
-[Prepare for Windows 11](windows-11-prepare.md) +- [Plan for Windows 11](windows-11-plan.md) +- [Prepare for Windows 11](windows-11-prepare.md) ## See also -[Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
-[What's new in Windows 11 overview](/windows/whats-new/windows-11-overview) - +- [Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) +- [What's new in Windows 11 overview](/windows/whats-new/windows-11-overview) From 28d92b552261cd01b9307fab1ce23b434ae8da5d Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 13 Feb 2023 10:57:48 -0800 Subject: [PATCH 26/66] revise notes --- windows/whats-new/windows-11-requirements.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 3ad360f671..983b9c9fb9 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -46,6 +46,7 @@ To install or upgrade to Windows 11, devices must meet the following minimum har > [!NOTE] > **Note 1: Storage** +> > There might be more storage requirements over time for updates, and to enable specific features within the OS. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). For more information, see the following Windows Insider blog post: [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). @@ -116,12 +117,14 @@ The following configuration requirements apply to VMs running Windows 11. > [!NOTE] > **Note 2: VM generation** +> > In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible. > [!NOTE] > **Note 3: VM host processor** +> > There may be some instances where this requirement for the VM host doesn't apply. For more information, see [SMC article title TBD](https://support.microsoft.com). ## Next steps From 3f563591a6c0b7a0493a6c38aec6d87e14d69430 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 13 Feb 2023 11:17:25 -0800 Subject: [PATCH 27/66] fix dupe heading --- ...-the-application-user-model-id-of-an-installed-app.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 6ff2246977..2a9bbd1494 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -41,7 +41,7 @@ foreach ($app in $installedapps) $aumidList ``` -You can add the –user <username> or the –allusers parameters to the get-AppxPackage cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the –user or –allusers parameters. +You can add the `-user ` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters. ## To find the AUMID by using File Explorer @@ -63,7 +63,7 @@ At a command prompt, type the following command: `reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"` -## Example +### Example to get AUMIDs of the installed apps for the specified user The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user. @@ -105,14 +105,14 @@ The following Windows PowerShell commands demonstrate how you can call the listA # Get a list of AUMIDs for the current account: listAumids -# Get a list of AUMIDs for an account named “CustomerAccount”: +# Get a list of AUMIDs for an account named "CustomerAccount": listAumids("CustomerAccount") # Get a list of AUMIDs for all accounts on the device: listAumids("allusers") ``` -## Example +### Example to get the AUMID of any application in the Start menu The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu. @@ -148,4 +148,3 @@ Get-AppAUMID -AppName Word # List all apps and their AUMID in the Start menu Get-AppAUMID ``` - From 071d91b7c714c26a6f7e36176d16f5d927ead077 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 13 Feb 2023 11:36:26 -0800 Subject: [PATCH 28/66] add tier for highpri articles --- .../configure-windows-10-taskbar.md | 10 +++++----- .../customize-and-export-start-layout.md | 19 ++++++++++--------- .../customize-start-menu-layout-windows-11.md | 4 +++- .../customize-taskbar-windows-11.md | 6 ++++-- ...-10-start-screens-by-using-group-policy.md | 6 ++++-- ...ation-user-model-id-of-an-installed-app.md | 4 +++- .../guidelines-for-assigned-access-app.md | 13 ++++++------- windows/configuration/index.yml | 3 ++- windows/configuration/kiosk-single-app.md | 8 +++++--- .../lock-down-windows-10-to-specific-apps.md | 12 +++++++----- .../provisioning-install-icd.md | 8 +++++--- .../provisioning-packages.md | 8 +++++--- ...op-employees-from-using-microsoft-store.md | 6 ++++-- ...ws-10-start-layout-options-and-policies.md | 10 ++++++---- windows/configuration/windows-spotlight.md | 10 ++++++---- 15 files changed, 75 insertions(+), 52 deletions(-) diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index a90fd2bb19..cbdc9361aa 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -1,10 +1,7 @@ --- -title: Configure Windows 10 taskbar (Windows 10) +title: Configure Windows 10 taskbar description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -keywords: [taskbar layout, pin apps] ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library author: lizgt2000 ms.author: lizlong ms.topic: article @@ -12,9 +9,12 @@ ms.localizationpriority: medium ms.date: 01/18/2018 ms.reviewer: manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure --- + # Configure Windows 10 taskbar Starting in Windows 10, version 1607, administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 77f7406fb8..edd95b2265 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -1,5 +1,5 @@ --- -title: Customize and export Start layout (Windows 10) +title: Customize and export Start layout description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. ms.reviewer: manager: aaroncz @@ -9,20 +9,21 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 09/18/2018 -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.technology: itpro-configure --- # Customize and export Start layout - **Applies to** -- Windows 10 +- Windows 10 >**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. +The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout. @@ -31,7 +32,7 @@ When a full Start layout is applied, the users cannot pin, unpin, or uninstall a When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. >[!NOTE] ->Partial Start layout is only supported on Windows 10, version 1511 and later. +>Partial Start layout is only supported on Windows 10, version 1511 and later. @@ -49,7 +50,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a **To prepare a test computer** -1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. +1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users' computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. 2. Create a new user account that you will use to customize the Start layout. @@ -63,7 +64,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a To view all apps, click **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start. - - **Unpin apps** that you don’t want to display. To unpin an app, right-click the app, and then click **Unpin from Start**. + - **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then click **Unpin from Start**. - **Drag tiles** on Start to reorder or group apps. @@ -89,7 +90,7 @@ When you have the Start layout that you want your users to see, use the [Export- 2. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command: - `Export-StartLayout –path .xml` + `Export-StartLayout -path .xml` On a device running Windows 10, version 1809 or higher, run the **Export-StartLayout** with the switch **-UseDesktopApplicationID**. For example: diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index f043da3ecb..0fa0a01630 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/customize-start-menu-layout-windows-11.md @@ -7,7 +7,9 @@ ms.author: lizlong ms.reviewer: ericpapa ms.prod: windows-client ms.localizationpriority: medium -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.technology: itpro-configure ms.date: 01/10/2023 ms.topic: article diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index a630b2ac0b..dfcaee8191 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md @@ -1,5 +1,5 @@ --- -title: Configure and customize Windows 11 taskbar | Microsoft Docs +title: Configure and customize Windows 11 taskbar description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Intune. See what happens to the taskbar when the Windows OS client is installed or upgraded. manager: aaroncz ms.author: lizlong @@ -7,7 +7,9 @@ ms.reviewer: chataylo ms.prod: windows-client author: lizgt2000 ms.localizationpriority: medium -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.technology: itpro-configure ms.date: 12/31/2017 ms.topic: article diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index baffd2a688..40b7d5daac 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -1,5 +1,5 @@ --- -title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10) +title: Customize Windows 10 Start and taskbar with group policy description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.reviewer: manager: aaroncz @@ -8,7 +8,9 @@ author: lizgt2000 ms.localizationpriority: medium ms.author: lizlong ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 2a9bbd1494..ee9ad89242 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -8,7 +8,9 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.prod: windows-client -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 48abdda3c1..f1159c1544 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -1,17 +1,16 @@ --- -title: Guidelines for choosing an app for assigned access (Windows 10/11) +title: Guidelines for choosing an app for assigned access description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. -keywords: [kiosk, lockdown, assigned access] ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library author: lizgt2000 ms.localizationpriority: medium ms.author: lizlong ms.topic: article ms.reviewer: sybruckm manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure ms.date: 12/31/2017 --- @@ -50,7 +49,7 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) -In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. +In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website. >[!NOTE] >Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. @@ -155,7 +154,7 @@ You can create your own web browser Windows app by using the WebView class. Lear ## Secure your information -Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. +Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. ## App configuration diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index fe0ebfbafc..2891f614c0 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Configure Windows client # < 60 chars -summary: Find out how to apply custom configurations to Windows 10 and Windows 11 devices. Windows 10 provides many features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars +summary: Find out how to apply custom configurations to Windows client devices. Windows provides many features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars metadata: title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -10,6 +10,7 @@ metadata: ms.prod: windows-client ms.collection: - highpri + - tier1 author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 3724425208..d48592fdfc 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -1,6 +1,6 @@ --- -title: Set up a single-app kiosk on Windows 10/11 -description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education). +title: Set up a single-app kiosk on Windows +description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions. ms.reviewer: sybruckm manager: aaroncz ms.author: lizlong @@ -8,7 +8,9 @@ ms.prod: windows-client author: lizgt2000 ms.localizationpriority: medium ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 5e74a0ca9d..800e7781f6 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -9,7 +9,9 @@ manager: aaroncz ms.reviewer: sybruckm ms.localizationpriority: medium ms.topic: how-to -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.date: 12/31/2017 --- @@ -247,7 +249,7 @@ A few things to note here: - The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration. - Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout. - There are no apps pinned on the taskbar in the multi-app mode, and it's not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration. -- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). +- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn't have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start: @@ -284,7 +286,7 @@ The following example pins Groove Music, Movies & TV, Photos, Weather, Calculato ##### Taskbar -Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. +Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. The following example exposes the taskbar to the end user: @@ -607,7 +609,7 @@ Lock the Taskbar | Enabled Prevent users from adding or removing toolbars | Enabled Prevent users from resizing the taskbar | Enabled Remove frequent programs list from the Start Menu | Enabled -Remove ‘Map Network Drive’ and ‘Disconnect Network Drive’ | Enabled +Remove 'Map Network Drive' and 'Disconnect Network Drive' | Enabled Remove the Security and Maintenance icon | Enabled Turn off all balloon notifications | Enabled Turn off feature advertisement balloon notifications | Enabled @@ -615,7 +617,7 @@ Turn off toast notifications | Enabled Remove Task Manager | Enabled Remove Change Password option in Security Options UI | Enabled Remove Sign Out option in Security Options UI | Enabled -Remove All Programs list from the Start Menu | Enabled – Remove and disable setting +Remove All Programs list from the Start Menu | Enabled - Remove and disable setting Prevent access to drives from My Computer | Enabled - Restrict all drivers >[!NOTE] diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index c77e2f658e..8796ceac18 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -1,14 +1,16 @@ --- -title: Install Windows Configuration Designer (Windows 10/11) +title: Install Windows Configuration Designer description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. ms.prod: windows-client author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium -ms.reviewer: gkomatsu +ms.reviewer: kevinsheehan manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 4f0004d334..a6fac6c279 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -1,14 +1,16 @@ --- -title: Provisioning packages overview on Windows 10/11 +title: Provisioning packages overview description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. -ms.reviewer: gkomatsu +ms.reviewer: kevinsheehan manager: aaroncz ms.prod: windows-client author: lizgt2000 ms.author: lizlong ms.topic: article ms.localizationpriority: medium -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure ms.date: 12/31/2017 --- diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 3ebc98f62f..9d33ff603e 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -1,5 +1,5 @@ --- -title: Configure access to Microsoft Store (Windows 10) +title: Configure access to Microsoft Store description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization. ms.reviewer: manager: aaroncz @@ -9,7 +9,9 @@ ms.author: lizlong ms.topic: conceptual ms.localizationpriority: medium ms.date: 11/29/2022 -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure --- diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index eec297b628..a3d8dd29c1 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -1,5 +1,5 @@ --- -title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs +title: Customize and manage the Windows 10 Start and taskbar layout description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more. ms.reviewer: manager: aaroncz @@ -9,7 +9,9 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 08/05/2021 -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure --- @@ -25,7 +27,7 @@ ms.technology: itpro-configure > > **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). -Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default. +Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default. >[!NOTE] >Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. @@ -215,7 +217,7 @@ On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events: -- **Event 22**: The XML is malformed. The specified file isn’t valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format. +- **Event 22**: The XML is malformed. The specified file isn't valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format. - **Event 64**: The XML is valid, and has unexpected values. This event can happen when the configuration isn't understood, elements aren't in [the required order](start-layout-xml-desktop.md#required-order), or source isn't found, such as a missing or misspelled `.lnk`. ## Next steps diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index b9bfa40f0f..33bd24bcc8 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Spotlight on the lock screen (Windows 10) +title: Configure Windows Spotlight on the lock screen description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. ms.reviewer: manager: aaroncz @@ -9,7 +9,9 @@ ms.author: lizlong ms.topic: article ms.localizationpriority: medium ms.date: 04/30/2018 -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-configure --- @@ -23,7 +25,7 @@ ms.technology: itpro-configure Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. -For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. +For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. >[!NOTE] @@ -99,4 +101,4 @@ The recommendation for custom lock screen images that include text (such as a le [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) -  + From c212670728cd8ff81c86c2052c233068f00ae863 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 13 Feb 2023 11:38:47 -0800 Subject: [PATCH 29/66] fix blank ms.collection --- windows/configuration/set-up-shared-or-guest-pc.md | 2 +- windows/configuration/shared-devices-concepts.md | 2 +- windows/configuration/shared-pc-technical.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index beda72c25c..41f4968fe9 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -10,7 +10,7 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: manager: aaroncz -ms.collection: +ms.collection: tier2 appliesto: - ✅ Windows 10 - ✅ Windows 11 diff --git a/windows/configuration/shared-devices-concepts.md b/windows/configuration/shared-devices-concepts.md index 19e203f23c..cabee079ab 100644 --- a/windows/configuration/shared-devices-concepts.md +++ b/windows/configuration/shared-devices-concepts.md @@ -10,7 +10,7 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: manager: aaroncz -ms.collection: +ms.collection: tier2 appliesto: - ✅ Windows 10 - ✅ Windows 11 diff --git a/windows/configuration/shared-pc-technical.md b/windows/configuration/shared-pc-technical.md index a84ff0f030..b0d626cff0 100644 --- a/windows/configuration/shared-pc-technical.md +++ b/windows/configuration/shared-pc-technical.md @@ -10,7 +10,7 @@ author: paolomatarazzo ms.author: paoloma ms.reviewer: manager: aaroncz -ms.collection: +ms.collection: tier2 appliesto: - ✅ Windows 10 - ✅ Windows 11 From e5003edf139093cc65dde9d6df5d7ae8e4ba7540 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 13 Feb 2023 11:50:20 -0800 Subject: [PATCH 30/66] set tier1 --- windows/configuration/windows-accessibility-for-ITPros.