diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 7ce8bd2724..be73736a92 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -52,6 +52,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |DRC INSIGHT Online Assessments |12.0.0.0 |Store |Data recognition Corporation| |Duo from Cisco |2.25.0 |Win32 |Cisco| |e-Speaking Voice and Speech recognition |4.4.0.8 |Win32 |e-speaking| +|eTests |4.0.25 |Win32 |CASAS| |FortiClient |7.0.1.0083 |Win32 |Fortinet| |Free NaturalReader |16.1.2 |Win32 |Natural Soft| |GoGuardian |1.4.4 |Win32 |GoGuardian| diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 98fff77da2..122ffdd4f1 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md 
@@ -31,7 +31,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 1. Download the FOD .cab file: - [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab) - - [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) + - [Windows 10, version 2004](https://software-static.download.prss.microsoft.com/pr/download/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) - [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab) - [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab) - [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index c860bb3992..117f142b92 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -13,6 +13,16 @@ ms.date: 06/26/2017 # CMPolicyEnterprise CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|No|No| +|Education|No|No| + The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request. > [!NOTE] 
@@ -20,9 +30,12 @@ The CMPolicyEnterprise configuration service provider is used by the enterprise Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies +Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies + + **Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. -**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. +**Default Policies**: Policies are applied in the order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. 
@@ -71,7 +84,8 @@ Specifies whether the list of connections is in preference order. A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. **Conn***XXX* -Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". + +Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three-digits, which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". **ConnectionID** Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter. @@ -89,7 +103,6 @@ For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. Th |Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}| |Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}| - For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available: @@ -132,7 +145,6 @@ Specifies the type of connection being referenced. The following list describes ## OMA client provisioning examples - Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. ```xml @@ -226,7 +238,6 @@ Adding a host-based mapping policy. In this example, the ConnectionId for type C ## OMA DM examples - Adding an application-based mapping policy: ```xml 
@@ -363,7 +374,6 @@ Adding a host-based mapping policy: ## Microsoft Custom Elements - |Element|Available| |--- |--- | |parm-query|Yes| @@ -372,7 +382,6 @@ Adding a host-based mapping policy: ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/config-lock.md b/windows/client-management/mdm/config-lock.md index ad3e957a90..a2167e456e 100644 --- a/windows/client-management/mdm/config-lock.md +++ b/windows/client-management/mdm/config-lock.md 
@@ -1,92 +1,90 @@ --- -title: Secured-Core Configuration Lock -description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration. +title: Secured-core configuration lock +description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. manager: dansimp ms.author: v-lsaldanha ms.topic: article ms.prod: w11 ms.technology: windows author: lovina-saldanha -ms.date: 03/14/2022 +ms.date: 05/24/2022 --- -# Secured-Core PC Configuration Lock +# Secured-core PC configuration lock **Applies to** -- Windows 11 +- Windows 11 -In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. +In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. 
Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. -Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC. +Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC. -To summarize, Config Lock: +To summarize, config lock: -- Enables IT to “lock” Secured-Core PC features when managed through MDM +- Enables IT to "lock" secured-core PC features when managed through MDM - Detects drift remediates within seconds -- DOES NOT prevent malicious attacks +- Doesn't prevent malicious attacks ## Configuration Flow -After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). +After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. 
If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). ## System Requirements -Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure). +Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure). -## Enabling Config Lock using Microsoft Intune +## Enabling config lock using Microsoft Intune -Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on. - -The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows: +Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on. -1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune. +The steps to turn on config lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows: + +1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune. 1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**. 1. Select the following and press **Create**: - **Platform**: Windows 10 and later - **Profile type**: Templates - **Template name**: Custom - :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates"::: + :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates."::: 1. Name your profile. -1. 
When you reach the Configuration Settings step, select “Add” and add the following information: +1. When you reach the Configuration Settings step, select "Add" and add the following information: - **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock - **Data type**: Integer - **Value**: 1
- To turn off Config Lock, change the value to 0. + To turn off config lock, change the value to 0. - :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of Config Lock, a Description of Turn on Config Lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1"::: + :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn on config lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1."::: -1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”. +1. Select the devices to turn on config lock. If you're using a test tenant, you can select "+ Add all devices". 1. You'll not need to set any applicability rules for test purposes. -1. Review the Configuration and select “Create” if everything is correct. -1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled. +1. Review the Configuration and select "Create" if everything is correct. +1. After the device syncs with the Microsoft Intune server, you can confirm if the config lock was successfully enabled. 
- :::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the Config Lock device configuration profile, showing one device has succeeded in having this profile applied"::: + :::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the config lock device configuration profile, showing one device has succeeded in having this profile applied."::: - :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the Config Lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending"::: + :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the config lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending."::: -## Configuring Secured-Core PC features +## Configuring secured-core PC features -Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enable/disable) SCPC features (for example Firmware protection) via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune. +Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune. + +:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. 
The setting is set to Off."::: -:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off"::: - ## FAQ -**Can an IT admins disable Config Lock ?**
- Yes. IT admins can use MDM to turn off Config Lock.
+- Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities. ### List of locked policies |**CSPs** | |-----| -|[BitLocker ](bitlocker-csp.md) | +|[BitLocker](bitlocker-csp.md) | |[PassportForWork](passportforwork-csp.md) | |[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) | -|[ApplicationControl](applicationcontrol-csp.md) - +|[ApplicationControl](applicationcontrol-csp.md) |**MDM policies** | **Supported by Group Policy** | |-----|-----| diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index e1fe7788d5..de2896f574 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -41,7 +41,6 @@ Package Full Name of the application that needs to be launched in the background ## SyncML examples - **Set StartupAppID** ```xml diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 2622105e41..d36c374ed3 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -14,6 +14,14 @@ ms.date: 02/22/2022 # Defender CSP +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + > [!WARNING] > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. 
@@ -354,7 +362,7 @@ Network Protection inspects DNS traffic that occurs over a UDP channel, to provi **EnableNetworkProtection/DisableHttpParsing** -Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". +Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". - Type: Boolean - Position: Named @@ -364,7 +372,7 @@ Network Protection inspects HTTP traffic to see if a connection is being made to **EnableNetworkProtection/DisableRdpParsing** -Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true". +Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true". - Type: Boolean - Position: Named 
@@ -374,7 +382,7 @@ Network Protection inspects RDP traffic so that it can block connections from kn **EnableNetworkProtection/DisableSshParsing** -Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true". +Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true". - Type: Boolean - Position: Named @@ -384,7 +392,7 @@ Network Protection inspects SSH traffic, so that it can block connections from k **EnableNetworkProtection/DisableTlsParsing** -Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". +Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". - Type: Boolean - Position: Named 
@@ -593,11 +601,13 @@ An interior node to group Windows Defender configuration information. Supported operation is Get. **Configuration/TamperProtection** + Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. + Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. -The data type is a Signed blob. +The data type is a Signed BLOB. Supported operations are Add, Delete, Get, Replace. @@ -609,7 +619,7 @@ Intune tamper protection setting UX supports three states: When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. **Configuration/DisableLocalAdminMerge**
-This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions. +This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusion list. If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings. @@ -629,6 +639,7 @@ Valid values are: - 0 (default) – Disable. **Configuration/HideExclusionsFromLocalAdmins**
+ This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled. If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell. @@ -638,22 +649,23 @@ If you enable this setting, Local Admins will no longer be able to see the exclu > [!NOTE] > Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. -Supported OS versions: Windows 10 +Supported OS versions: Windows 10 The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enable. - 0 (default) – Disable. **Configuration/DisableCpuThrottleOnIdleScans**
+ Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur. The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 (default) – Enable. @@ -664,7 +676,7 @@ Allow managed devices to update through metered connections. Data charges may ap The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enable. @@ -675,7 +687,7 @@ This settings controls whether Network Protection is allowed to be configured in The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enable. @@ -686,7 +698,7 @@ Allows an administrator to explicitly disable network packet inspection made by The data type is string. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. **Configuration/EnableFileHashComputation** Enables or disables file hash computation feature. @@ -694,7 +706,7 @@ When this feature is enabled, Windows Defender will compute hashes for files it The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enable. @@ -705,7 +717,7 @@ The support log location setting allows the administrator to specify where the M Data type is string. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Intune Support log location setting UX supports three states: 
@@ -713,7 +725,7 @@ Intune Support log location setting UX supports three states: - 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. - 0 - Disabled. Turns off the Support log location feature. -When enabled or disabled exists on the client and admin moves the setting to be configured not , it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. More details: @@ -737,7 +749,7 @@ If you disable or don't configure this policy, the device will stay up to date a The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 0: Not configured (Default) @@ -770,7 +782,7 @@ If you disable or don't configure this policy, the device will stay up to date a The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 0: Not configured (Default) @@ -795,7 +807,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid Values are: - 0: Not configured (Default) @@ -818,7 +830,7 @@ If you disable or don't configure this policy, the device will remain in Current The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enabled. 
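Review bot: In the manage-windows-mixed-reality.md hunk, only the Windows 10, version 2004 link is moved to the `software-static.download.prss.microsoft.com` host; the 21H2, 1903/1909 and 1809 entries in the same list still point at `software-download.microsoft.com`. If that host is being retired, the remaining links should be checked and migrated in the same change, because a dead FOD download link leaves WSUS-managed devices unable to install the feature. Separately, the unchanged 21H2 context line uses `amd_64` in the file name where every other entry uses `amd64`; worth confirming that URL still resolves.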
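Review bot: The applicability table added at `@@ -13,6 +16,16 @@` in cmpolicyenterprise-csp.md shows No for every edition of both Windows 10 and Windows 11, which tells the reader the CSP is unsupported everywhere without saying so. Add a one-line statement under the table naming the platform the CSP does apply to (the body text later refers to the phone's default behavior), so readers do not try to deploy it to desktop devices. Also, the lead-in `The table below shows the applicability of Windows:` used here is absent from the equivalent tables added to defender-csp.md and devdetail-csp.md in this same change; pick one convention.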
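Review bot: In the `@@ -20,9 +30,12 @@` hunk of cmpolicyenterprise-csp.md, the added paragraph `Each policy entry identifies one or more applications in combination with a host pattern...` is a verbatim duplicate of the unchanged paragraph immediately above it, followed by two extra blank lines; drop the added copy. The `in the order of their scope` wording change in the Default Policies line is fine.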
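Review bot: The rewritten Conn*XXX* description in the `@@ -71,7 +84,8 @@` hunk introduces two grammar errors: `three-digits` should not be hyphenated (`three digits`), and `a policy which applied to five connections` should be `a policy that applies to five connections`. The removed sentence was correct; keep the added blank line after the element name if that is the intended layout, but restore the wording.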
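Review bot: In config-lock.md, changing `DOES NOT prevent malicious attacks` to `Doesn't prevent malicious attacks` removes the emphasis that matters most on this page: config lock reverts registry keys changed by users with local admin rights (as the first paragraph says), so it is a drift-remediation control and not a security boundary against an attacker who already holds that same admin access. Keep the emphasis, or expand the bullet to say exactly that. Three smaller points in the same hunk: the bullet `Detects drift remediates within seconds` is missing a word on both sides of the diff (`Detects drift and remediates it within seconds`); the new FAQ answer mentions a `temporary unlock mode for helpdesk activities` that is described nowhere else in the file, so add the OMA-URI or steps for it, or a link to where it is documented; and the `[ApplicationControl](applicationcontrol-csp.md)` row in the CSP table still lacks the trailing `|` that the other three rows have.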
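Review bot: In the defender-csp.md DisableHttpParsing hunk (`@@ -354,7 +362,7 @@`) and the three hunks that follow for RDP, SSH and TLS parsing, the PowerShell parameter name `-EnableNetworkProtection` is replaced with the plain words `Enable Network Protection`, yet the surrounding text keeps PowerShell conventions (`"$true"`, `Type: Boolean`, `Position: Named`), so readers lose the name of the parameter they actually have to set. Prefer keeping `-EnableNetworkProtection` in code formatting. While here: the DisableSshParsing sentence is still broken on both sides of the diff (`...known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata...` should be one sentence with a comma after `hosts`, matching the HTTP and RDP entries), and the DisableTlsParsing entry ends with `HTTP inspection can be disabled` where `TLS inspection` is meant.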
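Review bot: In the DisableLocalAdminMerge hunk (`@@ -609,7 +619,7 @@`), `lists such as threats and exclusion list` reads worse than the removed `lists such as threats and exclusions`; revert it, or use `threat and exclusion lists`.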
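Review bot: The `@@ -638,22 +649,23 @@` hunk and those after it normalize the phrase to `Supported operations are Add, Delete, Get, and Replace.`, but the TamperProtection entry in the `@@ -593,11 +601,13 @@` hunk of the same file is left as `Supported operations are Add, Delete, Get, Replace.`; apply the same form there so the file is consistent. The `Supported OS versions: Windows 10` change in this hunk appears to touch only trailing whitespace.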
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index a0d6ae21ee..c19f5c83df 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -13,6 +13,15 @@ ms.date: 03/27/2020 # DevDetail CSP +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically. > [!NOTE] diff --git a/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png index 1e315bc4b1..d134a5fcb2 100644 Binary files a/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png and b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png differ diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 023ece8e40..4bbcf1f082 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -8360,6 +8360,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
Search/DisableRemovableDriveIndexing
+
+ Search/DisableSearch +
Search/DoNotUseWebResults
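Review bot: The new `Search/DisableSearch` entry is added to the policy index in policy-configuration-service-provider.md, but no policy-csp-search.md changes are in this diff; confirm that the target section for Search/DisableSearch (with its applicability table, scope and supported values) already exists on that page, otherwise the index entry points at nothing.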
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index 3599a3ce1a..ae91c0694e 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -28,15 +28,129 @@ manager: dansimp ## FileExplorer policies
+
+ FileExplorer/AllowOptionToShowNetwork +
+
+ FileExplorer/AllowOptionToShowThisPC +
FileExplorer/TurnOffDataExecutionPreventionForExplorer
FileExplorer/TurnOffHeapTerminationOnCorruption
+
+ FileExplorer/SetAllowedFolderLocations +
+
+ FileExplorer/SetAllowedStorageLocations +
+
+ + +**FileExplorer/AllowOptionToShowNetwork** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy allows the user with an option to show the network folder when restricted. + + + + +The following list shows the supported values: + +- 0 - Disabled +- 1 (default) - Enabled + + + + +ADMX Info: +- GP Friendly name: *Allow the user the option to show Network folder when restricted* +- GP name: *AllowOptionToShowNetwork* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + + +
+ + +**FileExplorer/AllowOptionToShowThisPC** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +This policy allows the user with an option to show this PC location when restricted. + + + + +The following list shows the supported values: + +- 0 - Disabled +- 1 (default) - Enabled + + + + +ADMX Info: +- GP Friendly name: *Allow the user the option to show Network folder when restricted* +- GP name: *AllowOptionToShowThisPC* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
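Review bot: The ADMX block for FileExplorer/AllowOptionToShowThisPC repeats the GP Friendly name of the Network policy (`Allow the user the option to show Network folder when restricted`) although its own description says it shows the This PC location; the friendly name should be the one for that policy. Also check the scope: AllowOptionToShowNetwork is marked Device while AllowOptionToShowThisPC is marked User, and the two policies are otherwise parallel, so one of them is probably wrong. Both descriptions read `This policy allows the user with an option to show...`; `gives the user the option to show...` is the intended grammar. Finally, the index list inserts the two AllowOption entries before TurnOffDataExecutionPreventionForExplorer and the two SetAllowed entries after TurnOffHeapTerminationOnCorruption, which breaks the alphabetical order the list otherwise follows.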
@@ -109,6 +223,8 @@ ADMX Info: Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. + + ADMX Info: - GP Friendly name: *Turn off heap termination on corruption* @@ -120,5 +236,114 @@ ADMX Info:
+ +**FileExplorer/SetAllowedFolderLocations** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + + +This policy configures the folders that the user can enumerate and access in the File Explorer. + + + + +The following list shows the supported values: + +- 0: All folders +- 15:Desktop, Documents, Pictures, and Downloads +- 31:Desktop, Documents, Pictures, Downloads, and Network +- 47:This PC (local drive), [Desktop, Documents, Pictures], and Downloads +- 63:This PC, [Desktop, Documents, Pictures], Downloads, and Network + + + + +ADMX Info: +- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer* +- GP name: *SetAllowedFolderLocations* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + + +
+ + +**FileExplorer/SetAllowedStorageLocations** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + + +This policy configures the folders that the user can enumerate and access in the File Explorer. + + + + +The following list shows the supported values: + +- 0: all storage locations +- 1: Removable Drives +- 2: Sync roots +- 3: Removable Drives, Sync roots, local drive + + + + +ADMX Info: +- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer* +- GP name: *SetAllowedStorageLocations* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + + +
+ diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index b56f078278..68fdb085a9 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - Search -
@@ -57,6 +56,9 @@ manager: dansimp
Search/DisableRemovableDriveIndexing
+
+ Search/DisableSearch +
Search/DoNotUseWebResults
@@ -629,6 +631,57 @@ The following list shows the supported values:
+ +**Search/DisableSearch** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures. + +It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box. + + + +ADMX Info: + +- GP Friendly name: *Fully disable Search UI* +- GP name: *DisableSearch* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + + +The following list shows the supported values: + +- 0 (default) – Do not disable search. +- 1 – Disable search. + + + + +
+ **Search/DoNotUseWebResults** @@ -761,7 +814,7 @@ The following list shows the supported values: -If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index.. +If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index fbc41ad17a..9985a58d5c 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -411,7 +411,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and Supported operations are Get and Replace. -If the policy isn't configured, end-users get the default behavior (Auto install and restart). +If the policy isn't configured, end-users get the default behavior (Auto download and install). 
@@ -426,13 +426,13 @@ ADMX Info: The following list shows the supported values: -- 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). -- 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. 
For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). -- 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. -- 5 - Turn off automatic updates. - +- 0: Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 1: Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. 
Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). +- 2: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). +- 3: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. This option is the same as `3`, but restricts end user controls on the settings page. +- 5: Turn off automatic updates. +- 6 (default): Updates automatically download and install at an optimal time determined by the device. 
Restart occurs outside of active hours until the deadline is reached, if configured. > [!IMPORTANT] > This option should be used only for systems under regulatory compliance, as you won't get security updates as well. diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 7efdff3ed4..00a7900ceb 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -13,6 +13,14 @@ ms.date: 09/12/2019 # SUPL CSP +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The SUPL configuration service provider is used to configure the location client, as shown in the following table: - **Location Service**: Connection type @@ -93,7 +101,7 @@ Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z **MCCMNCPairs** Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network don't match, the device uses the default location service and doesn't use SUPL. -This value is a string with the format "(X1, Y1)(X2, Y2)…(Xn, Yn)", in which `X` is an MCC and `Y` is an MNC. +This value is a string with the format `(X1, Y1)(X2, Y2)…(Xn, Yn)`, in which `X` is an MCC and `Y` is an MNC. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. @@ -109,7 +117,6 @@ Optional. Specifies the positioning method that the SUPL client will use for mob |4|OTDOA| |5|AFLT| -  The default is 0. The default method in Windows devices provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. 
@@ -117,7 +124,6 @@ The default is 0. The default method in Windows devices provides high-quality as > The Mobile Station Assisted, OTDOA, and AFLT positioning methods must only be configured for test purposes.   - For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. **LocMasterSwitchDependencyNII** @@ -132,7 +138,6 @@ This value manages the settings for both SUPL and v2 UPL. If a device is configu |Off|0|Yes| |Off|1|No (unless privacyOverride is set)| - When the location toggle is set to Off and this value is set to 1, the following application requests will fail: - `noNotificationNoVerification` @@ -237,7 +242,6 @@ The default is 0. The default method provides high-quality assisted GNSS positio > The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes.   - For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. **LocMasterSwitchDependencyNII** @@ -304,7 +308,6 @@ If a mobile operator requires the communication with the H-SLP to take place ove ## OMA Client Provisioning examples - Adding new configuration information for an H-SLP server for SUPL. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. ```xml 
@@ -329,7 +332,7 @@ Adding new configuration information for an H-SLP server for SUPL. Values in ita ``` -Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. +Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary BLOB must be included for the root certificate data value. ```xml @@ -360,7 +363,6 @@ Adding a SUPL and a V2 UPL account to the same device. Values in italic must be ## OMA DM examples - Adding a SUPL account to a device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. ```xml @@ -435,7 +437,6 @@ Adding a SUPL account to a device. Values in italic must be replaced with correc ## Microsoft Custom Elements - The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. |Elements|Available| diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index b84b96deb9..b8a2f1a14b 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -13,7 +13,7 @@ ms.date: 07/28/2017 # SurfaceHub CSP -The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. +The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511, and later. The following example shows the SurfaceHub CSP management objects in tree format. 
@@ -239,7 +239,7 @@ If there's an error calling ValidateAndCommit, there's another context for that | 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. | | 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. | | 5 | Saving account information | Unable to save account details to the system. | -| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Make sure the EAS policy is configured correctly according to the admin guide. | +| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Ensure the EAS policy is configured correctly according to the admin guide. | It performs the following: - The data type is integer. @@ -320,7 +320,7 @@ Invitations to collaborate from the Whiteboard app aren't allowed. **InBoxApps/Whiteboard/SigninDisabled** -Sign-in from the Whiteboard app aren't allowed. +Sign-ins from the Whiteboard app aren't allowed. - The data type is boolean. - Supported operation is Get and Replace. diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 0c7915fe7c..c4aa932cc0 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md 
@@ -13,10 +13,19 @@ manager: dansimp # TPMPolicy CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on) from Windows and inbox applications to public IP addresses, unless directly intended by the user. This definition allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. -The TPMPolicy CSP was added in Windows 10, version 1703. +The TPMPolicy CSP was added in Windows 10, version 1703, and later. The following example shows the TPMPolicy configuration service provider in tree format. ``` diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index 8a3a6d1f58..174bdb6025 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md 
@@ -13,8 +13,17 @@ manager: dansimp # UEFI CSP +The table below shows the applicability of Windows: -The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809. +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809c, and later. > [!NOTE] > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809). @@ -51,7 +60,7 @@ Uefi ``` The following list describes the characteristics and parameters. -**./Vendor/MSFT/Uefi** +**./Vendor/MSFT/UEFI** Root node. **DeviceIdentifier** @@ -80,7 +89,7 @@ Retrieves the binary result package of the previous Identity/Apply operation. Supported operation is Get. **Permissions** -Node for settings permission operations.. +Node for settings permission operations. **Permissions/Current** Retrieves XML from UEFI that describes the current UEFI settings permissions. diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index afc9eddd8d..a1c1bb229e 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md 
@@ -13,6 +13,15 @@ ms.date: 06/26/2017 # UnifiedWriteFilter CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type. @@ -314,7 +323,6 @@ Supported operations are Get and Execute. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index b8505eb687..0d5afdf9bf 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -13,6 +13,16 @@ ms.date: 02/23/2018 # Update CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The Update configuration service provider enables IT administrators to manage and control the rollout of new updates. > [!NOTE] @@ -61,7 +71,7 @@ The following example shows the Update configuration service provider in tree fo > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -

The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this presentation is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update. +

The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.

The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 8f685802c5..c94db55e4f 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -13,6 +13,15 @@ ms.date: 09/21/2021 # VPNv2 CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device. 
@@ -549,7 +558,7 @@ An optional flag to enable Always On mode. This flag will automatically connect Preserving user Always On preference -Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. +Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference. Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config` Value: AutoTriggerDisabledProfilesList @@ -695,7 +704,7 @@ Supported operations include Get, Add, Replace, and Delete. Reserved for future use. **VPNv2/**ProfileName**/NativeProfile** -Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP). +Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, and L2TP). **VPNv2/**ProfileName**/NativeProfile/Servers** Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index 032a13a12c..e932514ea9 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md 
@@ -13,6 +13,15 @@ ms.date: 06/26/2017 # w4 APPLICATION CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| Use an **APPLICATION** configuration service provider that has an APPID of w4 to configure Multimedia Messaging Service (MMS). @@ -46,7 +55,7 @@ This parameter takes a string value. The possible values to configure the NAME p - no value specified > [!NOTE] -> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. So after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc. +> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. Hence, after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc. If no value is specified, the registry location will default to ``. diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index a3147f4436..df011aac9a 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md 
@@ -13,11 +13,20 @@ ms.date: 06/26/2017 # w7 APPLICATION CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The APPLICATION configuration service provider that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it's managed over OMA Client Provisioning. -> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. - +> [!Note] +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. The following shows the configuration service provider in tree format as used by OMA Client Provisioning. @@ -50,11 +59,10 @@ APPLICATION ---SSLCLIENTCERTSEARCHCRITERIA ``` -> **Note**   All parm names and characteristic types are case sensitive and must use all uppercase. +> [!Note] +> All parameter names and characteristic types are case sensitive and must use all uppercase. Both APPSRV and CLIENT credentials must be provided in provisioning XML. -  - **APPADDR** This characteristic is used in the w7 APPLICATION characteristic to specify the DM server address. 
@@ -98,9 +106,9 @@ Optional. The AAUTHTYPE parameter of the APPAUTH characteristic is used to get o Valid values: -- BASIC - specifies that the SyncML DM 'syncml:auth-basic' authentication type. +- BASIC - specifies that the SyncML DM `syncml:auth-basic` authentication type. -- DIGEST - specifies that the SyncML DM 'syncml:auth-md5' authentication type. +- DIGEST - specifies that the SyncML DM `syncml:auth-md5` authentication type. - When AAUTHLEVEL is CLIENT, then AAUTHTYPE must be DIGEST. When AAUTHLEVEL is APPSRV, AAUTHTYPE can be BASIC or DIGEST. @@ -110,9 +118,8 @@ Required. The APPID parameter is used in the APPLICATION characteristic to diffe **BACKCOMPATRETRYDISABLED** Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION characteristic to specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr (not including the first time). -> **Note**   This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled. - -  +> [!Note] +> This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled. **CONNRETRYFREQ** Optional. The CONNRETRYFREQ parameter is used in the APPLICATION characteristic to specify how many retries the DM client performs when there are Connection Manager-level or WinInet-level errors. This parameter takes a numeric value in string format. The default value is “3”. You can set this parameter. 
@@ -129,11 +136,10 @@ The valid values are: **INIT** Optional. The INIT parameter is used in the APPLICATION characteristic to indicate that the management server wants the client to initiate a management session immediately after settings approval. If the current w7 APPLICATION document will be put in ROM, the INIT parameter must not be present. -> **Note**   This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario. +> [!Note] +> This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario. This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio isn't yet ready. -   - **INITIALBACKOFFTIME** Optional. The INITIALBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the initial wait time in milliseconds when the DM client retries for the first time. The wait time grows exponentially. This parameter takes a numeric value in string format. The default value is “16000”. You can get or set this parameter. @@ -179,9 +185,8 @@ The supported names are Subject and Stores; wildcard certificate search isn't su Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive. -> **Note**   %EF%80%80 is the UTF8-encoded character U+F000. - -  +> [!Note] +> `%EF%80%80` is the UTF8-encoded character U+F000. Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following syntax: 
@@ -192,15 +197,4 @@ Subject specifies the certificate to search for. For example, to specify that yo ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index d8143c1931..e06cafbb5e 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -8,7 +8,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 02/07/2022 +ms.date: 05/09/2022 --- # WindowsAutopilot CSP diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 4b065d5ae5..5b06d59cb3 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md 
@@ -1,29 +1,32 @@ --- title: Use Quick Assist to help users -description: How IT Pros can use Quick Assist to help users +description: How IT Pros can use Quick Assist to help users. ms.prod: w10 ms.topic: article author: aczechowski +ms.technology: windows ms.localizationpriority: medium +author: aczechowski ms.author: aaroncz manager: dougeby +ms.reviewer: pmadrigal ms.collection: highpri --- # Use Quick Assist to help users -Quick Assist is a Windows application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user’s device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. +Quick Assist is a Windows application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. ## Before you begin -All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn’t have to authenticate. +All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. > [!NOTE] > In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. 
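Review bot: the quick-assist.md front matter now declares `author: aczechowski` twice, once on the existing line before `ms.localizationpriority` and again on the added `+author: aczechowski` line after it. Duplicate YAML keys are at best silently collapsed and at worst rejected by the docs build; keep one. The rest of the hunk (curly-to-straight apostrophes, `ms.technology`, `ms.reviewer`) looks fine.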
### Authentication -The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time. +The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported. ### Network considerations 
@@ -31,18 +34,21 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis Both the helper and sharer must be able to reach these endpoints over port 443: -| Domain/Name | Description | -|-----------------------------------|-------------------------------------------------------| -| \*.support.services.microsoft.com | Primary endpoint used for Quick Assist application | -| \*.resources.lync.com | Required for the Skype framework used by Quick Assist | -| \*.infra.lync.com | Required for the Skype framework used by Quick Assist | -| \*.latest-swx.cdn.skype.com | Required for the Skype framework used by Quick Assist | -| \*.login.microsoftonline.com | Required for logging in to the application (MSA) | -| \*.channelwebsdks.azureedge.net | Used for chat services within Quick Assist | -| \*.aria.microsoft.com | Used for accessibility features within the app | -| \*.api.support.microsoft.com | API access for Quick Assist | -| \*.vortex.data.microsoft.com | Used for diagnostic data | -| \*.channelservices.microsoft.com | Required for chat services within Quick Assist | +| Domain/Name | Description | +|--|--| +| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application | +| `*.login.microsoftonline.com` | Required for logging in to the application (MSA) | +| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist | +| `*.aria.microsoft.com` | Used for accessibility features within the app | +| `*.api.support.microsoft.com` | API access for Quick Assist | +| `*.vortex.data.microsoft.com` | Used for diagnostic data | +| `*.channelservices.microsoft.com` | Required for chat services within Quick Assist | +| `*.skype.com` | Skype requests may vary based on geography. If connection issues persist, test this endpoint. | +| `*.remoteassistanceprodacs.communication.azure.com` | Azure Communication Services (ACS) technology the Quick Assist app uses. 
| +| `*.turn.azure.com` | Protocol used to help endpoint. | +| `browser.pipe.aria.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | +| `browser.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | +| `ic3.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | ## How it works @@ -72,9 +78,9 @@ Microsoft logs a small amount of session data to monitor the health of the Quick - Features used inside the app such as view only, annotation, and session pause -No logs are created on either the helper’s or sharer’s device. Microsoft cannot access a session or view any actions or keystrokes that occur in the session. +No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session. -The sharer sees only an abbreviated version of the helper’s name (first name, last initial) and no other information about them. Microsoft does not store any data about either the sharer or the helper for longer than three days. +The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days. In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. 
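Review bot: in the endpoint-table hunk, replacing the three specific rows (`*.resources.lync.com`, `*.infra.lync.com`, `*.latest-swx.cdn.skype.com`) with a single `*.skype.com` wildcard widens the egress allowlist that admins will copy into firewall rules, while its own description ("If connection issues persist, test this endpoint") reads as conditional rather than required. Either mark that row as optional/diagnostic or narrow it to the subdomains actually used. The `*.turn.azure.com` description "Protocol used to help endpoint." says nothing about what the endpoint is for; TURN is a media relay for NAT traversal, so say that and whether both helper and sharer need it. The `*.remoteassistanceprodacs.communication.azure.com` row also appears to have its closing `|` on the following line, which would break the Markdown table; confirm the row is a single line.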
@@ -82,8 +88,7 @@ In some scenarios, the helper does require the sharer to respond to application Either the support staff or a user can start a Quick Assist session. - -1. Support staff (“helper”) starts Quick Assist in any of a few ways: +1. Support staff ("helper") starts Quick Assist in any of a few ways: - Type *Quick Assist* in the search box and press ENTER. - From the Start menu, select **Windows Accessories**, and then select **Quick Assist**. @@ -93,15 +98,15 @@ Either the support staff or a user can start a Quick Assist session. 3. Helper shares the security code with the user over the phone or with a messaging system. -4. Quick Assist opens on the sharer’s device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**. +4. Quick Assist opens on the sharer's device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**. -5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After choosing, the helper selects **Continue**. +5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After they choose an option, the helper selects **Continue**. 6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button. ## If Quick Assist is missing -If for some reason a user doesn't have Quick Assist on their system or it's not working properly, they might need to uninstall and reinstall it. +If for some reason a user doesn't have Quick Assist on their system or it's not working properly, try to uninstall and reinstall it. ### Uninstall Quick Assist 
@@ -121,4 +126,4 @@ If for some reason a user doesn't have Quick Assist on their system or it's not ## Next steps -If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://www.microsoft.com/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0&rtc=1#activetab=pivot:overviewtab). +If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332). diff --git a/windows/deployment/do/images/imcc02.png b/windows/deployment/do/images/imcc02.png index 351dad7325..151fa69ed7 100644 Binary files a/windows/deployment/do/images/imcc02.png and b/windows/deployment/do/images/imcc02.png differ diff --git a/windows/deployment/do/images/imcc10.png b/windows/deployment/do/images/imcc10.png index e5da041358..53d2773ce6 100644 Binary files a/windows/deployment/do/images/imcc10.png and b/windows/deployment/do/images/imcc10.png differ diff --git a/windows/deployment/do/images/imcc11.png b/windows/deployment/do/images/imcc11.png index 9ffaac6072..bf45500aba 100644 Binary files a/windows/deployment/do/images/imcc11.png and b/windows/deployment/do/images/imcc11.png differ diff --git a/windows/deployment/do/images/imcc12.png b/windows/deployment/do/images/imcc12.png index fcb5d40a45..d776cb5913 100644 Binary files a/windows/deployment/do/images/imcc12.png and b/windows/deployment/do/images/imcc12.png differ diff --git a/windows/deployment/do/images/imcc13.png b/windows/deployment/do/images/imcc13.png index 3d2a566c8b..feee2d0e9c 100644 Binary files a/windows/deployment/do/images/imcc13.png and b/windows/deployment/do/images/imcc13.png differ 
diff --git a/windows/deployment/do/images/imcc14.png b/windows/deployment/do/images/imcc14.png index 627d496b4c..59dc405046 100644 Binary files a/windows/deployment/do/images/imcc14.png and b/windows/deployment/do/images/imcc14.png differ diff --git a/windows/deployment/do/images/imcc17.png b/windows/deployment/do/images/imcc17.png index ac6b5be124..f6b0ffcad7 100644 Binary files a/windows/deployment/do/images/imcc17.png and b/windows/deployment/do/images/imcc17.png differ diff --git a/windows/deployment/do/images/imcc18.png b/windows/deployment/do/images/imcc18.png index aa818361eb..5b89bfe31a 100644 Binary files a/windows/deployment/do/images/imcc18.png and b/windows/deployment/do/images/imcc18.png differ diff --git a/windows/deployment/do/images/imcc19.png b/windows/deployment/do/images/imcc19.png index 2a70b46b11..ead9d1c383 100644 Binary files a/windows/deployment/do/images/imcc19.png and b/windows/deployment/do/images/imcc19.png differ diff --git a/windows/deployment/do/images/imcc26.png b/windows/deployment/do/images/imcc26.png index c46a7e6363..b64e3849dc 100644 Binary files a/windows/deployment/do/images/imcc26.png and b/windows/deployment/do/images/imcc26.png differ diff --git a/windows/deployment/do/images/imcc27.png b/windows/deployment/do/images/imcc27.png index 01076b3ae5..c37713364f 100644 Binary files a/windows/deployment/do/images/imcc27.png and b/windows/deployment/do/images/imcc27.png differ diff --git a/windows/deployment/do/images/imcc28.png b/windows/deployment/do/images/imcc28.png index a7aa7eecd7..cc99b61638 100644 Binary files a/windows/deployment/do/images/imcc28.png and b/windows/deployment/do/images/imcc28.png differ diff --git a/windows/deployment/do/images/imcc29.png b/windows/deployment/do/images/imcc29.png deleted file mode 100644 index 2291487e5b..0000000000 Binary files a/windows/deployment/do/images/imcc29.png and /dev/null differ 
diff --git a/windows/deployment/do/images/imcc30.png b/windows/deployment/do/images/imcc30.png index 8cabce52c8..42301d5c4c 100644 Binary files a/windows/deployment/do/images/imcc30.png and b/windows/deployment/do/images/imcc30.png differ diff --git a/windows/deployment/do/images/imcc54.png b/windows/deployment/do/images/imcc54.png new file mode 100644 index 0000000000..c40ab0c5c9 Binary files /dev/null and b/windows/deployment/do/images/imcc54.png differ diff --git a/windows/deployment/do/images/imcc55.PNG b/windows/deployment/do/images/imcc55.PNG new file mode 100644 index 0000000000..2875d4d56e Binary files /dev/null and b/windows/deployment/do/images/imcc55.PNG differ diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index dd4a7afbbc..458c5af1b4 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md 
@@ -1,593 +1,740 @@ --- title: Microsoft Connected Cache for Internet Service Providers (ISPs) -manager: dougeby description: Details on Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs). -keywords: updates, downloads, network, bandwidth ms.prod: w10 -ms.mktglfcycl: deploy -audience: itpro -author: carmenf +ms.technology: windows ms.localizationpriority: medium -ms.author: carmenf +author: amymzhou +ms.author: aaroncz +ms.reviewer: carmenf +manager: dougeby ms.collection: M365-modern-desktop -ms.topic: article +ms.topic: how-to +ms.date: 05/20/2022 --- # Microsoft Connected Cache for Internet Service Providers (ISPs) -**Applies to** +_Applies to_ -- Windows 10 +- Windows 10 - Windows 11 ## Overview > [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many physical servers or VMs as needed, and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads. 
+Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads. -Microsoft Connected Cache is a Hybrid (mix of on-prem and cloud resources) solution composed of a Docker compatible Linux container deployed to your server and a cloud management portal. Microsoft chose Azure IoT Edge (more information on IoT Edge [in the appendix](#iot-edge-runtime)) as a secure and reliable control plane, and even though your scenario is not related to IoT, Azure IoT Edge is our secure Linux container deployment and management infrastructure. Azure IoT Edge consists of three components that the Microsoft Connected Cache infrastructure will utilize: - -1. A cloud-based interface that enables secure, remote installation, monitoring, and management of MCC nodes. -2. A runtime that securely manages the modules deployed to each device. -3. Modules/containers that run the MCC functionality on your device. +Microsoft Connected Cache is a hybrid application, in that it's a mix of on-premises and cloud resources. It's composed of a Docker-compatible Linux container deployed to your server and a cloud management portal. Microsoft chose Azure IoT Edge as a secure and reliable control plane. For more information on IoT Edge, see the [Appendix](#appendix). Even though your scenario isn't related to IoT, Azure IoT Edge is our secure Linux container deployment and management infrastructure. ## How MCC works -The following steps describe how MCC is provisioned and used. +:::image type="content" source="images/imcc01.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="images/imcc01.png"::: -1. The Azure Management Portal used to create and manage MCC nodes. -2. 
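Review bot: the rewritten overview drops the three-item list of what Azure IoT Edge provides (cloud interface, runtime, modules/containers) and changes the link target from `#iot-edge-runtime` to `#appendix`. Nothing in this diff shows an `## Appendix` heading or the list being reinstated there, so verify the anchor resolves and that the description of what actually runs on the operator's server survives somewhere; the sentence "Azure IoT Edge is our secure Linux container deployment and management infrastructure" is the only remaining description of the control plane.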
The MCC container is deployed and provisioned to the server. -3. The Azure Management Portal is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server by providing two pieces of information: - - The publicly accessible IPv4 address of the server hosting the MCC container. - - The CIDR blocks that represent the client IP address space, which should be routed to the MCC node. -4. Microsoft end-user devices periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node. -5. Microsoft end-user devices make the range requests for content from the MCC node. -6. An MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. -7. Subsequent requests from end-user devices for content will now come from cache. -8. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. +The following steps describe how MCC is provisioned and used: - ![MCC overview 1](images/imcc01.png) +1. The Azure Management Portal is used to create and manage MCC nodes. -## ISP Requirements for MCC +2. A shell script is used to provision the server and deploy the MCC application. -1. **Azure subscription**: The MCC management portal is hosted within Azure, and is used to create the Connected Cache Azure resource and IoT Hub resource. Both are free services. +3. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server. - Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. 
If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). + - The publicly accessible IPv4 address of the server is configured on the portal. - The resources used for the preview, and in the future when this product is ready for production, will be completely free to you - like other caching solutions. - - > [!NOTE] - > If you request Exchange or Public peering in the future, business email addresses must be used to register ASN's, because Microsoft does not accept gmail or other non-business email addresses. + - **Manual Routing:** Providing the CIDR blocks that represent the client IP address space, which should be routed to the MCC node. -2. **Hardware to host MCC**: The recommended configuration will serve approximately 35,000 consumer devices, downloading a 2GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. + - **BGP Routing:** A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the MCC node. + + > [!NOTE] + > Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error. + +4. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node. + +5. Microsoft clients make the range requests for content from the MCC node. + +6. A MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. + +7. Subsequent requests from end-user devices for content will be served from cache. + +8. 
If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers. + +