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md index e019375c50..528e7fcbba 100644 --- a/windows/configuration/windows-accessibility-for-ITPros.md +++ b/windows/configuration/windows-accessibility-for-ITPros.md @@ -9,7 +9,8 @@ ms.reviewer: manager: aaroncz ms.localizationpriority: medium ms.date: 09/20/2022 -ms.topic: reference +ms.topic: conceptual +ms.collection: tier1 appliesto: - ✅ Windows 10 - ✅ Windows 11 From 146dc233809ae13fbd16a5c987cbe0f7bfdf664f Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 13 Feb 2023 11:55:31 -0800 Subject: [PATCH 31/66] set tier3 --- .../configuration/cortana-at-work/cortana-at-work-feedback.md | 1 + windows/configuration/cortana-at-work/cortana-at-work-o365.md | 1 + .../configuration/cortana-at-work/cortana-at-work-overview.md | 1 + .../cortana-at-work/cortana-at-work-policy-settings.md | 1 + .../configuration/cortana-at-work/cortana-at-work-scenario-1.md | 1 + .../configuration/cortana-at-work/cortana-at-work-scenario-2.md | 1 + .../configuration/cortana-at-work/cortana-at-work-scenario-3.md | 1 + .../configuration/cortana-at-work/cortana-at-work-scenario-4.md | 1 + .../configuration/cortana-at-work/cortana-at-work-scenario-5.md | 1 + .../configuration/cortana-at-work/cortana-at-work-scenario-6.md | 1 + .../configuration/cortana-at-work/cortana-at-work-scenario-7.md | 1 + .../cortana-at-work/cortana-at-work-testing-scenarios.md | 1 + .../cortana-at-work/cortana-at-work-voice-commands.md | 1 + .../cortana-at-work/set-up-and-test-cortana-in-windows-10.md | 1 + windows/configuration/cortana-at-work/test-scenario-1.md | 1 + windows/configuration/cortana-at-work/test-scenario-2.md | 1 + windows/configuration/cortana-at-work/test-scenario-3.md | 1 + windows/configuration/cortana-at-work/test-scenario-4.md | 1 + windows/configuration/cortana-at-work/test-scenario-5.md | 1 + windows/configuration/cortana-at-work/test-scenario-6.md | 1 + .../testing-scenarios-using-cortana-in-business-org.md | 1 + .../uev-administering-uev-with-windows-powershell-and-wmi.md | 1 + windows/configuration/ue-v/uev-administering-uev.md | 1 + .../ue-v/uev-application-template-schema-reference.md | 1 + .../ue-v/uev-changing-the-frequency-of-scheduled-tasks.md | 1 + .../ue-v/uev-configuring-uev-with-group-policy-objects.md | 1 + ...v-configuring-uev-with-system-center-configuration-manager.md | 1 + windows/configuration/ue-v/uev-deploy-required-features.md | 1 + .../configuration/ue-v/uev-deploy-uev-for-custom-applications.md | 1 + windows/configuration/ue-v/uev-for-windows.md | 1 + windows/configuration/ue-v/uev-getting-started.md | 1 + .../ue-v/uev-manage-administrative-backup-and-restore.md | 1 + windows/configuration/ue-v/uev-manage-configurations.md | 1 + ...ttings-location-templates-using-windows-powershell-and-wmi.md | 1 + ...ing-uev-agent-and-packages-with-windows-powershell-and-wmi.md | 1 + windows/configuration/ue-v/uev-migrating-settings-packages.md | 1 + windows/configuration/ue-v/uev-prepare-for-deployment.md | 1 + windows/configuration/ue-v/uev-release-notes-1607.md | 1 + windows/configuration/ue-v/uev-security-considerations.md | 1 + windows/configuration/ue-v/uev-sync-methods.md | 1 + windows/configuration/ue-v/uev-sync-trigger-events.md | 1 + .../ue-v/uev-synchronizing-microsoft-office-with-uev.md | 1 + windows/configuration/ue-v/uev-technical-reference.md | 1 + windows/configuration/ue-v/uev-troubleshooting.md | 1 + .../configuration/ue-v/uev-upgrade-uev-from-previous-releases.md | 1 + ...uev-using-uev-with-application-virtualization-applications.md | 1 + windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md | 1 + .../uev-working-with-custom-templates-and-the-uev-generator.md | 1 + 48 files changed, 48 insertions(+) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index c40796bd2a..78ad0b03f2 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -2,6 +2,7 @@ title: Send feedback about Cortana at work back to Microsoft description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index ad09a7c543..399384fb32 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -2,6 +2,7 @@ title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings. ms.prod: windows-client +ms.collection: tier3 ms.mktglfcycl: manage ms.sitesec: library author: aczechowski diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 39e709ad20..cd9bc813a9 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -4,6 +4,7 @@ ms.reviewer: manager: dougeby description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index 90543d9202..0071761fd5 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md @@ -2,6 +2,7 @@ title: Configure Cortana with Group Policy and MDM settings (Windows) description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index 71800954eb..0cf1df4390 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md @@ -2,6 +2,7 @@ title: Sign into Azure AD, enable the wake word, and try a voice query description: A test scenario walking you through signing in and managing the notebook. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index d31430c312..4ba46b4d36 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -2,6 +2,7 @@ title: Perform a quick search with Cortana at work (Windows) description: This scenario is a test scenario about how to perform a quick search with Cortana at work. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md index 48b5bfd328..b2202a902d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md @@ -2,6 +2,7 @@ title: Set a reminder for a location with Cortana at work (Windows) description: A test scenario about how to set a location-based reminder using Cortana at work. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index 0ce5972f23..fcad450ae3 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -2,6 +2,7 @@ title: Use Cortana at work to find your upcoming meetings (Windows) description: A test scenario on how to use Cortana at work to find your upcoming meetings. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md index 0111aba809..94c1edabe4 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md @@ -2,6 +2,7 @@ title: Use Cortana to send email to a co-worker (Windows) description: A test scenario about how to use Cortana at work to send email to a co-worker. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index a6c2d4c3bb..54a1064afb 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md @@ -2,6 +2,7 @@ title: Review a reminder suggested by Cortana (Windows) description: A test scenario on how to use Cortana with the Suggested reminders feature. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md index e8caaf8cf3..a69e0078ff 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md @@ -2,6 +2,7 @@ title: Help protect data with Cortana and WIP (Windows) description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP). ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md index 19dce90d45..63c801e46b 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md @@ -2,6 +2,7 @@ title: Cortana at work testing scenarios description: Suggested testing scenarios that you can use to test Cortana in your organization. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index 26f401808e..ec1abf4d96 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md @@ -2,6 +2,7 @@ title: Set up and test custom voice commands in Cortana for your organization (Windows) description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index 9f38750042..b089b30590 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -4,6 +4,7 @@ ms.reviewer: manager: dougeby description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md index c3456c0ae6..76496df719 100644 --- a/windows/configuration/cortana-at-work/test-scenario-1.md +++ b/windows/configuration/cortana-at-work/test-scenario-1.md @@ -2,6 +2,7 @@ title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md index 2a7d33cdbf..c6a2efd05f 100644 --- a/windows/configuration/cortana-at-work/test-scenario-2.md +++ b/windows/configuration/cortana-at-work/test-scenario-2.md @@ -2,6 +2,7 @@ title: Test scenario 2 - Perform a quick search with Cortana at work description: A test scenario about how to perform a quick search with Cortana at work. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md index 1724baee87..468c4060cc 100644 --- a/windows/configuration/cortana-at-work/test-scenario-3.md +++ b/windows/configuration/cortana-at-work/test-scenario-3.md @@ -2,6 +2,7 @@ title: Test scenario 3 - Set a reminder for a specific location using Cortana at work description: A test scenario about how to set up, review, and edit a reminder based on a location. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md index 8cad2a9dab..d1e98c4409 100644 --- a/windows/configuration/cortana-at-work/test-scenario-4.md +++ b/windows/configuration/cortana-at-work/test-scenario-4.md @@ -2,6 +2,7 @@ title: Use Cortana to find your upcoming meetings at work (Windows) description: A test scenario about how to use Cortana at work to find your upcoming meetings. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md index d3b93dd8a0..fcb33530cc 100644 --- a/windows/configuration/cortana-at-work/test-scenario-5.md +++ b/windows/configuration/cortana-at-work/test-scenario-5.md @@ -2,6 +2,7 @@ title: Use Cortana to send an email to co-worker (Windows) description: A test scenario on how to use Cortana at work to send email to a co-worker. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md index fbd5290713..1090b25b3f 100644 --- a/windows/configuration/cortana-at-work/test-scenario-6.md +++ b/windows/configuration/cortana-at-work/test-scenario-6.md @@ -2,6 +2,7 @@ title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email description: A test scenario about how to use Cortana with the Suggested reminders feature. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md index 701b2f4f58..5f71bbdcec 100644 --- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md +++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md @@ -2,6 +2,7 @@ title: Testing scenarios using Cortana in your business or organization description: A list of suggested testing scenarios that you can use to test Cortana in your organization. ms.prod: windows-client +ms.collection: tier3 author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md index b72c7c7f8d..852b3e4500 100644 --- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md @@ -3,6 +3,7 @@ title: Administering UE-V with Windows PowerShell and WMI description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md index ba28b638f1..b4bfc496ca 100644 --- a/windows/configuration/ue-v/uev-administering-uev.md +++ b/windows/configuration/ue-v/uev-administering-uev.md @@ -3,6 +3,7 @@ title: Administering UE-V description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index e33519a625..a26af56567 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -3,6 +3,7 @@ title: Application Template Schema Reference for UE-V description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md index 627c8b1414..d6cb847dc1 100644 --- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md +++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md @@ -3,6 +3,7 @@ title: Changing the Frequency of UE-V Scheduled Tasks description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md index 9367276244..5942fc45be 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md @@ -3,6 +3,7 @@ title: Configuring UE-V with Group Policy Objects description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index 2f4dadd57a..60273009e8 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md @@ -3,6 +3,7 @@ title: Configuring UE-V with Microsoft Configuration Manager description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Configuration Manager. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index f58d68f203..479a729676 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ b/windows/configuration/ue-v/uev-deploy-required-features.md @@ -3,6 +3,7 @@ title: Deploy required UE-V features description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example, a network share that stores and retrieves user settings. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index 901c9451d1..1d05d369d0 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md @@ -3,6 +3,7 @@ title: Use UE-V with custom applications description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index 8eb556d6e4..f1604d6359 100644 --- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md @@ -3,6 +3,7 @@ title: User Experience Virtualization for Windows 10, version 1607 description: Overview of User Experience Virtualization for Windows 10, version 1607 author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 05/02/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index 825c7597c7..36ce63717c 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -3,6 +3,7 @@ title: Get Started with UE-V description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 03/08/2018 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md index 9f62707fab..22bf076b54 100644 --- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md +++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md @@ -3,6 +3,7 @@ title: Manage Administrative Backup and Restore in UE-V description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md index 6f44c3f7ea..1e594846ab 100644 --- a/windows/configuration/ue-v/uev-manage-configurations.md +++ b/windows/configuration/ue-v/uev-manage-configurations.md @@ -3,6 +3,7 @@ title: Manage Configurations for UE-V description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md index 1ec2b72325..04dae12024 100644 --- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md @@ -3,6 +3,7 @@ title: Managing UE-V Settings Location Templates Using Windows PowerShell and WM description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md index f6f4e14585..4d07a6a09a 100644 --- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md @@ -3,6 +3,7 @@ title: Manage UE-V Service and Packages with Windows PowerShell and WMI description: Managing the UE-V service and packages with Windows PowerShell and WMI author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md index 39539183ca..9c3cebd1a1 100644 --- a/windows/configuration/ue-v/uev-migrating-settings-packages.md +++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md @@ -3,6 +3,7 @@ title: Migrating UE-V settings packages description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index 39acddadd3..5e13281dc1 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md @@ -3,6 +3,7 @@ title: Prepare a UE-V Deployment description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md index b68e1eb3fe..47dfe6e7e7 100644 --- a/windows/configuration/ue-v/uev-release-notes-1607.md +++ b/windows/configuration/ue-v/uev-release-notes-1607.md @@ -3,6 +3,7 @@ title: User Experience Virtualization (UE-V) Release Notes description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that isn't included in the UE-V documentation. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md index 4029c2a043..a91444675f 100644 --- a/windows/configuration/ue-v/uev-security-considerations.md +++ b/windows/configuration/ue-v/uev-security-considerations.md @@ -3,6 +3,7 @@ title: Security Considerations for UE-V description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V). author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md index ddd0e4181c..7d1eeeccb0 100644 --- a/windows/configuration/ue-v/uev-sync-methods.md +++ b/windows/configuration/ue-v/uev-sync-methods.md @@ -3,6 +3,7 @@ title: Sync Methods for UE-V description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md index 6ffa1e76ff..b9571cdf2a 100644 --- a/windows/configuration/ue-v/uev-sync-trigger-events.md +++ b/windows/configuration/ue-v/uev-sync-trigger-events.md @@ -3,6 +3,7 @@ title: Sync Trigger Events for UE-V description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md index 20bedf9737..7851418fe8 100644 --- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md +++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md @@ -3,6 +3,7 @@ title: Synchronizing Microsoft Office with UE-V description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md index 1050b221b6..9d161c1889 100644 --- a/windows/configuration/ue-v/uev-technical-reference.md +++ b/windows/configuration/ue-v/uev-technical-reference.md @@ -3,6 +3,7 @@ title: Technical Reference for UE-V description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V). author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md index d5be7f7710..d2a350b63d 100644 --- a/windows/configuration/ue-v/uev-troubleshooting.md +++ b/windows/configuration/ue-v/uev-troubleshooting.md @@ -3,6 +3,7 @@ title: Troubleshooting UE-V description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md index 5f5127f7ea..78cfb2f9c0 100644 --- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md +++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md @@ -3,6 +3,7 @@ title: Upgrade to UE-V for Windows 10 description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md index 951c1b4ff0..5d02d042ce 100644 --- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md +++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md @@ -3,6 +3,7 @@ title: Using UE-V with Application Virtualization applications description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V). author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md index facd3330f3..157f473f1f 100644 --- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md +++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md @@ -3,6 +3,7 @@ title: What's New in UE-V for Windows 10, version 1607 description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md index 0eaaa0f658..827c6ad3ff 100644 --- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md +++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md @@ -3,6 +3,7 @@ title: Working with Custom UE-V Templates and the UE-V Template Generator description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator. author: aczechowski ms.prod: windows-client +ms.collection: tier3 ms.date: 04/19/2017 ms.reviewer: manager: dougeby From f639960d8fe106dcf5e322c3784fb16465ca7a9b Mon Sep 17 00:00:00 2001 From: Martin Date: Mon, 13 Feb 2023 22:26:13 +0100 Subject: [PATCH 32/66] Clarification on GPO effect on restrictedAdmin My testing shows that Restricted Admin mode cannot be enforced with "mstsc.exe /remoteAdmin" when "Restrict Credential Delegation" is enabled. I had previously assumed this but it seems not to be the case. A clarification would be useful for others. --- windows/security/identity-protection/remote-credential-guard.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index eb1922b3a8..713651da1e 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -156,6 +156,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C > [!NOTE] > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. + > When **Restrict Credential Delegation** is enabled the /restrictedAdmin switch has no effect; consequently, Windows Defender Remote Credential Guard will be preferred. - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic. From 25cf9c63e199afe5368355885e9332bfb64772df Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 13 Feb 2023 18:07:41 -0500 Subject: [PATCH 33/66] Update windows/security/identity-protection/remote-credential-guard.md Co-authored-by: mapalko <20977663+mapalko@users.noreply.github.com> --- windows/security/identity-protection/remote-credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 713651da1e..2876ab9e18 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -156,7 +156,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C > [!NOTE] > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. - > When **Restrict Credential Delegation** is enabled the /restrictedAdmin switch has no effect; consequently, Windows Defender Remote Credential Guard will be preferred. + > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard. - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic. From e571dd72414f751c55858ec76568339bf0cb213f Mon Sep 17 00:00:00 2001 From: noamhadash <101192108+noamhadash@users.noreply.github.com> Date: Tue, 14 Feb 2023 07:51:51 +0200 Subject: [PATCH 34/66] removed HTML bookmarks; replaced with markdowns --- .../windowsadvancedthreatprotection-csp.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index c2440b73fd..fc74d86711 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -49,34 +49,34 @@ WindowsAdvancedThreatProtection The following list describes the characteristics and parameters. -**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection** +**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection** The root node for the Windows Defender Advanced Threat Protection configuration service provider. Supported operation is Get. -**Onboarding** +**Onboarding** Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. The data type is a string. Supported operations are Get and Replace. -**HealthState** +**HealthState** Node that represents the Windows Defender Advanced Threat Protection health state. -**HealthState/LastConnected** +**HealthState/LastConnected** Contains the timestamp of the last successful connection. Supported operation is Get. -**HealthState/SenseIsRunning** +**HealthState/SenseIsRunning** Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. The default value is false. Supported operation is Get. -**HealthState/OnboardingState** +**HealthState/OnboardingState** Represents the onboarding state. Supported operation is Get. @@ -86,15 +86,15 @@ The following list shows the supported values: - 0 (default) – Not onboarded - 1 – Onboarded -**HealthState/OrgId** +**HealthState/OrgId** String that represents the OrgID. Supported operation is Get. -**Configuration** +**Configuration** Represents Windows Defender Advanced Threat Protection configuration. -**Configuration/SampleSharing** +**Configuration/SampleSharing** Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. The following list shows the supported values: @@ -104,7 +104,7 @@ The following list shows the supported values: Supported operations are Get and Replace. -**Configuration/TelemetryReportingFrequency** +**Configuration/TelemetryReportingFrequency** Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency. The following list shows the supported values: @@ -114,31 +114,31 @@ The following list shows the supported values: Supported operations are Get and Replace. -**Configuration/AadDeviceId** +**Configuration/AadDeviceId** Returns or sets the Intune's reported known AadDeviceId for the machine Supported operations are Get and Replace. -**Offboarding** +**Offboarding** Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. The data type is a string. Supported operations are Get and Replace. -**DeviceTagging** +**DeviceTagging** Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. Supported operation is Get. -**DeviceTagging/Group** +**DeviceTagging/Group** Added in Windows 10, version 1709. Device group identifiers. The data type is a string. Supported operations are Get and Replace. -**DeviceTagging/Criticality** +**DeviceTagging/Criticality** Added in Windows 10, version 1709. Asset criticality value. Supported values: - 0 - Normal From 00ef75cd3972ffad5c09095e724a18ec16ad58d1 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 14 Feb 2023 10:47:11 -0800 Subject: [PATCH 35/66] add link, revise notes --- windows/whats-new/windows-11-requirements.md | 36 +++++++------------- 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 983b9c9fb9..3c6653f5b0 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -28,7 +28,10 @@ To install or upgrade to Windows 11, devices must meet the following minimum har - **Memory**: 4 gigabytes (GB) or greater. -- **Storage**: 64 GB [Note 1](#bkmk_note1) or greater available disk space. +- **Storage**: 64 GB or greater available disk space. + + > [!NOTE] + > There might be more storage requirements over time for updates, and to enable specific features within the OS. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). - **Graphics card**: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. @@ -42,13 +45,6 @@ To install or upgrade to Windows 11, devices must meet the following minimum har - Windows 11 Home edition requires an internet connection and a Microsoft Account to complete device setup on first use. - - -> [!NOTE] -> **Note 1: Storage** -> -> There might be more storage requirements over time for updates, and to enable specific features within the OS. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). - For more information, see the following Windows Insider blog post: [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). For more information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). @@ -94,7 +90,10 @@ Some features in Windows 11 have requirements beyond the minimum [hardware requi The following configuration requirements apply to VMs running Windows 11. -- **Generation**: 2 [Note 2](#bkmk_note2) +- **Generation**: 2 + + > [!NOTE] + > In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible. - **Storage**: 64 GB or greater disk space. @@ -109,23 +108,12 @@ The following configuration requirements apply to VMs running Windows 11. - **Processor**: Two or more virtual processors. - - The VM host processor must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements). [Note 3](#bkmk_note2) + - The VM host processor must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements). - Procedures to configure required VM settings depend on the VM host type. For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in the BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version. + > [!NOTE] + > There may be some instances where this requirement for the VM host doesn't apply. For more information, see [Options for using Windows 11 with Mac computers](https://support.microsoft.com/topic/cd15fd62-9b34-4b78-b0bc-121baa3c568c). - - -> [!NOTE] -> **Note 2: VM generation** -> -> In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible. - - - -> [!NOTE] -> **Note 3: VM host processor** -> -> There may be some instances where this requirement for the VM host doesn't apply. For more information, see [SMC article title TBD](https://support.microsoft.com). + - Procedures to configure required VM settings depend on the VM host type. For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in the BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version. ## Next steps From 211cddd5580fcc8ae662054f5ff38d32645640d8 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 14 Feb 2023 11:08:50 -0800 Subject: [PATCH 36/66] add policy considerations include --- .../wufb-deployment-policy-considerations.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 windows/deployment/update/includes/wufb-deployment-policy-considerations.md diff --git a/windows/deployment/update/includes/wufb-deployment-policy-considerations.md b/windows/deployment/update/includes/wufb-deployment-policy-considerations.md new file mode 100644 index 0000000000..d94f08d213 --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-policy-considerations.md @@ -0,0 +1,21 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +## Policy considerations + +It's possible for the service to receive content approval but the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure policies to fit their needs. For instance, they may want to review applicable driver content, but not approve it for install through the deployment service. Configuring this sort of behavior can be useful, especially when transitioning driver update management due to changing organizational needs. + +| Policy | Behavior | +|---|---| +| + + From 8b50acfd07fc8a1ac1aab6cc566dfa6dea1eafe9 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 14 Feb 2023 11:11:14 -0800 Subject: [PATCH 37/66] add camera to redir for msdt --- windows/whats-new/deprecated-features-resources.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md index 419a147e00..e2f67c9051 100644 --- a/windows/whats-new/deprecated-features-resources.md +++ b/windows/whats-new/deprecated-features-resources.md @@ -1,7 +1,7 @@ --- title: Resources for deprecated features in the Windows client description: Resources and details for deprecated features in the Windows Client. -ms.date: 12/10/2022 +ms.date: 02/14/2023 ms.prod: windows-client ms.technology: itpro-fundamentals ms.localizationpriority: medium @@ -33,6 +33,7 @@ The following troubleshooters will automatically be redirected when you access t - Background Intelligent Transfer Service (BITS) - Bluetooth +- Camera - Internet Connections - Network Adapter - Playing Audio From d89e6dca6170db8eeb65aa6162c72a8da29bf870 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 14 Feb 2023 11:51:00 -0800 Subject: [PATCH 38/66] eudb kb edit --- windows/deployment/update/wufb-reports-prerequisites.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index 7a74c64cb4..ace317b4e1 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md @@ -6,7 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.topic: article -ms.date: 02/10/2023 +ms.date: 02/14/2023 ms.technology: itpro-updates --- @@ -49,6 +49,10 @@ Windows Update for Business reports supports Windows client devices on the follo - General Availability Channel - Windows Update for Business reports *counts* Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them. +### Windows operating system updates + +- For [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended + ## Diagnostic data requirements At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). From 9517a3a6159f48d175e387defedbdd3ed9f7f3ac Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 14 Feb 2023 14:29:31 -0700 Subject: [PATCH 39/66] Addressed feedback --- .../do/waas-delivery-optimization-reference.md | 12 +++++++----- .../do/waas-delivery-optimization-setup.md | 9 ++++++++- .../do/waas-delivery-optimization.md | 18 ++++++++++++++---- 3 files changed, 29 insertions(+), 10 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index de02622be1..d1b0a664af 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -85,9 +85,10 @@ All cached files have to be above a set minimum size. This size is automatically More options available that control the impact Delivery Optimization has on your network include the following: -- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) control the download bandwidth used by Delivery Optimization. -- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. -- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month. +- [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) to control the amount of bandwidth for downloading in the background in KB/s. +- [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) to control the amount of bandwidth for downloading in the foreground in KB/s. +- | [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) to control the amount of bandwidth for downloading in the foreground based on percentage. +| [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) to control the amount of bandwidth for downloading in the background based on percentage. - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This setting adjusts the amount of data downloaded directly from HTTP sources, rather than other peers in the network. - [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the **maximum foreground download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth. - [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the **maximum background download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth. @@ -132,10 +133,11 @@ Download mode dictates which download sources clients are allowed to use when do | Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | -|Bypass (100) |Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **(0)** or **(99)**. | +|Bypass (100) | This option is deprecated starting in Windows 11. +If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesn’t have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. > [!NOTE] -> Starting in Windows 11, the Bypass option of Download Mode is no longer used. +> Starting in Windows 11, the Bypass option of Download Mode is deprecated. > > [!NOTE] > When you use Azure Active Directory tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices. diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 505d7188e7..554a5d50f3 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -31,6 +31,13 @@ Starting with Microsoft Intune version 1902, you can set many Delivery Optimizat **Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5. +## Allow service endpoints + +When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). + +[Delivery Optimization Frequently Asked Questions](waas-delivery-optimization-faq.yml). + + ## Allow content endpoints When using a firewall, it's important that the content endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). @@ -72,7 +79,7 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since those will be used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy] (waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet. -To do this in Group Policy go to ****Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. +To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**. diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 8822848821..26649c20f0 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -21,11 +21,21 @@ ms.date: 12/31/2017 - Windows 10 - Windows 11 -> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). +> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [Download Center for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678). -Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is an HTTP downloader with a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network and/or a caching server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization with [Windows Update](../update/how-windows-update-works.md), Windows Server Update Services (WSUS), [Microsoft Intune/Windows Update for Business](/mem/intune/configuration/delivery-optimization-windows), or [Microsoft Configuration Manager](/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#windows-delivery-optimization) (when installation of Express Updates is enabled). +Win 11 22H2 -To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. +Download Group Policy Settings Reference Spreadsheet for Windows 11 2022 Update (22H2) from Official Microsoft Download Center + +Win 10 22H2 + +Download Group Policy Settings Reference Spreadsheet for Windows 10 2022 Update (22H2) from Official Microsoft Download Center + +Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is completely optional. + +To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will seamlessly fall back to the HTTP source to get the requested content. + +You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Microsoft Intune/Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled). For information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization](waas-delivery-optimization-setup.md). For a comprehensive list of all Delivery Optimization settings, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). @@ -60,7 +70,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | MDM Agent | Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: | | :heavy_check_mark: | | Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: | | | -| MSIX | Windows 10 2004, Windows 11 | :heavy_check_mark: | | | +| MSIX Installer| Windows 10 2004, Windows 11 | :heavy_check_mark: | | | #### Windows Server From 2370df3e727efa429a548c75d7ac8b7c59991b40 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 14 Feb 2023 14:41:02 -0700 Subject: [PATCH 40/66] Left over text needed removed. --- windows/deployment/do/waas-delivery-optimization.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 26649c20f0..a2454bdea4 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -23,14 +23,6 @@ ms.date: 12/31/2017 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [Download Center for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678). -Win 11 22H2 - -Download Group Policy Settings Reference Spreadsheet for Windows 11 2022 Update (22H2) from Official Microsoft Download Center - -Win 10 22H2 - -Download Group Policy Settings Reference Spreadsheet for Windows 10 2022 Update (22H2) from Official Microsoft Download Center - Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is completely optional. To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will seamlessly fall back to the HTTP source to get the requested content. From bde4e8f60d24ada603aa7e5cf0569ff4b2c488e6 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 14 Feb 2023 14:47:50 -0700 Subject: [PATCH 41/66] More changes --- .../deployment/do/waas-delivery-optimization-reference.md | 2 +- windows/deployment/do/waas-delivery-optimization-setup.md | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index d1b0a664af..f246e2c497 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -20,7 +20,7 @@ ms.date: 12/31/2017 - Windows 10 - Windows 11 -> **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=103506). +> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [Download Center for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678). There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This topic summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md). diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 554a5d50f3..816c3af0d7 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -35,13 +35,14 @@ Starting with Microsoft Intune version 1902, you can set many Delivery Optimizat When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). -[Delivery Optimization Frequently Asked Questions](waas-delivery-optimization-faq.yml). - - ## Allow content endpoints When using a firewall, it's important that the content endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). +## Frequently Asked Questions + +See [Delivery Optimization Frequently Asked Questions](waas-delivery-optimization-faq.yml) for other commonly asked questions related to Delivery Optimization. + ## Recommended Delivery Optimization settings Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). From 9e32a7a7790d74fe029642890b4974b45246d9e4 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 14 Feb 2023 15:40:31 -0800 Subject: [PATCH 42/66] driver-policy-edit --- .../update/deployment-service-drivers.md | 5 +++++ .../deployment-service-prerequisites.md | 6 ++++++ .../update/deployment-service-troubleshoot.md | 5 +++++ ...deployment-driver-policy-considerations.md | 18 ++++++++++++++++ .../wufb-deployment-policy-considerations.md | 21 ------------------- windows/deployment/update/waas-wu-settings.md | 2 +- .../update/waas-wufb-group-policy.md | 2 +- 7 files changed, 36 insertions(+), 23 deletions(-) create mode 100644 windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md delete mode 100644 windows/deployment/update/includes/wufb-deployment-policy-considerations.md diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md index cb9c80bdd4..2063dfd073 100644 --- a/windows/deployment/update/deployment-service-drivers.md +++ b/windows/deployment/update/deployment-service-drivers.md @@ -330,3 +330,8 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deployments?orderby=c [!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-graph-unenroll.md)] + +## Policy considerations for drivers + + +[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)] \ No newline at end of file diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md index 40b91b4b9f..8a35986ded 100644 --- a/windows/deployment/update/deployment-service-prerequisites.md +++ b/windows/deployment/update/deployment-service-prerequisites.md @@ -91,6 +91,12 @@ When you use [Windows Update for Business reports](wufb-reports-overview.md) in [!INCLUDE [Windows Update for Business deployment service limitations](./includes/wufb-deployment-limitations.md)] +## Policy considerations for drivers + + +[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)] + + ## General tips for the deployment service Follow these suggestions for the best results with the service: diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md index de2a896cad..f6be148c37 100644 --- a/windows/deployment/update/deployment-service-troubleshoot.md +++ b/windows/deployment/update/deployment-service-troubleshoot.md @@ -54,3 +54,8 @@ While expedite update deployments will override an update deferral for the updat [!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)] + +## Policy considerations for drivers + + +[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)] diff --git a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md new file mode 100644 index 0000000000..0e01d0543b --- /dev/null +++ b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md @@ -0,0 +1,18 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.technology: itpro-updates +ms.prod: windows-client +ms.topic: include +ms.date: 02/14/2023 +ms.localizationpriority: medium +--- + + +It's possible for the service to receive content approval but the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure these policies to fit their current or future needs. For instance, organizations may want to review applicable driver content through the deployment service, but not allow installation. Configuring this sort of behavior can be useful, especially when transitioning management of driver updates due to changing organizational needs. The following table describes driver related update policies that can affect deployments through the deployment service: + +| Description of policies | Locations | Behavior with the deployment service| +|---|---|---| +| Policies that exclude drivers from Windows Update for a device | - **Group Policy**: `\Windows Components\Windows Update\Do not include drivers with Windows Updates` set to `enabled`
- **CSP**: [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#excludewudriversinqualityupdate) set to `1`
- **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversFromQualityUpdates` set to `1`
- **Intune**: [**Windows Drivers** update setting](/mem/intune/protect/windows-update-settings#update-settings) for the update ring set to `Allow` | Devices that are enrolled for **drivers** and added to an audience though the deployment service:

- Won't install drivers that are approved from the deployment service
- Will display the applicable driver content in the deployment service | +| Policies that define the source for driver updates as either Windows Update or Windows Server Update Service (WSUS)| - **Group Policy**: `\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\Specify source service for specific classes of Windows Updates` set to `enabled` with the `Driver Updates` option set to `Windows Update`
- **CSP**: [SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourcefordriverupdates) set to `0` for Windows Update as the source
- **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForDriverUpdates` set to `0`. Under `\AU`, `UseUpdateClassPolicySource` also needs to be set to `1`
- **Intune**: Not applicable. Intune deploys updates using Windows Update for Business. [Co-managed clients from Configuration Manager](/mem/configmgr/comanage/overview?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) with the workload for Windows Update policies set to Intune will also use Windows Update for Business. | Devices that are enrolled for **drivers** and added to an audience though the deployment service:

- Will display the applicable driver content in the deployment service
- Will install drivers that are approved from the deployment service | diff --git a/windows/deployment/update/includes/wufb-deployment-policy-considerations.md b/windows/deployment/update/includes/wufb-deployment-policy-considerations.md deleted file mode 100644 index d94f08d213..0000000000 --- a/windows/deployment/update/includes/wufb-deployment-policy-considerations.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -author: mestew -ms.author: mstewart -manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client -ms.topic: include -ms.date: 02/14/2023 -ms.localizationpriority: medium ---- - - -## Policy considerations - -It's possible for the service to receive content approval but the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure policies to fit their needs. For instance, they may want to review applicable driver content, but not approve it for install through the deployment service. Configuring this sort of behavior can be useful, especially when transitioning driver update management due to changing organizational needs. - -| Policy | Behavior | -|---|---| -| - - diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 6bcdbc9cde..a0c68c2f09 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -142,7 +142,7 @@ To add more flexibility to the update process, settings are available to control [Configure Automatic Updates](#configure-automatic-updates) offers four different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates. -### Do not include drivers with Windows Updates +### Do not include drivers with Windows Updates Allows admins to exclude Windows Update drivers during updates. diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 286ed2119c..3a9b231764 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -71,7 +71,7 @@ Drivers are automatically enabled because they are beneficial to device systems. We also recommend that you allow Microsoft product updates as discussed previously. ### Set when devices receive feature and quality updates - + #### I want to receive pre-release versions of the next feature update 1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates. From 151de96be08a48e27596b8be4f59e3c9c1637a18 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 14 Feb 2023 15:45:01 -0800 Subject: [PATCH 43/66] remove added spaces --- windows/deployment/update/waas-wu-settings.md | 2 +- windows/deployment/update/waas-wufb-group-policy.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index a0c68c2f09..6bcdbc9cde 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -142,7 +142,7 @@ To add more flexibility to the update process, settings are available to control [Configure Automatic Updates](#configure-automatic-updates) offers four different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates. -### Do not include drivers with Windows Updates +### Do not include drivers with Windows Updates Allows admins to exclude Windows Update drivers during updates. diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 3a9b231764..286ed2119c 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -71,7 +71,7 @@ Drivers are automatically enabled because they are beneficial to device systems. We also recommend that you allow Microsoft product updates as discussed previously. ### Set when devices receive feature and quality updates - + #### I want to receive pre-release versions of the next feature update 1. Ensure that you are enrolled in the Windows Insider Program for Business. This is a completely free program available to commercial customers to aid them in their validation of feature updates before they are released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates. From 6c518b36bad0ffc8f61a64dd2d4bca2ca069c011 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 14 Feb 2023 19:51:02 -0700 Subject: [PATCH 44/66] Updates --- .../deployment/do/waas-delivery-optimization-reference.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index f246e2c497..99a09d3aad 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -85,12 +85,8 @@ All cached files have to be above a set minimum size. This size is automatically More options available that control the impact Delivery Optimization has on your network include the following: -- [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) to control the amount of bandwidth for downloading in the background in KB/s. -- [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) to control the amount of bandwidth for downloading in the foreground in KB/s. -- | [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) to control the amount of bandwidth for downloading in the foreground based on percentage. -| [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) to control the amount of bandwidth for downloading in the background based on percentage. - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This setting adjusts the amount of data downloaded directly from HTTP sources, rather than other peers in the network. -- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the **maximum foreground download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth. +- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth*hat Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth. - [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the **maximum background download bandwidth** that Delivery Optimization uses, across all concurrent download activities, as a percentage of available download bandwidth. - [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. From 845a7a9b7ab05e88a2d2a11b4bc33fc532981952 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 14 Feb 2023 20:24:51 -0700 Subject: [PATCH 45/66] updates --- windows/deployment/do/waas-delivery-optimization-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 816c3af0d7..79fd917495 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -33,7 +33,7 @@ Starting with Microsoft Intune version 1902, you can set many Delivery Optimizat ## Allow service endpoints -When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). +When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). ## Allow content endpoints From b00b99131d3bfe6cff88abf57d34baaab48edf77 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 14 Feb 2023 20:25:06 -0700 Subject: [PATCH 46/66] updates --- .../deployment/do/waas-delivery-optimization-reference.md | 4 ++-- windows/deployment/do/waas-optimize-windows-10-updates.md | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 99a09d3aad..249d31f498 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -129,8 +129,8 @@ Download mode dictates which download sources clients are allowed to use when do | Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | -|Bypass (100) | This option is deprecated starting in Windows 11. -If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesn’t have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. +| Bypass (100) | This option is deprecated starting in Windows 11. +If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesn’t have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. | > [!NOTE] > Starting in Windows 11, the Bypass option of Download Mode is deprecated. diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md index 4e180edeec..9253808ee6 100644 --- a/windows/deployment/do/waas-optimize-windows-10-updates.md +++ b/windows/deployment/do/waas-optimize-windows-10-updates.md @@ -14,11 +14,10 @@ ms.date: 12/31/2017 # Optimize Windows update delivery - **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) @@ -57,6 +56,7 @@ Windows client quality update downloads can be large because every package conta > Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. ### How Microsoft supports Express + - **Express on Microsoft Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. - **Express on WSUS Standalone** @@ -67,6 +67,7 @@ Windows client quality update downloads can be large because every package conta ### How Express download works For OS updates that support Express, there are two versions of the file payload stored on the service: + 1. **Full-file version** - essentially replacing the local versions of the update binaries. 2. **Express version** - containing the deltas needed to patch the existing binaries on the device. From 04bdb48ca535f645c426736a39a00901b0d001c5 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 15 Feb 2023 07:51:43 -0700 Subject: [PATCH 47/66] updates --- .../do/waas-delivery-optimization-reference.md | 3 +-- .../do/waas-delivery-optimization-setup.md | 12 ++++-------- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 249d31f498..42fb81e8c7 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -129,8 +129,7 @@ Download mode dictates which download sources clients are allowed to use when do | Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | -| Bypass (100) | This option is deprecated starting in Windows 11. -If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesn’t have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. | +| Bypass (100) | This option is deprecated starting in Windows 11. If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesn’t have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. | > [!NOTE] > Starting in Windows 11, the Bypass option of Download Mode is deprecated. diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 79fd917495..fa24d764d1 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -39,10 +39,6 @@ When using a firewall, it's important that the Delivery Optimization Service end When using a firewall, it's important that the content endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). -## Frequently Asked Questions - -See [Delivery Optimization Frequently Asked Questions](waas-delivery-optimization-faq.yml) for other commonly asked questions related to Delivery Optimization. - ## Recommended Delivery Optimization settings Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). @@ -116,13 +112,13 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza [!INCLUDE [Monitor Delivery Optimization](includes/waas-delivery-optimization-monitor.md)] -### Monitor with Update Compliance +### Monitor with Windows Update for Business Delivery Optimization Report -Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. +Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days. -:::image type="content" source="images/UC_workspace_DO_status.png" alt-text="Delivery Optimization status in Update Compliance" lightbox="images/UC_workspace_DO_status.png"::: +:::image type="content" source="images/wufb-do-overview.png" alt-text="Delivery Optimization status in Update Compliance" lightbox="images/wufb-do-overview.png"::: -For details, see [Delivery Optimization in Update Compliance](../update/update-compliance-delivery-optimization.md). +For details, see [Windows Update for Business Delivery Optimization Report](../update/wufb-reports-overview.md). ## Troubleshooting From 8c1692ad77fb58d23ee2585bff807c4229117053 Mon Sep 17 00:00:00 2001 From: ne8801 <74689443+ne8801@users.noreply.github.com> Date: Wed, 15 Feb 2023 09:25:48 -0600 Subject: [PATCH 48/66] Update wufb-deployment-find-device-name-graph-explorer.md Fixed typos in examples. --- .../wufb-deployment-find-device-name-graph-explorer.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md index 03e32e5950..b2f438598f 100644 --- a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md +++ b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md @@ -21,7 +21,7 @@ Use the [device](/graph/api/resources/device) resource type to find clients to e - Displays the **AzureAD Device ID** and **Name** for devices that have a name starting with `Test`: ```msgraph-interactive - GET https://graph.microsoft.com/v1.0/devices?$filter=startswith (displayName,'Test')&$select=deviceid,displayName + GET https://graph.microsoft.com/v1.0/devices?$filter=startswith(displayName,'Test')&$select=deviceid,displayName ``` @@ -38,13 +38,13 @@ For the next requests, set the **ConsistencyLevel** header to `eventual`. For mo - Display the **Name** and **Operating system version** for the device that has `01234567-89ab-cdef-0123-456789abcdef` as the **AzureAD Device ID**: ```msgraph-interactive - GET https://graph.microsoft.com/v1.0/devices?$search="deviceid:01234567-89ab-cdef-0123-456789abcdef"?$select=displayName,operatingSystemVersion` + GET https://graph.microsoft.com/v1.0/devices?$search="deviceid:01234567-89ab-cdef-0123-456789abcdef"&$select=displayName,operatingSystemVersion ``` - To find devices that likely aren't virtual machines, filter for devices that don't have virtual machine listed as the model but do have a manufacturer listed. Display the **AzureAD Device ID**, **Name**, and **Operating system version** for each device: ```msgraph-interactive - GET https://graph.microsoft.com/v1.0/devices?$filter=model ne 'virtual machine' and NOT(manufacturer eq null)&$count=true&$select=deviceid,displayName,operatingSystemVersion` + GET https://graph.microsoft.com/v1.0/devices?$filter=model ne 'virtual machine' and NOT(manufacturer eq null)&$count=true&$select=deviceid,displayName,operatingSystemVersion ``` > [!Tip] From 22b26aeb7165e9c2cf78988b391b10ce2c804b14 Mon Sep 17 00:00:00 2001 From: Bruno Siqueira Date: Wed, 15 Feb 2023 15:54:32 +0000 Subject: [PATCH 49/66] Spelling error in the "Policy timeline" section There is a small spelling error. In the "Policy timeline" section there is a sentence written like this: "accessgroup dec" while the correct one would be "accessgroup desc". --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 77a826c617..1da17f0f74 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -150,7 +150,7 @@ Descriptions of the properties: **Policy timeline**: -The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in the example. +The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in the example. The following table describes how this policy setting behaves in different Windows 10 versions: From 2590e3a22b2467a58901468a002b68552284b1db Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Feb 2023 09:15:12 -0800 Subject: [PATCH 50/66] formatting --- ...deployment-driver-policy-considerations.md | 36 ++++++++++++++++--- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md index 0e01d0543b..7896c2acf9 100644 --- a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md +++ b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md @@ -10,9 +10,35 @@ ms.localizationpriority: medium --- -It's possible for the service to receive content approval but the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure these policies to fit their current or future needs. For instance, organizations may want to review applicable driver content through the deployment service, but not allow installation. Configuring this sort of behavior can be useful, especially when transitioning management of driver updates due to changing organizational needs. The following table describes driver related update policies that can affect deployments through the deployment service: +It's possible for the service to receive content approval but the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure these policies to fit their current or future needs. For instance, organizations may want to review applicable driver content through the deployment service, but not allow installation. Configuring this sort of behavior can be useful, especially when transitioning management of driver updates due to changing organizational needs. The following list describes driver related update policies that can affect deployments through the deployment service: + + + +### Policies that exclude drivers from Windows Update for a device + +The following policies exclude drivers from Windows Update for a device: + +- **Locations of policies that exclude drivers**: + - **Group Policy**: `\Windows Components\Windows Update\Do not include drivers with Windows Updates` set to `enabled` + - **CSP**: [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#excludewudriversinqualityupdate) set to `1` + - **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversFromQualityUpdates` set to `1` + - **Intune**: [**Windows Drivers** update setting](/mem/intune/protect/windows-update-settings#update-settings) for the update ring set to `Allow` + +**Behavior with the deployment service**: Devices with driver exclusion polices that are enrolled for **drivers** and added to an audience though the deployment service: + - Won't install drivers that are approved from the deployment service + - Will display the applicable driver content in the deployment service + +### Policies that define the source for driver updates + +The following policies define the source for driver updates as either Windows Update or Windows Server Update Service (WSUS): + +- **Locations of policies that define an update source**: + - **Group Policy**: `\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\Specify source service for specific classes of Windows Updates` set to `enabled` with the `Driver Updates` option set to `Windows Update` + - **CSP**: [SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourcefordriverupdates) set to `0` for Windows Update as the source + - **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForDriverUpdates` set to `0`. Under `\AU`, `UseUpdateClassPolicySource` also needs to be set to `1` + - **Intune**: Not applicable. Intune deploys updates using Windows Update for Business. [Co-managed clients from Configuration Manager](/mem/configmgr/comanage/overview?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) with the workload for Windows Update policies set to Intune will also use Windows Update for Business. + +**Behavior with the deployment service**: Devices with these update source policies that are enrolled for **drivers** and added to an audience though the deployment service: + - Will display the applicable driver content in the deployment service + - Will install drivers that are approved from the deployment service -| Description of policies | Locations | Behavior with the deployment service| -|---|---|---| -| Policies that exclude drivers from Windows Update for a device | - **Group Policy**: `\Windows Components\Windows Update\Do not include drivers with Windows Updates` set to `enabled`
- **CSP**: [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#excludewudriversinqualityupdate) set to `1`
- **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversFromQualityUpdates` set to `1`
- **Intune**: [**Windows Drivers** update setting](/mem/intune/protect/windows-update-settings#update-settings) for the update ring set to `Allow` | Devices that are enrolled for **drivers** and added to an audience though the deployment service:

- Won't install drivers that are approved from the deployment service
- Will display the applicable driver content in the deployment service | -| Policies that define the source for driver updates as either Windows Update or Windows Server Update Service (WSUS)| - **Group Policy**: `\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\Specify source service for specific classes of Windows Updates` set to `enabled` with the `Driver Updates` option set to `Windows Update`
- **CSP**: [SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourcefordriverupdates) set to `0` for Windows Update as the source
- **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForDriverUpdates` set to `0`. Under `\AU`, `UseUpdateClassPolicySource` also needs to be set to `1`
- **Intune**: Not applicable. Intune deploys updates using Windows Update for Business. [Co-managed clients from Configuration Manager](/mem/configmgr/comanage/overview?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) with the workload for Windows Update policies set to Intune will also use Windows Update for Business. | Devices that are enrolled for **drivers** and added to an audience though the deployment service:

- Will display the applicable driver content in the deployment service
- Will install drivers that are approved from the deployment service | From 1387aad57ad2b8a1651926c78731883f5dfa0d50 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Feb 2023 09:49:28 -0800 Subject: [PATCH 51/66] formatting and edits --- .../wufb-deployment-driver-policy-considerations.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md index 7896c2acf9..734b9cde8b 100644 --- a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md +++ b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md @@ -12,8 +12,6 @@ ms.localizationpriority: medium It's possible for the service to receive content approval but the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure these policies to fit their current or future needs. For instance, organizations may want to review applicable driver content through the deployment service, but not allow installation. Configuring this sort of behavior can be useful, especially when transitioning management of driver updates due to changing organizational needs. The following list describes driver related update policies that can affect deployments through the deployment service: - - ### Policies that exclude drivers from Windows Update for a device The following policies exclude drivers from Windows Update for a device: @@ -25,8 +23,9 @@ The following policies exclude drivers from Windows Update for a device: - **Intune**: [**Windows Drivers** update setting](/mem/intune/protect/windows-update-settings#update-settings) for the update ring set to `Allow` **Behavior with the deployment service**: Devices with driver exclusion polices that are enrolled for **drivers** and added to an audience though the deployment service: - - Won't install drivers that are approved from the deployment service - Will display the applicable driver content in the deployment service + - Won't install drivers that are approved from the deployment service + - If drivers are deployed to a device that's blocking them, the deployment service displays the driver is being offered and reporting displays the install is pending. ### Policies that define the source for driver updates @@ -42,3 +41,4 @@ The following policies define the source for driver updates as either Windows Up - Will display the applicable driver content in the deployment service - Will install drivers that are approved from the deployment service +> [!NOTE] When the scan source for drivers is set to WSUS, the deployment service doesn't get inventory events from devices. This means that the deployment service won't be able to report the applicability of a driver for the device. \ No newline at end of file From c7f035da991b5e9ebe4ec382d0583a56d5a60bfc Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 15 Feb 2023 11:28:09 -0700 Subject: [PATCH 52/66] fix link to picture --- windows/deployment/do/waas-delivery-optimization-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index fa24d764d1..abcaf16f80 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -116,7 +116,7 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days. -:::image type="content" source="images/wufb-do-overview.png" alt-text="Delivery Optimization status in Update Compliance" lightbox="images/wufb-do-overview.png"::: +:::image type="content" source="../update/images/wufb-do-overview.png" alt-text="Delivery Optimization status in Update Compliance" lightbox="../update/images/wufb-do-overview.png"::: For details, see [Windows Update for Business Delivery Optimization Report](../update/wufb-reports-overview.md). From 7107b87a51dbce6f33c755fe0f233a35d11e24a9 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 15 Feb 2023 11:40:21 -0700 Subject: [PATCH 53/66] fix --- windows/deployment/do/waas-delivery-optimization-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index abcaf16f80..f21056f3af 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -116,7 +116,7 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days. -:::image type="content" source="../update/images/wufb-do-overview.png" alt-text="Delivery Optimization status in Update Compliance" lightbox="../update/images/wufb-do-overview.png"::: +:::image type="content" source="windows\deployment\update\images\wufb-do-overview.png" alt-text="Delivery Optimization status in Update Compliance" lightbox="windows\deployment\update\images\wufb-do-overview.png"::: For details, see [Windows Update for Business Delivery Optimization Report](../update/wufb-reports-overview.md). From 3c273d76b964485d9d346d86cdf3d1f8f68fed46 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Feb 2023 10:41:33 -0800 Subject: [PATCH 54/66] edits clarifying consent for graph --- .../update/includes/wufb-deployment-graph-explorer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md index 31b45d8227..92d5814b27 100644 --- a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md +++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md @@ -15,7 +15,7 @@ For this article, you'll use Graph Explorer to make requests to the [Microsoft G > [!WARNING] > > - Requests listed in this article require signing in with a Microsoft 365 account. If needed, a free one month trial is available for [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium). -> - Using a test tenant to verify the deployment process first is highly recommended. If you use a production tenant, ensure you verify which client devices you're targeting with deployments. +> - Using a test tenant to learn and verify the deployment process is highly recommended. Graph Explorer is intended to be a learning tool. Ensure you understand [granting consent](/graph/security-authorization) and the [consent type](/graph/api/resources/oauth2permissiongrant?view=graph-rest-1.0#properties) for Graph Explorer before proceeding. 1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using an Azure Active Directory (Azure AD) user account. 1. You may need to enable the [`WindowsUpdates.ReadWrite.All` permission](/graph/permissions-reference#windows-updates-permissions) to use the queries in this article. To enable the permission: From c2b86ee45ad8bb5cb58d2424f353af62cc5fbd62 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 15 Feb 2023 11:49:43 -0700 Subject: [PATCH 55/66] fix --- windows/deployment/do/waas-delivery-optimization-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index f21056f3af..8b2c8bfa9e 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -116,7 +116,7 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days. -:::image type="content" source="windows\deployment\update\images\wufb-do-overview.png" alt-text="Delivery Optimization status in Update Compliance" lightbox="windows\deployment\update\images\wufb-do-overview.png"::: +:::image type="content" source="/windows/deployment/update/images/wufb-do-overview.png" alt-text="Delivery Optimization status in Update Compliance" lightbox="/windows/deployment/update/images/wufb-do-overview.png"::: For details, see [Windows Update for Business Delivery Optimization Report](../update/wufb-reports-overview.md). From fc91a993c25fc6f98f21cb435f5fec8c110fe292 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 15 Feb 2023 13:14:48 -0700 Subject: [PATCH 56/66] add faq link --- windows/deployment/do/waas-delivery-optimization-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 8b2c8bfa9e..f877602a30 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -33,7 +33,7 @@ Starting with Microsoft Intune version 1902, you can set many Delivery Optimizat ## Allow service endpoints -When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache content](delivery-optimization-endpoints.md). +When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) for more information. ## Allow content endpoints From 27bfea9fbbdf76b28c3e3e9716187edb2c8fc76a Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 15 Feb 2023 13:38:21 -0700 Subject: [PATCH 57/66] add link to test page from toc --- windows/deployment/do/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 6c21a68819..d84541a5f8 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -25,6 +25,8 @@ href: delivery-optimization-workflow.md - name: Using a proxy with Delivery Optimization href: delivery-optimization-proxy.md + - name: Testing Delivery Optimization + href: delivery-optimization-test.md - name: Microsoft Connected Cache items: - name: Microsoft Connected Cache overview From 24d50976b7523d4d07061a91d1563d58123a28c4 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Feb 2023 14:35:45 -0800 Subject: [PATCH 58/66] edit --- .../includes/wufb-deployment-driver-policy-considerations.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md index 734b9cde8b..d8c96ee718 100644 --- a/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md +++ b/windows/deployment/update/includes/wufb-deployment-driver-policy-considerations.md @@ -41,4 +41,5 @@ The following policies define the source for driver updates as either Windows Up - Will display the applicable driver content in the deployment service - Will install drivers that are approved from the deployment service -> [!NOTE] When the scan source for drivers is set to WSUS, the deployment service doesn't get inventory events from devices. This means that the deployment service won't be able to report the applicability of a driver for the device. \ No newline at end of file +> [!NOTE] +> When the scan source for drivers is set to WSUS, the deployment service doesn't get inventory events from devices. This means that the deployment service won't be able to report the applicability of a driver for the device. \ No newline at end of file From 4c3bb710b6fd49be5845453cbe918d117f1c5ad2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Feb 2023 14:38:08 -0800 Subject: [PATCH 59/66] edit --- .../update/includes/wufb-deployment-graph-explorer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md index 92d5814b27..ca1b4d103a 100644 --- a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md +++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md @@ -15,7 +15,7 @@ For this article, you'll use Graph Explorer to make requests to the [Microsoft G > [!WARNING] > > - Requests listed in this article require signing in with a Microsoft 365 account. If needed, a free one month trial is available for [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium). -> - Using a test tenant to learn and verify the deployment process is highly recommended. Graph Explorer is intended to be a learning tool. Ensure you understand [granting consent](/graph/security-authorization) and the [consent type](/graph/api/resources/oauth2permissiongrant?view=graph-rest-1.0#properties) for Graph Explorer before proceeding. +> - Using a test tenant to learn and verify the deployment process is highly recommended. Graph Explorer is intended to be a learning tool. Ensure you understand [granting consent](/graph/security-authorization) and the [consent type](/graph/api/resources/oauth2permissiongrant#properties) for Graph Explorer before proceeding. 1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using an Azure Active Directory (Azure AD) user account. 1. You may need to enable the [`WindowsUpdates.ReadWrite.All` permission](/graph/permissions-reference#windows-updates-permissions) to use the queries in this article. To enable the permission: From 28f9bdb57cbdb70f173b370d45df6341c35162f2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 15 Feb 2023 14:40:01 -0800 Subject: [PATCH 60/66] edit --- windows/deployment/update/deployment-service-prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md index 8a35986ded..e2f45c2ee4 100644 --- a/windows/deployment/update/deployment-service-prerequisites.md +++ b/windows/deployment/update/deployment-service-prerequisites.md @@ -42,7 +42,7 @@ Windows Update for Business deployment service supports Windows client devices o ### Windows operating system updates -- Expediting updates requires the *Update Health Tools* on the clients. The tools are are installed starting with [KB 4023057](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a). To confirm the presence of the Update Health Tools on a device: +- Expediting updates requires the *Update Health Tools* on the clients. The tools are installed starting with [KB 4023057](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a). To confirm the presence of the Update Health Tools on a device: - Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**. - As an Admin, run the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}` From dd19502120bce8db6533b74d1eaa8ea2e21e4b37 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Wed, 15 Feb 2023 17:49:45 -0700 Subject: [PATCH 61/66] Apply suggestions from code review Moved text to separate the concept of Windows 10 or 11 as the Download Center. --- windows/deployment/do/waas-delivery-optimization-reference.md | 2 +- windows/deployment/do/waas-delivery-optimization-setup.md | 4 ++-- windows/deployment/do/waas-delivery-optimization.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 42fb81e8c7..c76958e4f8 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -20,7 +20,7 @@ ms.date: 12/31/2017 - Windows 10 - Windows 11 -> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [Download Center for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678). +> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678). There are many configuration options you can set in Delivery Optimization to customize the content delivery experience specific to your environment needs. This topic summarizes those configurations for your reference. If you just need an overview of Delivery Optimization, see [What is Delivery Optimization](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows](waas-delivery-optimization-setup.md). diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index f877602a30..a619d741c0 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -74,7 +74,7 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza ### Hub and spoke topology with boundary groups -The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since those will be used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy] (waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet. +The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since those will be used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet. To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. @@ -116,7 +116,7 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza Windows Update for Business Delivery Optimization Report provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer, Microsoft Connected Cache (MCC), HTTP source/CDN distribution over the past 28 days. -:::image type="content" source="/windows/deployment/update/images/wufb-do-overview.png" alt-text="Delivery Optimization status in Update Compliance" lightbox="/windows/deployment/update/images/wufb-do-overview.png"::: +:::image type="content" source="/windows/deployment/update/images/wufb-do-overview.png" alt-text="This screenshot shows the Windows Update for Business report, Delivery Optimization status in Update Compliance." lightbox="/windows/deployment/update/images/wufb-do-overview.png"::: For details, see [Windows Update for Business Delivery Optimization Report](../update/wufb-reports-overview.md). diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index a2454bdea4..8bcab9c5ee 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -21,7 +21,7 @@ ms.date: 12/31/2017 - Windows 10 - Windows 11 -> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [Download Center for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678). +> **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678). Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is completely optional. From e7b1a614eeba31655a76310a82a95a00545f9fc7 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 16 Feb 2023 07:54:35 -0500 Subject: [PATCH 62/66] dg-readiness-tool retirement --- .openpublishing.redirection.json | 5 + windows/security/TOC.yml | 2 - .../credential-guard-manage.md | 28 +- .../credential-guard/dg-readiness-tool.md | 1381 ----------------- 4 files changed, 7 insertions(+), 1409 deletions(-) delete mode 100644 windows/security/identity-protection/credential-guard/dg-readiness-tool.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 645db60d9e..2d21a68dd9 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -20519,6 +20519,11 @@ "source_path": "windows/client-management/mdm/policy-ddf-file.md", "redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf", "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard", + "redirect_document_id": true } ] } diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index dc04109fd8..9f840b293a 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -328,8 +328,6 @@ href: identity-protection/credential-guard/credential-guard-requirements.md - name: Manage Credential Guard href: identity-protection/credential-guard/credential-guard-manage.md - - name: Hardware readiness tool - href: identity-protection/credential-guard/dg-readiness-tool.md - name: Credential Guard protection limits href: identity-protection/credential-guard/credential-guard-protection-limits.md - name: Considerations when using Credential Guard diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index e4eb399ed3..ebee2bafa4 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -1,6 +1,6 @@ --- title: Manage Windows Defender Credential Guard (Windows) -description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools. +description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry. ms.date: 11/23/2022 ms.collection: - highpri @@ -38,7 +38,7 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the ## Enable Windows Defender Credential Guard -Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy) or the [registry](#enable-windows-defender-credential-guard-by-using-the-registry). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. > [!NOTE] @@ -151,19 +151,6 @@ To enable, use the Control Panel or the Deployment Image Servicing and Managemen > [!NOTE] > You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. -### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool - -You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). - -```cmd -DG_Readiness_Tool.ps1 -Enable -AutoReboot -``` - -> [!IMPORTANT] -> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. -> -> This is a known issue. - ### Review Windows Defender Credential Guard performance #### Is Windows Defender Credential Guard running? @@ -178,17 +165,6 @@ You can view System Information to check that Windows Defender Credential Guard :::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe)."::: -You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). - -```cmd -DG_Readiness_Tool_v3.6.ps1 -Ready -``` - -> [!IMPORTANT] -> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. -> -> This is a known issue. - > [!NOTE] > For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md deleted file mode 100644 index d834db9710..0000000000 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ /dev/null @@ -1,1381 +0,0 @@ ---- -title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool -description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script -ms.date: 11/22/2022 -ms.topic: reference -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later ---- - -# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool - -```powershell -# Script to find out if a machine is Device Guard compliant. -# The script requires a driver verifier present on the system. - -param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier) - -Set-StrictMode -Version Latest - -$path = "C:\DGLogs\" -$LogFile = $path + "DeviceGuardCheckLog.txt" - -$CompatibleModules = New-Object System.Text.StringBuilder -$FailingModules = New-Object System.Text.StringBuilder -$FailingExecuteWriteCheck = New-Object System.Text.StringBuilder - -$DGVerifyCrit = New-Object System.Text.StringBuilder -$DGVerifyWarn = New-Object System.Text.StringBuilder -$DGVerifySuccess = New-Object System.Text.StringBuilder - - -$Sys32Path = "$env:windir\system32" -$DriverPath = "$env:windir\system32\drivers" - -#generated by certutil -encode -$SIPolicy_Encoded = "BQAAAA43RKLJRAZMtVH2AW5WMHbk9wcuTBkgTbfJb0SmxaI0BACNkAgAAAAAAAAA -HQAAAAIAAAAAAAAAAAAKAEAAAAAMAAAAAQorBgEEAYI3CgMGDAAAAAEKKwYBBAGC -NwoDBQwAAAABCisGAQQBgjc9BAEMAAAAAQorBgEEAYI3PQUBDAAAAAEKKwYBBAGC -NwoDFQwAAAABCisGAQQBgjdMAwEMAAAAAQorBgEEAYI3TAUBDAAAAAEKKwYBBAGC -N0wLAQEAAAAGAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AQAAAAYAAAABAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA -BgAAAAEAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAA -AQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAUAAAABAAAA -AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABAAAAAEAAAABAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAAAQAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAYAAAABAAAAAgAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABgAAAAEAAAADAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAQAAAAUAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAABAAAADgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAEAAAAOAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AQAAAA4AAAABAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA -DgAAAAEAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAOAAAA -AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAA4AAAABAAAA -AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAADgAAAAEAAAADAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAOAAAAAQAAAAEAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQAAAABAAAAAQAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAPye3j3MoJGGstO/m3OKIFDLGlVN -otyttV8/cu4XchN4AQAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AQAAAAYAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA -DgAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAHAAAA -AQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAoAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAKAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAABAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAQAAAAYAAAABAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAABAAAABwAAAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAABAAAAFAAAAIMAAAAAAAAADIAAAAsAAAAAAAAAAAAAAAEAAAAAAAAA -AgAAAAAAAAADAAAAAAAAAAQAAAAAAAAABQAAAAAAAAALAAAAAAAAAAwAAAAAAAAA -DQAAAAAAAAAOAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAMAAAAAAAAAAyAAAASAAAABgAAAAAAAAAHAAAAAAAAAAgAAAAAAAAA -CQAAAAAAAAAKAAAAAAAAABMAAAAAAAAADwAAAAAAAAAQAAAAAAAAABEAAAAAAAAA -EgAAAAAAAAAUAAAAAAAAABUAAAAAAAAAGgAAAAAAAAAbAAAAAAAAABwAAAAAAAAA -FgAAAAAAAAAXAAAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAgAAABQAAABQAG8AbABpAGMAeQBJAG4AZgBvAAAAAAAWAAAA -SQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAQAAABJAGQAAAAAAAMAAAAMAAAA -MAAzADEAMAAxADcAAAAAABQAAABQAG8AbABpAGMAeQBJAG4AZgBvAAAAAAAWAAAA -SQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAgAAABOAGEAbQBlAAAAAAADAAAA -JgAAAEQAZQBmAGEAdQBsAHQAVwBpAG4AZABvAHcAcwBBAHUAZABpAHQAAAAAAAAA -AwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAA -BQAAAAYAAAA=" - -$HSTITest_Encoded = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADxXZfstTz5v7U8+b+1PPm/2GH4vrc8+b+8RGq/ojz5v9hh+r63PPm/2GH9vr48+b+1PPi/qjz5v9hh+b60PPm/2GHwvrc8+b/YYfu+tDz5v1JpY2i1PPm/AAAAAAAAAABQRQAAZIYFAGt3EVgAAAAAAAAAAPAAIiALAg4AABIAAAAaAAAAAAAAkBsAAAAQAAAAAACAAQAAAAAQAAAAAgAACgAAAAoAAAAKAAAAAAAAAABwAAAABAAAxcwAAAMAYEEAAAQAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAEDkAAGQAAAB0OQAABAEAAAAAAAAAAAAAAFAAACABAAAAAAAAAAAAAABgAAAYAAAAwDUAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQMAAA0AAAAAAAAAAAAAAA4DAAAEgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAMURAAAAEAAAABIAAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAB4DwAAADAAAAAQAAAAFgAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAwAUAAABAAAAAAgAAACYAAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAACABAAAAUAAAAAIAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAYAAAAAGAAAAACAAAAKgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIiVwkCFVWV0FWQVdIi+xIg+wwM/9IjUU4TIv5iX1ISI1NSIl9QEUzyYl9OEyNRUBIiUQkIDPS6AwJAACL2D1XAAeAD4WrAAAAi0VASGnYDCIAAP8V/yAAAI13CEyLw0iLyIvW/xX2IAAATIvwSIXAdQe7DgAHgOtxi104/xXWIAAARIvDi9ZIi8j/FdAgAABIi/BIhcB1B7sOAAeA6x5IjUU4TIvOTI1FQEiJRCQgSYvWSI1NSOiNCAAAi9j/FZUgAABNi8Yz0kiLyP8VlyAAAEiF9nQU/xV8IAAATIvGM9JIi8j/FX4gAAA5fUhAD5THQYk/i8NIi1wkYEiDxDBBX0FeX15dw8zMzMzMzMzMzOkzCAAAzMzMzMzMzEiJXCQYSIl0JCBXSIHscAEAAEiLBbsuAABIM8RIiYQkYAEAAA8QBRkhAACL8kiL+TPSSI1MJGBBuPQAAADzD39EJFDo6g4AAEiDZCQwAEiNTCRQg2QkQABFM8nHRCQogAAAALoAAABAx0QkIAMAAABFjUEB/xWSHwAASIvYSIP4/3RGQbkCAAAARTPAM9JIi8j/FX0fAACD+P90HkiDZCQgAEyNTCRARIvGSIvXSIvL/xVmHwAAhcB1Bv8VPB8AAEiLy/8VYx8AAEiLjCRgAQAASDPM6AsLAABMjZwkcAEAAEmLWyBJi3MoSYvjX8PMzMzMzMxIg+woM9JMi8lIhcl0Hrr///9/M8BEi8I4AXQJSP/BSYPoAXXzTYXAdSEz0rhXAAeAM8mFwEgPScp4C41RAUmLyejG/v//SIPEKMNJK9Dr4czMzMzMzMzMSIlcJAhIiXQkEFdIg+wgQYvZSYv4SIvy6Iv///+L00iLz+iN/v//SIvOSItcJDBIi3QkOEiDxCBf6Wr////MzMzMzMyJVCQQSIPsKAkRSI0Nsx8AAOhO////ugQAAABIjUwkOOhL/v//SI0NqB8AAOgz////SIPEKMPMzMzMzMxAVVNWV0FUQVVBVkFXSI1sJOFIgeyYAAAASIsF6CwAAEgzxEiJRQ9FM/ZIiVXnM9JIiU3vRIl1p0GL3kiJXbdJi8BIiUXXTYvpRIl1r0GL/kSJdfdFi+ZIiVX7RYv+SIlVA0yJdc9IhckPhBEFAABIhcAPhAgFAABNhckPhP8EAABBgzkBdBHHRaeAAAAAvwJAAIDp7QQAAEiNDQkfAADohP7//0WLfQREiX2/SWnfDCIAAP8Vtx0AAEyLw7oIAAAASIvI/xWuHQAATIvgSIXAdShIjQ3vHgAA6Er+////FUwdAAAPt/iBzwAAB4CFwA9O+EmL3umLBAAASI0N9x4AAOgi/v//RIl1s0WF/w+EiwIAAEmNXQhIiV3HSY20JAwCAABIjQ32HgAA6Pn9//+LQwiJhvT9//+FwHktPbsAAMB1EUiNDe4eAADo2f3//+kaAgAASI0N/R4AAOjI/f//g02nQOkFAgAAixtJA92DOwN0Gw+6bacIugEAAABIjY78/f//6Dv+///p4AEAAEyNhgD+//+6BAAAAEmLwEiNSwgPEAFIjYmAAAAADxEASI2AgAAAAA8QSZAPEUiQDxBBoA8RQKAPEEmwDxFIsA8QQcAPEUDADxBJ0A8RSNAPEEHgDxFA4A8QSfAPEUjwSIPqAXWuQbkAAgAASI0VgB4AAEiNDYEeAADodP3//4uLCAIAALoAEAAAQYv+TI0ES0iBwQwCAABMA8FIi85MK8ZIjYL+7/9/SIXAdBdBD7cECGaFwHQNZokBSIPBAkiD6gF13UiF0nUJSIPpAr96AAeAZkSJMUiNFSYeAABIjQ0nHgAAQbkAIAAATIvG6AH9//9MjXMEQYsOjUH/g/gDD4fDAAAA/0SN90iNFQMeAACJjvj9//9BuQQAAABIjQ34HQAATYvG6Mj8//9BiwaDfIX3AXZESI2O/P3//7oEAAAA6PH8//9Biw6D6QF0JYPpAXQag+kBdA+D+QEPhaIAAACDTacI63eDTacE63GDTacC62uDTacB62WD+AF1YIuDCAIAAEyNRa9BuQQAAACJRa9IjRWTHQAASI0NrB0AAOhP/P//RTP2RDl1r3UOD7ptpwlBjVYI6TX+//9IjYMMAgAASIlFz+sZD7ptpwlIjY78/f//ugIAAADoWfz//0Uz9otFs0iBxgwiAABIg0XHDP/AiUWzQTvHcxdIi13H6ZP9//+/BUAAgEiLXbfp5wEAAEQ5dad0DkiNDU0dAADoePv//+vji12v/xW1GgAARIvDuggAAABIi8j/FawaAABIiUW3SIvYSIXAdRZIjQ1JHQAA6ET7//+/FwAA0OmXAQAASI0NYx0AAOgu+///i0WvRI2wBgEAAEaNNHBEiXWzRYX/D4TFAAAASY1cJAhJjXUISI0N+xsAAOj++v//gXv4uwAAwHUOSI0N/hsAAOjp+v//63xEOXYEcxS6EAAAAA+6bacJSIvL6Gv7///rYosOSQPNi4EIAgAAO0WvdAe6CAAAAOvaRTPATI0MQUyNFAhEOUWvdjpMi3W3Qw+2jBAMAgAA99FDhIwIDAIAAHQID7ptpwmDCyBDioQIDAIAAEMIBDBB/8BEO0Wvcs5Ei3WzSIPGDEiBwwwiAABJg+8BD4VM////RIt9v0iLXbdFM/ZEOXWndBFIjQ0OHAAA6Dn6///pkQAAAEGL9kQ5da8PhoQAAABMi3W3TIttz0iNDYgcAADoE/r//4vGTI1Fq0G5AQAAAEiNFZgcAABCigwwSo0cKCILiE2rSI0NlBwAAOg/+v//QbkBAAAASI0VkhwAAEyLw0iNDZgcAADoI/r//4oDOEWrdBBIjQ2dHAAA6Lj5//+DTacg/8Y7da9yjuly+///v1cAB4BIjQ2sHAAA6Jf5//9BuQQAAABMjUWnSI0VphwAAEiNDa8cAADo0vn//02F5HRdTIt150iLdddNhfZ0NEQ5PnIvSI0NnBwAAOhX+f//QYvHSYvUTGnADCIAAEmLzuh0BwAASI0NmxwAAOg2+f//6wW/VwAHgESJPv8VbhgAAE2LxDPSSIvI/xVwGAAASIXbdBT/FVUYAABMi8Mz0kiLyP8VVxgAAEiLRe9IhcB0BYtNp4kIi8dIi00PSDPM6NMDAABIgcSYAAAAQV9BXkFdQVxfXltdw8zMzMzMzMxIi8RIiVgISIloEEiJcBhXQVZBV0iD7DCDYNgATYvxSYv4TI1I2EiL8kyL+UUzwDPSuaYAAAD/FWwYAACL2D0EAADAdAkPuusc6dkAAACDfCQgFHMKuwVAAIDpyAAAAItcJCD/FacXAABEi8O6CAAAAEiLyP8VnhcAAEiL6EiFwHUKuw4AB4DpmwAAAESLRCQgRTPJSIvQuaYAAAD/FQYYAACL2IXAeQYPuusc6zdIjQ2TGwAA6A74//+LVCQgSIvN6A73//9IjQ2LGwAA6Pb3//9Mi81Mi8dIi9ZJi8/ovfj//4vYSIt8JHCLdCQgSIX/dBk5N3IVTYX2dBBEi8ZIi9VJi87o8AUAAOsFu1cAB4CJN/8V9xYAAEyLxTPSSIvI/xX5FgAASItsJFiLw0iLXCRQSIt0JGBIg8QwQV9BXl/DzMzMzMzMSIlcJAhXSIPsIIP6AXU8SI0VmhcAAEiNDYsXAADoaAMAAIXAdAczwOmjAAAASI0VbBcAAEiNDV0XAADoVgMAAP8FKiUAAOmAAAAAhdJ1fDkVUyUAAHRtSIsNGiUAAOgxAgAASIsNFiUAAEiL+OgiAgAASI1Y+OsXSIsL6BQCAABIhcB0Bv8VBRcAAEiD6whIO99z5IM9DSUAAAR2FP8VJRYAAEyLxzPSSIvI/xUnFgAA6O4BAABIiQXDJAAASIkFtCQAAIMlpSQAAAC4AQAAAEiLXCQwSIPEIF/DzMzMzMzMzMzMzMzMzMzMzMzMzMzMSIlcJAhIiXQkEFdIg+wgSYv4i9pIi/GD+gF1BeijAQAATIvHi9NIi85Ii1wkMEiLdCQ4SIPEIF/pBwAAAMzMzMzMzMxMiUQkGIlUJBBIiUwkCFNWV0iB7JAAAACL+kiL8cdEJCABAAAAhdJ1EzkVDSQAAHULM9uJXCQg6d8AAACNQv+D+AF3MkyLhCTAAAAA6Hv+//+L2IlEJCDrFTPbiVwkIIu8JLgAAABIi7QksAAAAIXbD4SlAAAATIuEJMAAAACL10iLzujoAQAAi9iJRCQg6xUz24lcJCCLvCS4AAAASIu0JLAAAACD/wF1SIXbdURFM8Az0kiLzui1AQAA6xOLvCS4AAAASIu0JLAAAACLXCQgRTPAM9JIi87o7/3//+sTi7wkuAAAAEiLtCSwAAAAi1wkIIX/dAWD/wN1IEyLhCTAAAAAi9dIi87ov/3//4vYiUQkIOsGM9uJXCQgi8NIgcSQAAAAX15bw8zMzMzMzMzMzMxmZg8fhAAAAAAASDsN6SIAAHUQSMHBEGb3wf//dQHDSMHJEOmSAQAAzMzMzMzMSP8ltRQAAMzMzMzMzMzMzDPJSP8lmxQAAMzMzMzMzMxIiVwkIFVIi+xIg+wgSINlGABIuzKi3y2ZKwAASIsFiSIAAEg7ww+FjwAAAEiNTRj/FU4UAABIi0UYSIlFEP8VABQAAIvASDFFEP8V/BMAAIvASDFFEP8VIBQAAIvASMHgGEgxRRD/FRAUAACLwEiNTRBIM0UQSDPBSI1NIEiJRRD/FeUTAACLRSBIuf///////wAASMHgIEgzRSBIM0UQSCPBSLkzot8tmSsAAEg7w0gPRMFIiQXxIQAASItcJEhI99BIiQXqIQAASIPEIF3DzMzMzMzM/yXYEgAAzMzMzMzM/yXEEgAAzMzMzMzMzMxIg+wog/oBdQb/FTUTAAC4AQAAAEiDxCjDzMzMzMzMzMzMzMzMzMzMzMzMzMIAAMzMzMzMzMzMzEBTSIPsIEiL2TPJ/xWTEgAASIvL/xWCEgAA/xUUEwAASIvIugkEAMBIg8QgW0j/JfgSAADMzMzMzMzMzMzMzMzMzMzMSIlMJAhIgeyIAAAASI0NHSIAAP8VLxMAAEiLBQgjAABIiUQkSEUzwEiNVCRQSItMJEj/FSATAABIiUQkQEiDfCRAAHRCSMdEJDgAAAAASI1EJFhIiUQkMEiNRCRgSIlEJChIjQXHIQAASIlEJCBMi0wkQEyLRCRISItUJFAzyf8VyxIAAOsjSIsFOiIAAEiLAEiJBZAiAABIiwUpIgAASIPACEiJBR4iAABIiwV3IgAASIkF6CAAAEiLhCSQAAAASIkF6SEAAMcFvyAAAAkEAMDHBbkgAAABAAAAxwXDIAAAAwAAALgIAAAASGvAAEiNDbsgAABIxwQBAgAAALgIAAAASGvAAUiNDaMgAABIixUsIAAASIkUAbgIAAAASGvAAkiNDYggAABIixUZIAAASIkUAbgIAAAASGvAAEiLDf0fAABIiUwEaLgIAAAASGvAAUiLDfAfAABIiUwEaEiNDdwPAADoU/7//0iBxIgAAADDzMzMzMzMzMzMzMzMzMzMzMzMzMzM/yWUEAAAzMzMzMzM/yWQEAAAzMzMzMzM/yWMEAAAzMzMzMzMzMxIg+woTYtBOEiLykmL0egRAAAAuAEAAABIg8Qow8zMzMzMzMxAU0WLGEiL2kGD4/hMi8lB9gAETIvRdBNBi0AITWNQBPfYTAPRSGPITCPRSWPDSosUEEiLQxCLSAhIA0sI9kEDD3QMD7ZBA4Pg8EiYTAPITDPKSYvJW+kl/P//zMzMzMzMzMzMzMxmZg8fhAAAAAAA/+DMzMzMzMxAVUiD7CBIi+pIiU04SIsBixCJVSRIiU1AM8BIg8QgXcPMQFVIg+wgSIvqSIlNSEiLAYsQiVUoSIlNUDPASIPEIF3DzEBVSIPsIEiL6kiJTVhIiwGLEIlVLEiJTWAzwEiDxCBdw8xAVUiD7CBIi+pIiU1oSIsBixCJVTBIiU1wM8BIg8QgXcPMQFVIg+wgSIvqSIlNeEiLAYsQiVU0SImNgAAAADPASIPEIF3DzEBVSIPsIEiL6kiDxCBdw8wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBAAIABAAAA8EAAgAEAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAgAEAAAAAAAAAAAAAAAAAAAAAAAAAKDIAgAEAAAAwMgCAAQAAAFgyAIABAAAABQAAAAAAAAAANQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeD4AAAAAAABkPwAAAAAAAG4/AAAAAAAAAAAAAAAAAADOOwAAAAAAAMA7AAAAAAAAAAAAAAAAAAAQPQAAAAAAACw9AAAAAAAA6j4AAAAAAAAAAAAAAAAAAPo+AAAAAAAA2D4AAAAAAADMPgAAAAAAAAAAAAAAAAAACD8AAAAAAAAAAAAAAAAAAFI8AAAAAAAAFj8AAAAAAABGPAAAAAAAAAAAAAAAAAAA9DwAAAAAAAAAAAAAAAAAAJ48AAAAAAAAtDwAAAAAAABePQAAAAAAAEo9AAAAAAAAAAAAAAAAAACEPAAAAAAAAAAAAAAAAAAA5DwAAAAAAADKPAAAAAAAAAAAAAAAAAAAZDwAAAAAAAB0PAAAAAAAAAAAAAAAAAAAsD4AAAAAAAD6OwAAAAAAACg8AAAAAAAADjwAAAAAAAAAAAAAAAAAAHAeAIABAAAAACEAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAAAgEQAAkBsAAHAeAADAHgAAAAAAAC5caHN0aXRyYWNlLmxvZwAgUHJvdmlkZXJFcnJvcjoAOlByb3ZpZGVyRXJyb3IgAERldGVybWluaW5nIENvdW50LiAAAAAAAAAAAAAAAAAAICEhISBFcnJvciBidWZmZXIgZmFpbGVkIGFsbG9jYXRpb24gISEhIAAAAAAAAAAARGV0ZXJtaW5lIFNlY3VyaXR5RmVhdHVyZXNTaXplLiAAAAAAAAAAAExvb3AuLi4gAAAAAAAAAAAAAAAAAAAAACBVbnN1cHBvcnRlZCBBSVAgaWdub3JlZCAAAAAAAAAAICEhISBVRUZJIFByb3RvY29sIEVycm9yIERldGVjdGVkICEhISAAADpJRCAAAAAAIElEOgAAAAA6RVJST1IgACBFUlJPUjoAOlJPTEUgAAAgUk9MRToAAAAAAAAAAAAAOnNlY3VyaXR5RmVhdHVyZXNTaXplIAAAAAAAAAAAAAAgc2VjdXJpdHlGZWF0dXJlc1NpemU6AAAAAAAAAAAAACAhISEgRXJyb3IgZGV0ZWN0ZWQsIGJhaWxpbmcgb3V0ICEhISAAAAAAAAAAAAAAAFZlcmlmaWVkIGJ1ZmZlciBhbGxvY2F0aW9uIGZhaWxlZC4AAAAAAAAAAAAAAAAAAExvb3Bpbmcgb24gcHJvdmlkZXJzIHRvIGFjY3VtdWxhdGUgaW1wbGVtZW50ZWQgYW5kIHZlcmlmaWVkLgAAAABDb21wYXJpbmcgcmVxdWlyZWQgYnl0ZSB0byB2ZXJpZmllZC4uLgAAOlZFUklGSUVEIAAAAAAAACBWRVJJRklFRDoAAAAAAAA6UkVRVUlSRUQgAAAAAAAAIFJFUVVJUkVEOgAAAAAAAAAAAAAAAAAAISEhIHZlcmlmaWVkIGJ5dGUgZG9lcyBub3QgbWF0Y2ggcmVxdWlyZWQgISEhAAAAQ0xFQU5VUCAAAAAAAAAAADpPVkVSQUxMAAAAAAAAAABPVkVSQUxMOgAAAAAAAAAAUHJvdmlkZXIgRXJyb3JzIGNvcHkgc3RhcnQAAAAAAABQcm92aWRlciBFcnJvcnMgY29weSBlbmQAAAAAAAAAAEJMT0IgU3RhcnQ6AAAAAAA6QkxPQiBFbmQgIAAAAAAAAAAAAGt3EVgAAAAAAgAAACUAAAD4NQAA+BsAAAAAAABrdxFYAAAAAA0AAACgAQAAIDYAACAcAABSU0RT1J4Ttoijw0G4zY0uYG3g7wEAAABIc3RpVGVzdC5wZGIAAAAAR0NUTAAQAADwEAAALnRleHQkbW4AAAAA8CAAABIAAAAudGV4dCRtbiQwMAACIQAAwwAAAC50ZXh0JHgAADAAAOAAAAAucmRhdGEkYnJjAADgMAAASAEAAC5pZGF0YSQ1AAAAACgyAAAQAAAALjAwY2ZnAAA4MgAACAAAAC5DUlQkWENBAAAAAEAyAAAIAAAALkNSVCRYQ1oAAAAASDIAAAgAAAAuQ1JUJFhJQQAAAABQMgAACAAAAC5DUlQkWElaAAAAAFgyAAAYAAAALmNmZ3VhcmQAAAAAcDIAAIgDAAAucmRhdGEAAPg1AADIAQAALnJkYXRhJHp6emRiZwAAAMA3AABQAQAALnhkYXRhAAAQOQAAZAAAAC5lZGF0YQAAdDkAAPAAAAAuaWRhdGEkMgAAAABkOgAAFAAAAC5pZGF0YSQzAAAAAHg6AABIAQAALmlkYXRhJDQAAAAAwDsAALgDAAAuaWRhdGEkNgAAAAAAQAAAEAAAAC5kYXRhAAAAEEAAALAFAAAuYnNzAAAAAABQAAAgAQAALnBkYXRhAAABEwgAEzQMABNSDPAK4AhwB2AGUBkkBwASZDMAEjQyABIBLgALcAAAbCAAAGABAAABBAEABEIAAAEPBgAPZAcADzQGAA8yC3ABCAEACEIAABknCgAZARMADfAL4AnQB8AFcARgAzACUGwgAACIAAAAARgKABhkDAAYVAsAGDQKABhSFPAS4BBwGRgFABgBEgARcBBgDzAAAEYgAAAGAAAAGBwAAC0cAAAIIQAALRwAAEocAABkHAAAKiEAAGQcAACCHAAAkRwAAEwhAACRHAAApBwAALMcAABuIQAAsxwAAM8cAADpHAAAkCEAAOkcAAD5GwAA7xwAALUhAAAAAAAAAQYCAAYyAlABCgQACjQGAAoyBnAAAAAAAQAAAAENBAANNAkADTIGUAEGAgAGMgIwAQwCAAwBEQABAAAAAQIBAAIwAAAAAAAAAAAAAAAAAAAAAAAAd24RWAAAAABMOQAAAQAAAAIAAAACAAAAODkAAEA5AABIOQAAEBAAACARAABZOQAAYzkAAAAAAQBIU1RJVEVTVC5kbGwAUXVlcnlIU1RJAFF1ZXJ5SFNUSWRldGFpbHMAmDoAAAAAAAAAAAAA2jsAAAAxAACYOwAAAAAAAAAAAAA8PAAAADIAAAA7AAAAAAAAAAAAAHI9AABoMQAAgDsAAAAAAAAAAAAAkj0AAOgxAABYOwAAAAAAAAAAAACyPQAAwDEAADA7AAAAAAAAAAAAANY9AACYMQAAaDsAAAAAAAAAAAAAAD4AANAxAAAgOwAAAAAAAAAAAAAkPgAAiDEAALA6AAAAAAAAAAAAAE4+AAAYMQAAeDoAAAAAAAAAAAAAkD4AAOAwAADQOgAAAAAAAAAAAAAiPwAAODEAAPA6AAAAAAAAAAAAAEI/AABYMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4PgAAAAAAAGQ/AAAAAAAAbj8AAAAAAAAAAAAAAAAAAM47AAAAAAAAwDsAAAAAAAAAAAAAAAAAABA9AAAAAAAALD0AAAAAAADqPgAAAAAAAAAAAAAAAAAA+j4AAAAAAADYPgAAAAAAAMw+AAAAAAAAAAAAAAAAAAAIPwAAAAAAAAAAAAAAAAAAUjwAAAAAAAAWPwAAAAAAAEY8AAAAAAAAAAAAAAAAAAD0PAAAAAAAAAAAAAAAAAAAnjwAAAAAAAC0PAAAAAAAAF49AAAAAAAASj0AAAAAAAAAAAAAAAAAAIQ8AAAAAAAAAAAAAAAAAADkPAAAAAAAAMo8AAAAAAAAAAAAAAAAAABkPAAAAAAAAHQ8AAAAAAAAAAAAAAAAAACwPgAAAAAAAPo7AAAAAAAAKDwAAAAAAAAOPAAAAAAAAAAAAAAAAAAABwBfaW5pdHRlcm1fZQAGAF9pbml0dGVybQBhcGktbXMtd2luLWNvcmUtY3J0LWwyLTEtMC5kbGwAANACUnRsQ2FwdHVyZUNvbnRleHQAjQRSdGxMb29rdXBGdW5jdGlvbkVudHJ5AAC3BVJ0bFZpcnR1YWxVbndpbmQAAG50ZGxsLmRsbAAGAEhlYXBGcmVlAAAAAEdldFByb2Nlc3NIZWFwAAAEAEVuY29kZVBvaW50ZXIAAQBEZWNvZGVQb2ludGVyAAAAUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIADQBHZXRDdXJyZW50UHJvY2Vzc0lkABEAR2V0Q3VycmVudFRocmVhZElkAAAUAEdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lABgAR2V0VGlja0NvdW50AAABAERpc2FibGVUaHJlYWRMaWJyYXJ5Q2FsbHMAEQBVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAA8AU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAwAR2V0Q3VycmVudFByb2Nlc3MATQBUZXJtaW5hdGVQcm9jZXNzAABhcGktbXMtd2luLWNvcmUtaGVhcC1sMS0yLTAuZGxsAGFwaS1tcy13aW4tY29yZS11dGlsLWwxLTEtMC5kbGwAYXBpLW1zLXdpbi1jb3JlLXByb2ZpbGUtbDEtMS0wLmRsbAAAYXBpLW1zLXdpbi1jb3JlLXByb2Nlc3N0aHJlYWRzLWwxLTEtMi5kbGwAYXBpLW1zLXdpbi1jb3JlLXN5c2luZm8tbDEtMi0xLmRsbAAAYXBpLW1zLXdpbi1jb3JlLWxpYnJhcnlsb2FkZXItbDEtMi0wLmRsbAAAYXBpLW1zLXdpbi1jb3JlLWVycm9yaGFuZGxpbmctbDEtMS0xLmRsbAAAAABfX0Nfc3BlY2lmaWNfaGFuZGxlcgAAYXBpLW1zLXdpbi1jb3JlLWNydC1sMS0xLTAuZGxsAADbAU50UXVlcnlTeXN0ZW1JbmZvcm1hdGlvbgAAWQBXcml0ZUZpbGUAUwBTZXRGaWxlUG9pbnRlcgAABQBHZXRMYXN0RXJyb3IAAAUAQ3JlYXRlRmlsZUEAAABDbG9zZUhhbmRsZQACAEhlYXBBbGxvYwBhcGktbXMtd2luLWNvcmUtZmlsZS1sMS0yLTEuZGxsAGFwaS1tcy13aW4tY29yZS1oYW5kbGUtbDEtMS0wLmRsbAAzAG1lbWNweQAANwBtZW1zZXQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyot8tmSsAAM1dINJm1P//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAAAXEQAAwDcAACwRAAAaEgAA1DcAACASAABwEgAA8DcAAHgSAAC2EgAA+DcAALwSAADyEgAACDgAAPgSAABRGQAAEDgAAFgZAACaGgAAMDgAAKAaAAB7GwAAyDgAAJAbAADNGwAA+DcAANQbAAD8HAAASDgAABAdAAAuHQAA2DgAAFQdAAAkHgAA3DgAAEQeAABdHgAA8DcAAHweAACwHgAA6DgAAMAeAAAxIAAA8DgAAGwgAACJIAAA8DcAAJAgAADrIAAA/DgAAAAhAAACIQAA+DgAAAghAAAqIQAAwDgAACohAABMIQAAwDgAAEwhAABuIQAAwDgAAG4hAACQIQAAwDgAAJAhAAC1IQAAwDgAALUhAADFIQAAwDgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAABgAAAAAoAigaKCAoIigkKAoojCiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - -function Log($message) -{ - $message | Out-File $LogFile -Append -Force -} - -function LogAndConsole($message) -{ - Write-Host $message - Log $message -} - -function LogAndConsoleWarning($message) -{ - Write-Host $message -foregroundcolor "Yellow" - Log $message -} - -function LogAndConsoleSuccess($message) -{ - Write-Host $message -foregroundcolor "Green" - Log $message -} - -function LogAndConsoleError($message) -{ - Write-Host $message -foregroundcolor "Red" - Log $message -} - -function IsExempted([System.IO.FileInfo] $item) -{ - $cert = (Get-AuthenticodeSignature $item.FullName).SignerCertificate - if($cert.ToString().Contains("CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US")) - { - Log $item.FullName + "MS Exempted" - return 1 - } - else - { - Log $item.FullName + "Not-exempted" - Log $cert.ToString() - return 0 - } -} - -function CheckExemption($_ModName) -{ - $mod1 = Get-ChildItem $Sys32Path $_ModName - $mod2 = Get-ChildItem $DriverPath $_ModName - if($mod1) - { - Log "NonDriver module" + $mod1.FullName - return IsExempted($mod1) - } - elseif($mod2) - { - Log "Driver Module" + $mod2.FullName - return IsExempted($mod2) - } - -} - -function CheckFailedDriver($_ModName, $CIStats) -{ - Log "Module: " $_ModName.Trim() - if(CheckExemption($_ModName.Trim()) - eq 1) - { - $CompatibleModules.AppendLine("Windows Signed: " + $_ModName.Trim()) | Out-Null - return - } - $index = $CIStats.IndexOf("execute pool type count:".ToLower()) - if($index -eq -1) - { - return - } - $_tempStr = $CIStats.Substring($index) - $Result = "PASS" - $separator = "`r`n","" - $option = [System.StringSplitOptions]::RemoveEmptyEntries - $stats = $_tempStr.Split($separator,$option) - Log $stats.Count - - $FailingStat = "" - foreach( $stat in $stats) - { - $_t =$stat.Split(":") - if($_t.Count -eq 2 -and $_t[1].trim() -ne "0") - { - $Result = "FAIL" - $FailingStat = $stat - break - } - } - if($Result.Contains("PASS")) - { - $CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null - } - elseif($FailingStat.Trim().Contains("execute-write")) - { - $FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null - } - else - { - $FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null - } - Log "Result: " $Result -} - -function ListCIStats($_ModName, $str1) -{ - $i1 = $str1.IndexOf("Code Integrity Statistics:".ToLower()) - if($i1 -eq -1 ) - { - Log "String := " $str1 - Log "Warning! CI Stats are missing for " $_ModName - return - } - $temp_str1 = $str1.Substring($i1) - $CIStats = $temp_str1.Substring(0).Trim() - - CheckFailedDriver $_ModName $CIStats -} - -function ListDrivers($str) -{ - $_tempStr= $str - - $separator = "module:","" - $option = [System.StringSplitOptions]::RemoveEmptyEntries - $index1 = $_tempStr.IndexOf("MODULE:".ToLower()) - if($index1 -lt 0) - { - return - } - $_tempStr = $_tempStr.Substring($Index1) - $_SplitStr = $_tempStr.Split($separator,$option) - - - Log $_SplitStr.Count - LogAndConsole "Verifying each module please wait ... " - foreach($ModuleDetail in $_Splitstr) - { - #LogAndConsole $Module - $Index2 = $ModuleDetail.IndexOf("(") - if($Index2 -eq -1) - { - "Skipping .." - continue - } - $ModName = $ModuleDetail.Substring(0,$Index2-1) - Log "Driver: " $ModName - Log "Processing module: " $ModName - ListCIStats $ModName $ModuleDetail - } - - $DriverScanCompletedMessage = "Completed scan. List of Compatible Modules can be found at " + $LogFile - LogAndConsole $DriverScanCompletedMessage - - if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 ) - { - $WarningMessage = "Incompatible HVCI Kernel Driver Modules found" - if($HLK) - { - LogAndConsoleError $WarningMessage - } - else - { - LogAndConsoleWarning $WarningMessage - } - - LogAndConsoleError $FailingExecuteWriteCheck.ToString() - if($HLK) - { - LogAndConsoleError $FailingModules.ToString() - } - else - { - LogAndConsoleWarning $FailingModules.ToString() - } - if($FailingModules.Length -ne 0 -or $FailingExecuteWriteCheck.Length -ne 0 ) - { - if($HLK) - { - $DGVerifyCrit.AppendLine($WarningMessage) | Out-Null - } - else - { - $DGVerifyWarn.AppendLine($WarningMessage) | Out-Null - } - } - } - else - { - LogAndConsoleSuccess "No Incompatible Drivers found" - } -} - -function ListSummary() -{ - if($DGVerifyCrit.Length -ne 0 ) - { - LogAndConsoleError "Machine is not Device Guard / Credential Guard compatible because of the following:" - LogAndConsoleError $DGVerifyCrit.ToString() - LogAndConsoleWarning $DGVerifyWarn.ToString() - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 0 /f ' - } - if(!$CG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 0 /f ' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 0 /f ' - } - - } - elseif ($DGVerifyWarn.Length -ne 0 ) - { - LogAndConsoleSuccess "Device Guard / Credential Guard can be enabled on this machine.`n" - LogAndConsoleWarning "The following additional qualifications, if present, can enhance the security of Device Guard / Credential Guard on this system:" - LogAndConsoleWarning $DGVerifyWarn.ToString() - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 1 /f ' - } - if(!$CG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 1 /f ' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 1 /f ' - } - } - else - { - LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n" - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f ' - } - if(!$CG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 2 /f ' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 2 /f ' - } - } -} - - -function Instantiate-Kernel32 { - try - { - Add-Type -TypeDefinition @" - using System; - using System.Diagnostics; - using System.Runtime.InteropServices; - - public static class Kernel32 - { - [DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)] - public static extern IntPtr LoadLibrary( - [MarshalAs(UnmanagedType.LPStr)]string lpFileName); - - [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)] - public static extern IntPtr GetProcAddress( - IntPtr hModule, - string procName); - } - -"@ - } - catch - { - Log $_.Exception.Message - LogAndConsole "Instantiate-Kernel32 failed" - } -} - -function Instantiate-HSTI { - try - { - Add-Type -TypeDefinition @" - using System; - using System.Diagnostics; - using System.Runtime.InteropServices; - using System.Net; - - public static class HstiTest3 - { - [DllImport("hstitest.dll", CharSet = CharSet.Unicode)] - public static extern int QueryHSTIdetails( - ref HstiOverallError pHstiOverallError, - [In, Out] HstiProviderErrorDuple[] pHstiProviderErrors, - ref uint pHstiProviderErrorsCount, - byte[] hstiPlatformSecurityBlob, - ref uint pHstiPlatformSecurityBlobBytes); - - [DllImport("hstitest.dll", CharSet = CharSet.Unicode)] - public static extern int QueryHSTI(ref bool Pass); - - [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] - public struct HstiProviderErrorDuple - { - internal uint protocolError; - internal uint role; - internal HstiProviderErrors providerError; - [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] - internal string ID; - [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)] - internal string ErrorString; - } - - [FlagsAttribute] - public enum HstiProviderErrors : int - { - None = 0x00000000, - VersionMismatch = 0x00000001, - RoleUnknown = 0x00000002, - RoleDuplicated = 0x00000004, - SecurityFeatureSizeMismatch = 0x00000008, - SizeTooSmall = 0x00000010, - VerifiedMoreThanImplemented = 0x00000020, - VerifiedNotMatchImplemented = 0x00000040 - } - - [FlagsAttribute] - public enum HstiOverallError : int - { - None = 0x00000000, - RoleTooManyPlatformReference = 0x00000001, - RoleTooManyIbv = 0x00000002, - RoleTooManyOem = 0x00000004, - RoleTooManyOdm = 0x00000008, - RoleMissingPlatformReference = 0x00000010, - VerifiedIncomplete = 0x00000020, - ProtocolErrors = 0x00000040, - BlobVersionMismatch = 0x00000080, - PlatformSecurityVersionMismatch = 0x00000100, - ProviderError = 0x00000200 - } - - } -"@ - - $LibHandle = [Kernel32]::LoadLibrary("C:\Windows\System32\hstitest.dll") - $FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails") - $FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI") - - if ([System.IntPtr]::Size -eq 8) - { - #assuming 64 bit - Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())" - Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())" - } - else - { - return - } - $overallError = New-Object HstiTest3+HstiOverallError - $providerErrorDupleCount = New-Object int - $blobByteSize = New-Object int - $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize) - - [byte[]]$blob = New-Object byte[] $blobByteSize - [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount - $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize) - $string = $null - $blob | foreach { $string = $string + $_.ToString("X2")+"," } - - $hstiStatus = New-Object bool - $hr = [HstiTest3]::QueryHSTI([ref] $hstiStatus) - - LogAndConsole "HSTI Duple Count: $providerErrorDupleCount" - LogAndConsole "HSTI Blob size: $blobByteSize" - LogAndConsole "String: $string" - LogAndConsole "HSTIStatus: $hstiStatus" - if(($blobByteSize -gt 512) -and ($providerErrorDupleCount -gt 0) -and $hstiStatus) - { - LogAndConsoleSuccess "HSTI validation successful" - } - elseif(($providerErrorDupleCount -eq 0) -or ($blobByteSize -le 512)) - { - LogAndConsoleWarning "HSTI is absent" - $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null - } - else - { - $ErrorMessage = "HSTI validation failed" - if($HLK) - { - LogAndConsoleError $ErrorMessage - $DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null - } - else - { - LogAndConsoleWarning $ErrorMessage - $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null - } - } - - } - catch - { - LogAndConsoleError $_.Exception.Message - LogAndConsoleError "Instantiate-HSTI failed" - } -} - - -function CheckDGRunning($_val) -{ - $DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard - for($i=0; $i -lt $DGObj.SecurityServicesRunning.length; $i++) - { - if($DGObj.SecurityServicesRunning[$i] -eq $_val) - { - return 1 - } - - } - return 0 -} - -function CheckDGFeatures($_val) -{ - $DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard - Log "DG_obj $DG_obj" - Log "DG_obj.AvailableSecurityProperties.length $DG_obj.AvailableSecurityProperties.length" - for($i=0; $i -lt $DGObj.AvailableSecurityProperties.length; $i++) - { - if($DGObj.AvailableSecurityProperties[$i] -eq $_val) - { - return 1 - } - - } - return 0 -} - -function PrintConfigCIDetails($_ConfigCIState) -{ - $_ConfigCIRunning = "Config-CI is enabled and running." - $_ConfigCIDisabled = "Config-CI is not running." - $_ConfigCIMode = "Not Enabled" - switch ($_ConfigCIState) - { - 0 { $_ConfigCIMode = "Not Enabled" } - 1 { $_ConfigCIMode = "Audit mode" } - 2 { $_ConfigCIMode = "Enforced mode" } - default { $_ConfigCIMode = "Not Enabled" } - } - - if($_ConfigCIState -ge 1) - { - LogAndConsoleSuccess "$_ConfigCIRunning ($_ConfigCIMode)" - } - else - { - LogAndConsoleWarning "$_ConfigCIDisabled ($_ConfigCIMode)" - } -} - -function PrintHVCIDetails($_HVCIState) -{ - $_HvciRunning = "HVCI is enabled and running." - $_HvciDisabled = "HVCI is not running." - - if($_HVCIState) - { - LogAndConsoleSuccess $_HvciRunning - } - else - { - LogAndConsoleWarning $_HvciDisabled - } -} - -function PrintCGDetails ($_CGState) -{ - $_CGRunning = "Credential-Guard is enabled and running." - $_CGDisabled = "Credential-Guard is not running." - - if($_CGState) - { - LogAndConsoleSuccess $_CGRunning - } - else - { - LogAndConsoleWarning $_CGDisabled - } -} - -if(![IO.Directory]::Exists($path)) -{ - New-Item -ItemType directory -Path $path -} -else -{ - #Do Nothing!! -} - -function IsRedstone -{ - $_osVersion = [environment]::OSVersion.Version - Log $_osVersion - #Check if build Major is Windows 10 - if($_osVersion.Major -lt 10) - { - return 0 - } - #Check if the build is post Threshold2 (1511 release) => Redstone - if($_osVersion.Build -gt 10586) - { - return 1 - } - #default return False - return 0 -} - -function ExecuteCommandAndLog($_cmd) -{ - try - { - Log "Executing: $_cmd" - $CmdOutput = Invoke-Expression $_cmd | Out-String - Log "Output: $CmdOutput" - } - catch - { - Log "Exception while exectuing $_cmd" - Log $_.Exception.Message - } - - -} - -function PrintRebootWarning -{ - LogAndConsoleWarning "Please reboot the machine, for settings to be applied." -} - -function AutoRebootHelper -{ - if($AutoReboot) - { - LogAndConsole "PC will restart in 30 seconds" - ExecuteCommandAndLog 'shutdown /r /t 30' - } - else - { - PrintRebootWarning - } - -} - -function VerifierReset -{ - $verifier_state = verifier /query | Out-String - if(!$verifier_state.ToString().Contains("No drivers are currently verified.")) - { - ExecuteCommandAndLog 'verifier.exe /reset' - } - AutoRebootHelper -} - -function PrintHardwareReq -{ - LogAndConsole "###########################################################################" - LogAndConsole "OS and Hardware requirements for enabling Device Guard and Credential Guard" - LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and Enterprise IoT" - LogAndConsole " 2. Hardware: Recent hardware that supports virtualization extension with SLAT" - LogAndConsole "To learn more please visit: https://aka.ms/dgwhcr" - LogAndConsole "########################################################################### `n" -} - -function CheckDriverCompat -{ - $_HVCIState = CheckDGRunning(2) - if($_HVCIState) - { - LogAndConsoleWarning "HVCI is already enabled on this machine, driver compat list might not be complete." - LogAndConsoleWarning "Please disable HVCI and run the script again..." - } - $verifier_state = verifier /query | Out-String - if($verifier_state.ToString().Contains("No drivers are currently verified.")) - { - LogAndConsole "Enabling Driver verifier" - verifier.exe /flags 0x02000000 /all /bootmode oneboot /log.code_integrity - - LogAndConsole "Enabling Driver Verifier and Rebooting system" - Log $verifier_state - LogAndConsole "Please re-execute this script after reboot...." - if($AutoReboot) - { - LogAndConsole "PC will restart in 30 seconds" - ExecuteCommandAndLog 'shutdown /r /t 30' - } - else - { - LogAndConsole "Please reboot manually and run the script again...." - } - exit - } - else - { - LogAndConsole "Driver verifier already enabled" - Log $verifier_state - ListDrivers($verifier_state.Trim().ToLowerInvariant()) - } -} -function IsDomainController -{ - $_isDC = 0 - $CompConfig = Get-WmiObject Win32_ComputerSystem - foreach ($ObjItem in $CompConfig) - { - $Role = $ObjItem.DomainRole - Log "Role=$Role" - Switch ($Role) - { - 0 { Log "Standalone Workstation" } - 1 { Log "Member Workstation" } - 2 { Log "Standalone Server" } - 3 { Log "Member Server" } - 4 - { - Log "Backup Domain Controller" - $_isDC=1 - break - } - 5 - { - Log "Primary Domain Controller" - $_isDC=1 - break - } - default { Log "Unknown Domain Role" } - } - } - return $_isDC -} - -function CheckOSSKU -{ - $osname = $((Get-ComputerInfo).WindowsProductName).ToLower() - $_SKUSupported = 0 - Log "OSNAME:$osname" - $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server") - $HLKAllowed = @("windows 10 pro") - foreach ($SKUent in $SKUarray) - { - if($osname.ToString().Contains($SKUent.ToLower())) - { - $_SKUSupported = 1 - break - } - } - - # For running HLK tests only, professional SKU's are marked as supported. - if($HLK) - { - if($osname.ToString().Contains($HLKAllowed.ToLower())) - { - $_SKUSupported = 1 - } - } - $_isDomainController = IsDomainController - if($_SKUSupported) - { - LogAndConsoleSuccess "This PC edition is Supported for DeviceGuard"; - if(($_isDomainController -eq 1) -and !$HVCI -and !$DG) - { - LogAndConsoleError "This PC is configured as a Domain Controller, Credential Guard is not supported on DC." - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleError "This PC edition is Unsupported for Device Guard" - $DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 0 /f ' - } -} - -function CheckOSArchitecture -{ - $OSArch = $(Get-WmiObject win32_operatingsystem).OSArchitecture.ToLower() - Log $OSArch - if($OSArch -match ("^64\-?\s?bit")) - { - LogAndConsoleSuccess "64 bit architecture" - } - elseif($OSArch -match ("^32\-?\s?bit")) - { - LogAndConsoleError "32 bit architecture" - $DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null - } - else - { - LogAndConsoleError "Unknown architecture" - $DGVerifyCrit.AppendLine("Unknown OS, OS Architecture failure.") | Out-Null - } -} - -function CheckSecureBootState -{ - try { - $_secureBoot = Confirm-SecureBootUEFI - } - catch - { - $_secureBoot = $false - } - Log $_secureBoot - if($_secureBoot) - { - LogAndConsoleSuccess "Secure Boot is present" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureBoot" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleError "Secure Boot is absent / not enabled." - LogAndConsoleError "If Secure Boot is supported on the system, enable Secure Boot in the BIOS and run the script again." - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureBoot" /t REG_DWORD /d 0 /f ' - $DGVerifyCrit.AppendLine("Secure boot validation failed.") | Out-Null - } -} - -function CheckVirtualization -{ - $_vmmExtension = $(Get-WMIObject -Class Win32_processor).VMMonitorModeExtensions - $_vmFirmwareExtension = $(Get-WMIObject -Class Win32_processor).VirtualizationFirmwareEnabled - $_vmHyperVPresent = (Get-CimInstance -Class Win32_ComputerSystem).HypervisorPresent - Log "VMMonitorModeExtensions $_vmmExtension" - Log "VirtualizationFirmwareEnabled $_vmFirmwareExtension" - Log "HyperVisorPresent $_vmHyperVPresent" - - #success if either processor supports and enabled or if hyper-v is present - if(($_vmmExtension -and $_vmFirmwareExtension) -or $_vmHyperVPresent ) - { - LogAndConsoleSuccess "Virtualization firmware check passed" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "Virtualization" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleError "Virtualization firmware check failed." - LogAndConsoleError "If Virtualization extensions are supported on the system, enable hardware virtualization (Intel Virtualization Technology, Intel VT-x, Virtualization Extensions, or similar) in the BIOS and run the script again." - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "Virtualization" /t REG_DWORD /d 0 /f ' - $DGVerifyCrit.AppendLine("Virtualization firmware check failed.") | Out-Null - } -} - -function CheckTPM -{ - $TPMLockout = $(get-tpm).LockoutCount - - if($TPMLockout) - { - - if($TPMLockout.ToString().Contains("Not Supported for TPM 1.2")) - { - if($HLK) - { - LogAndConsoleSuccess "TPM 1.2 is present." - } - else - { - $WarningMsg = "TPM 1.2 is Present. TPM 2.0 is Preferred." - LogAndConsoleWarning $WarningMsg - $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null - } - } - else - { - LogAndConsoleSuccess "TPM 2.0 is present." - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "TPM" /t REG_DWORD /d 2 /f ' - } - else - { - $WarningMsg = "TPM is absent or not ready for use" - if($HLK) - { - LogAndConsoleError $WarningMsg - $DGVerifyCrit.AppendLine($WarningMsg) | Out-Null - } - else - { - LogAndConsoleWarning $WarningMsg - $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "TPM" /t REG_DWORD /d 0 /f ' - } -} - -function CheckSecureMOR -{ - $isSecureMOR = CheckDGFeatures(4) - Log "isSecureMOR= $isSecureMOR " - if($isSecureMOR -eq 1) - { - LogAndConsoleSuccess "Secure MOR is available" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureMOR" /t REG_DWORD /d 2 /f ' - } - else - { - $WarningMsg = "Secure MOR is absent" - if($HLK) - { - LogAndConsoleError $WarningMsg - $DGVerifyCrit.AppendLine($WarningMsg) | Out-Null - } - else - { - LogAndConsoleWarning $WarningMsg - $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureMOR" /t REG_DWORD /d 0 /f ' - } -} - -function CheckNXProtection -{ - $isNXProtected = CheckDGFeatures(5) - Log "isNXProtected= $isNXProtected " - if($isNXProtected -eq 1) - { - LogAndConsoleSuccess "NX Protector is available" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "UEFINX" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleWarning "NX Protector is absent" - $DGVerifyWarn.AppendLine("NX Protector is absent") | Out-Null - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "UEFINX" /t REG_DWORD /d 0 /f ' - } -} - -function CheckSMMProtection -{ - $isSMMMitigated = CheckDGFeatures(6) - Log "isSMMMitigated= $isSMMMitigated " - if($isSMMMitigated -eq 1) - { - LogAndConsoleSuccess "SMM Mitigation is available" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SMMProtections" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleWarning "SMM Mitigation is absent" - $DGVerifyWarn.AppendLine("SMM Mitigation is absent") | Out-Null - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SMMProtections" /t REG_DWORD /d 0 /f ' - } -} - -function CheckHSTI -{ - LogAndConsole "Copying HSTITest.dll" - try - { - $HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded) - [System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded) - - } - catch - { - LogAndConsole $_.Exception.Message - LogAndConsole "Copying and loading HSTITest.dll failed" - } - - Instantiate-Kernel32 - Instantiate-HSTI -} - -function PrintToolVersion -{ - LogAndConsole "" - LogAndConsole "###########################################################################" - LogAndConsole "" - LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard." - LogAndConsole "" - LogAndConsole "###########################################################################" - LogAndConsole "" - -} - -PrintToolVersion - -if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -and !($ResetVerifier)) -{ - #Print Usage if none of the options are specified - LogAndConsoleWarning "How to read the output:" - LogAndConsoleWarning "" - LogAndConsoleWarning " 1. Red Errors: Basic things are missing that will prevent enabling and using DG/CG" - LogAndConsoleWarning " 2. Yellow Warnings: This device can be used to enable and use DG/CG, but `n additional security benefits will be absent. To learn more please go through: https://aka.ms/dgwhcr" - LogAndConsoleWarning " 3. Green Messages: This device is fully compliant with DG/CG requirements`n" - - LogAndConsoleWarning "###########################################################################" - LogAndConsoleWarning "" - LogAndConsoleWarning "Hardware requirements for enabling Device Guard and Credential Guard" - LogAndConsoleWarning " 1. Hardware: Recent hardware that supports virtualization extension with SLAT" - LogAndConsoleWarning "" - LogAndConsoleWarning "########################################################################### `n" - - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable/Clear] -[DG/CG/HVCI] -[AutoReboot] -Path" - LogAndConsoleWarning "Log file with details is found here: C:\DGLogs `n" - - LogAndConsoleWarning "To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path `n" - - LogAndConsoleWarning "To Enable only HVCI" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable -HVCI `n" - - LogAndConsoleWarning "To Enable only CG" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable -CG `n" - - LogAndConsoleWarning "To Verify if DG/CG is enabled" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Ready `n" - - LogAndConsoleWarning "To Disable DG/CG." - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Disable `n" - - LogAndConsoleWarning "To Verify if DG/CG is disabled" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Ready `n" - - LogAndConsoleWarning "To Verify if this device is DG/CG Capable" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Capable`n" - - LogAndConsoleWarning "To Verify if this device is HVCI Capable" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Capable -HVCI`n" - - LogAndConsoleWarning "To Auto reboot with each option" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot`n" - LogAndConsoleWarning "###########################################################################" - LogAndConsoleWarning "" - LogAndConsoleWarning "When the Readiness Tool with '-capable' is run the following RegKey values are set:" - LogAndConsoleWarning "" - LogAndConsoleWarning "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" - LogAndConsoleWarning "CG_Capable" - LogAndConsoleWarning "DG_Capable" - LogAndConsoleWarning "HVCI_Capable" - LogAndConsoleWarning "" - LogAndConsoleWarning "Value 0 = not possible to enable DG/CG/HVCI on this device" - LogAndConsoleWarning "Value 1 = not fully compatible but has sufficient firmware/hardware/software features to enable DG/CG/HVCI" - LogAndConsoleWarning "Value 2 = fully compatible for DG/CG/HVCI" - LogAndConsoleWarning "" - LogAndConsoleWarning "########################################################################### `n" -} - -$user = [Security.Principal.WindowsIdentity]::GetCurrent(); -$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) - -if(!$TestForAdmin) -{ - LogAndConsoleError "This script requires local administrator privileges. Please execute this script as a local administrator." - exit -} - -$isRunningOnVM = (Get-WmiObject win32_computersystem).model -if($isRunningOnVM.Contains("Virtual")) -{ - LogAndConsoleWarning "Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization." -} - - -<# Check the DG status if enabled or disabled, meaning if the device is ready or not #> -if($Ready) -{ - PrintHardwareReq - - $DGRunning = $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning - $_ConfigCIState = $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard).CodeIntegrityPolicyEnforcementStatus - Log "Current DGRunning = $DGRunning, ConfigCI= $_ConfigCIState" - $_HVCIState = CheckDGRunning(2) - $_CGState = CheckDGRunning(1) - - if($HVCI) - { - Log "_HVCIState: $_HVCIState" - PrintHVCIDetails $_HVCIState - } - elseif($CG) - { - Log "_CGState: $_CGState" - PrintCGDetails $_CGState - - if($_CGState) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f' - } - else - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 0 /f' - } - } - elseif($DG) - { - Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" - - PrintHVCIDetails $_HVCIState - PrintConfigCIDetails $_ConfigCIState - - if($_ConfigCIState -and $_HVCIState) - { - LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running." - - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f' - } - else - { - LogAndConsoleWarning "Not all services are running." - - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f' - } - } - else - { - Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" - - PrintCGDetails $_CGState - PrintHVCIDetails $_HVCIState - PrintConfigCIDetails $_ConfigCIState - - if(($DGRunning.Length -ge 2) -and ($_CGState) -and ($_HVCIState) -and ($_ConfigCIState -ge 1)) - { - LogAndConsoleSuccess "HVCI, Credential Guard, and Config CI are enabled and running." - } - else - { - LogAndConsoleWarning "Not all services are running." - } - } -} - -<# Enable and Disable #> -if($Enable) -{ - PrintHardwareReq - - LogAndConsole "Enabling Device Guard and Credential Guard" - LogAndConsole "Setting RegKeys to enable DG/CG" - - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f' - #Only SecureBoot is required as part of RequirePlatformSecurityFeatures - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f' - - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f' - } - else - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f' - } - - if(!$HVCI -and !$DG) - { - # value is 2 for both Th2 and RS1 - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 2 /f' - } - if(!$CG) - { - if(!$_isRedstone) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f' - } - else - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f' - } - } - - try - { - if(!$HVCI -and !$CG) - { - if(!$SIPolicyPath) - { - Log "Writing Decoded SIPolicy.p7b" - $SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded) - [System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded) - } - else - { - LogAndConsole "Copying user provided SIpolicy.p7b" - $CmdOutput = Copy-Item $SIPolicyPath "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" | Out-String - Log $CmdOutput - } - } - } - catch - { - LogAndConsole "Writing SIPolicy.p7b file failed" - } - - LogAndConsole "Enabling Hyper-V and IOMMU" - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately" - #Enable/Disable IOMMU separately - ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart' - } - $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String - if(!$CmdOutput.Contains("The operation completed successfully.")) - { - $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Online /All /NoRestart | Out-String - } - - Log $CmdOutput - if($CmdOutput.Contains("The operation completed successfully.")) - { - LogAndConsoleSuccess "Enabling Hyper-V and IOMMU successful" - #Reg key for HLK validation of DISM.EXE step - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HyperVEnabled" /t REG_DWORD /d 1 /f' - } - else - { - LogAndConsoleWarning "Enabling Hyper-V failed please check the log file" - #Reg key for HLK validation of DISM.EXE step - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HyperVEnabled" /t REG_DWORD /d 0 /f' - } - AutoRebootHelper -} - -if($Disable) -{ - LogAndConsole "Disabling Device Guard and Credential Guard" - LogAndConsole "Deleting RegKeys to disable DG/CG" - - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f' - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f' - - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f' - } - else - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f' - } - - if(!$CG) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f' - if($_isRedstone) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f' - } - } - - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f' - } - - if(!$HVCI -and !$CG) - { - ExecuteCommandAndLog 'del "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"' - } - - if(!$HVCI -and !$DG -and !$CG) - { - LogAndConsole "Disabling Hyper-V and IOMMU" - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately" - #Enable/Disable IOMMU separately - ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart' - } - $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String - if(!$CmdOutput.Contains("The operation completed successfully.")) - { - $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Online /NoRestart | Out-String - } - Log $CmdOutput - if($CmdOutput.Contains("The operation completed successfully.")) - { - LogAndConsoleSuccess "Disabling Hyper-V and IOMMU successful" - } - else - { - LogAndConsoleWarning "Disabling Hyper-V failed please check the log file" - } - - #set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS - #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always - #this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS - $FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random - Log "FreeDrive=$FreeDrive" - ExecuteCommandAndLog 'mountvol $FreeDrive /s' - $CmdOutput = Copy-Item "$env:windir\System32\SecConfig.efi" $FreeDrive\EFI\Microsoft\Boot\SecConfig.efi -Force | Out-String - LogAndConsole $CmdOutput - ExecuteCommandAndLog 'bcdedit /create "{0cb3b571-2f2e-4343-a879-d86a476d7215}" /d DGOptOut /application osloader' - ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" path \EFI\Microsoft\Boot\SecConfig.efi' - ExecuteCommandAndLog 'bcdedit /set "{bootmgr}" bootsequence "{0cb3b571-2f2e-4343-a879-d86a476d7215}"' - ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" loadoptions DISABLE-LSA-ISO,DISABLE-VBS' - ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" device partition=$FreeDrive' - ExecuteCommandAndLog 'mountvol $FreeDrive /d' - #steps complete - - } - AutoRebootHelper -} - -if($Clear) -{ - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" /f' - VerifierReset -} - -if($ResetVerifier) -{ - VerifierReset -} - -<# Is machine Device Guard / Cred Guard Capable and Verify #> -if($Capable) -{ - PrintHardwareReq - - LogAndConsole "Checking if the device is DG/CG Capable" - - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - LogAndConsoleWarning "Capable is currently fully supported in Redstone only.." - } - $_StepCount = 1 - if(!$CG) - { - LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== " - $_StepCount++ - CheckDriverCompat - } - - LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== " - $_StepCount++ - CheckSecureBootState - - if(!$HVCI -and !$DG -and !$CG) - { - #check only if sub-options are absent - LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== " - $_StepCount++ - CheckHSTI - } - - LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== " - $_StepCount++ - CheckOSArchitecture - - LogAndConsole " ====================== Step $_StepCount Supported OS SKU ====================== " - $_StepCount++ - CheckOSSKU - - LogAndConsole " ====================== Step $_StepCount Virtualization Firmware ====================== " - $_StepCount++ - CheckVirtualization - - if(!$HVCI -and !$DG) - { - LogAndConsole " ====================== Step $_StepCount TPM version ====================== " - $_StepCount++ - CheckTPM - - LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== " - $_StepCount++ - CheckSecureMOR - } - - LogAndConsole " ====================== Step $_StepCount NX Protector ====================== " - $_StepCount++ - CheckNXProtection - - LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== " - $_StepCount++ - CheckSMMProtection - - LogAndConsole " ====================== End Check ====================== " - - LogAndConsole " ====================== Summary ====================== " - ListSummary - LogAndConsole "To learn more about required hardware and software please visit: https://aka.ms/dgwhcr" -} - - -# SIG # Begin signature block -## REPLACE -# SIG # End signature block - -``` From e5451d23867a89ce7908c3b2a4315b9d97e28a44 Mon Sep 17 00:00:00 2001 From: Sriraman M S <45987684+msbemba@users.noreply.github.com> Date: Thu, 16 Feb 2023 18:47:38 +0530 Subject: [PATCH 63/66] Update password-must-meet-complexity-requirements.md Updated to the most recent password policy link fixes#https://github.com/MicrosoftDocs/windows-itpro-docs/issues/11295 --- .../password-must-meet-complexity-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index c7b9c6ad9d..d6f73cfb32 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -112,4 +112,4 @@ The use of ALT key character combinations may greatly enhance the complexity of ## Related articles -- [Password Policy](password-policy.md) +- [Password Policy](/microsoft-365/admin/misc/password-policy-recommendations) From 1aa036c8361685dfbb7b4a4799e620c58246c62b Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 16 Feb 2023 13:12:43 -0500 Subject: [PATCH 64/66] Add tiers to client-management --- .../administrative-tools-in-windows-10.md | 4 ++- ...e-active-directory-integration-with-mdm.md | 18 ++++++------ .../connect-to-remote-aadj-pc.md | 18 ++++++------ .../device-update-management.md | 6 ++-- .../diagnose-mdm-failures-in-windows-10.md | 6 ++-- ...device-automatically-using-group-policy.md | 18 ++++++------ windows/client-management/index.yml | 1 + .../mandatory-user-profile.md | 8 ++++-- .../mdm-enrollment-of-windows-devices.md | 28 ++++++++++--------- windows/client-management/mdm-overview.md | 4 ++- .../mdm/configuration-service-provider-ddf.md | 4 ++- .../configuration-service-provider-support.md | 6 ++-- .../mdm/dynamicmanagement-csp.md | 6 ++-- windows/client-management/mdm/index.yml | 1 + .../mobile-device-enrollment.md | 6 ++-- windows/client-management/quick-assist.md | 4 ++- 16 files changed, 84 insertions(+), 54 deletions(-) diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index d5697e455b..095188a9ba 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -8,7 +8,9 @@ manager: aaroncz ms.localizationpriority: medium ms.date: 03/28/2022 ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-manage --- diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index f2c906993c..5cd9b9cbb6 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md @@ -1,14 +1,16 @@ --- title: Azure Active Directory integration with MDM description: Azure Active Directory is the world's largest enterprise cloud identity management service. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.date: 12/31/2017 --- @@ -46,7 +48,7 @@ Azure AD Join also enables company owned devices to be automatically enrolled in > [!IMPORTANT] > Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license. - + ### BYOD scenario Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If that’s the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted. @@ -70,7 +72,7 @@ Once a user has an Azure AD account added to Windows and enrolled in MDM, the en > [!NOTE] > Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. - + ### MDM endpoints involved in Azure AD–integrated enrollment Azure AD MDM enrollment is a two-step process: @@ -187,7 +189,7 @@ The following image show how MDM applications show up in the Azure app gallery. ### Add cloud-based MDM to the app gallery > [!NOTE] -> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application +> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application The following table shows the required information to create an entry in the Azure AD app gallery. @@ -200,7 +202,7 @@ The following table shows the required information to create an entry in the Azu |**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215| - + ### Add on-premises MDM to the app gallery There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant. @@ -232,7 +234,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is |--- |--- |--- |--- |--- | |FRX|OOBE|Dark theme + blue background color|Filename: Ui-dark.css|Filename: oobe-dekstop.css| |MOSET|Settings/Post OOBE|Light theme|Filename: Ui-light.css|Filename: settings-desktop.css| - + ## Terms of Use protocol semantics The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue. @@ -332,7 +334,7 @@ The following table shows the error codes. |Azure AD token validation failed|302|unauthorized_client|unauthorized_client| |internal service error|302|server_error|internal service error| - + ## Enrollment protocol with Azure AD With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments. diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 18fb8a5311..88a544e7d9 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -6,10 +6,12 @@ author: vinaypamnani-msft ms.localizationpriority: medium ms.author: vinpa ms.date: 01/18/2022 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-manage --- @@ -29,23 +31,23 @@ From its release, Windows 10 has supported remote connections to PCs joined to A ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported. -- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. -- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. +- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. +- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC. - On the PC you want to connect to: 1. Open system properties for the remote PC. - + 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. ![Allow remote connections to this computer.](images/allow-rdp.png) 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: - + - Adding users manually - + You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet: ```powershell net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" @@ -62,7 +64,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. - Adding users using policy - + Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). > [!TIP] diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md index 4964a3969d..4c730c626d 100644 --- a/windows/client-management/device-update-management.md +++ b/windows/client-management/device-update-management.md @@ -1,7 +1,7 @@ --- title: Mobile device management MDM for device updates description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 11/15/2017 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Mobile device management (MDM) for device updates diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/diagnose-mdm-failures-in-windows-10.md index 67b61ceb3c..1f8a9dd881 100644 --- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/diagnose-mdm-failures-in-windows-10.md @@ -1,7 +1,7 @@ --- title: Diagnose MDM failures in Windows 10 description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/25/2018 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Diagnose MDM failures in Windows 10 diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 80e253c59f..8bffb182d7 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -7,9 +7,11 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 04/30/2022 -ms.reviewer: +ms.reviewer: manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Enroll a Windows 10 device automatically using Group Policy @@ -188,19 +190,19 @@ Requirements: - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) - + - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) - + - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) - + - 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593) - + 2. Install the package on the Domain Controller. 3. Navigate, depending on the version to the folder: @@ -214,13 +216,13 @@ Requirements: - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** - + - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)** - + - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)** - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)** diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index ff469792d0..2338c37d24 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -11,6 +11,7 @@ metadata: ms.technology: itpro-manage ms.collection: - highpri + - tier2 author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 7cf55e0587..0771fcc433 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -5,10 +5,12 @@ ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa ms.date: 09/14/2021 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-manage --- @@ -51,7 +53,7 @@ First, you create a default user profile with the customizations that you want, 1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account. > [!NOTE] - > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. + > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. 1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index f5d5c1dc39..7023a7b517 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md @@ -1,17 +1,19 @@ --- title: MDM enrollment of Windows 10-based devices description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources. -MS-HAID: +MS-HAID: - 'p\_phdevicemgmt.enrollment\_ui' - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.date: 12/31/2017 --- @@ -35,7 +37,7 @@ Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Educatio > [!NOTE] > Mobile devices can't be connected to an Active Directory domain. -### Out-of-box-experience +### Out-of-box-experience Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain: @@ -90,7 +92,7 @@ There are a few instances where your device can't be connected to an Active Dire | You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | | Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - + ### Connect your device to an Azure AD domain (join Azure AD) @@ -167,9 +169,9 @@ There are a few instances where your device can't be connected to an Azure AD do | Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | | Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - -## Connect personally owned devices + +## Connect personally owned devices Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school. @@ -247,7 +249,7 @@ To create a local account and connect the device: ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) After you complete the flow, your device will be connected to your organization’s MDM. - + ### Help with connecting personally owned devices There are a few instances where your device may not be able to connect to work. @@ -260,7 +262,7 @@ There are a few instances where your device may not be able to connect to work. | You don’t have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | | We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | - + ## Connect your Windows 10-based device to work using a deep link @@ -283,13 +285,13 @@ The deep link used for connecting your device to work will always use the follow | ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | > [!NOTE] -> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. +> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. ### Connect to MDM using a deep link > [!NOTE] > Deep links only work with Internet Explorer or Microsoft Edge browsers. Examples of URI's that may be used to connect to MDM using a deep link: -> +> > - **ms-device-enrollment:?mode=mdm** > - **ms-device-enrollment:?mode=mdm&username=`someone@example.com`&servername=`https://example.server.com`** @@ -342,7 +344,7 @@ Starting in Windows 10, version 1709, selecting the **Info** button will show a ![work or school info.](images/unifiedenrollment-rs1-35-b.png) > [!NOTE] -> Starting in Windows 10, version 1709, the **Manage** button is no longer available. +> Starting in Windows 10, version 1709, the **Manage** button is no longer available. ### Disconnect @@ -363,7 +365,7 @@ Starting in Windows 10, version 1709, you can get the advanced diagnostic report ![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) - + diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index 8c630a325a..fd9f4c2321 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md @@ -9,7 +9,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Mobile Device Management overview diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md index b55b3ce963..c8fad72461 100644 --- a/windows/client-management/mdm/configuration-service-provider-ddf.md +++ b/windows/client-management/mdm/configuration-service-provider-ddf.md @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 09/18/2020 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Configuration service provider DDF files diff --git a/windows/client-management/mdm/configuration-service-provider-support.md b/windows/client-management/mdm/configuration-service-provider-support.md index 4afed5993c..80f903585c 100644 --- a/windows/client-management/mdm/configuration-service-provider-support.md +++ b/windows/client-management/mdm/configuration-service-provider-support.md @@ -1,7 +1,7 @@ --- title: Configuration service provider support description: Learn more about configuration service provider (CSP) supported scenarios. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 09/18/2020 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Configuration service provider support diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 241e6803a9..9bb47acd36 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -7,9 +7,11 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # DynamicManagement CSP diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index db2be7efaf..0ee82f54c2 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml @@ -11,6 +11,7 @@ metadata: ms.prod: windows-client ms.collection: - highpri + - tier2 ms.custom: intro-hub-or-landing author: vinaypamnani-msft ms.author: vinpa diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md index 93b93d3872..361556d8dd 100644 --- a/windows/client-management/mobile-device-enrollment.md +++ b/windows/client-management/mobile-device-enrollment.md @@ -1,7 +1,7 @@ --- title: Mobile device enrollment description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 08/11/2017 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Mobile device enrollment diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 475721a37f..adb471edb7 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -9,7 +9,9 @@ author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.reviewer: pmadrigal -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.date: 08/26/2022 --- From f0e97b04251fda5c844150a06050d8d8d2041bd2 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 16 Feb 2023 13:17:50 -0500 Subject: [PATCH 65/66] Change index.yml to tier1 --- windows/client-management/index.yml | 2 +- windows/client-management/mdm/index.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index 2338c37d24..d782edc5b3 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -11,7 +11,7 @@ metadata: ms.technology: itpro-manage ms.collection: - highpri - - tier2 + - tier1 author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index 0ee82f54c2..094b2b87da 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml @@ -11,7 +11,7 @@ metadata: ms.prod: windows-client ms.collection: - highpri - - tier2 + - tier1 ms.custom: intro-hub-or-landing author: vinaypamnani-msft ms.author: vinpa From 5c7c43ee8e53f624ea3acc3b8ba962071255dad3 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 16 Feb 2023 10:25:46 -0800 Subject: [PATCH 66/66] add drivers to intro --- windows/deployment/update/wufb-reports-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md index aa140f9778..13c5e19777 100644 --- a/windows/deployment/update/wufb-reports-overview.md +++ b/windows/deployment/update/wufb-reports-overview.md @@ -16,7 +16,7 @@ ms.technology: itpro-updates Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you: -- Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices +- Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices - Report on devices with update compliance issues - Analyze and display your data in multiple ways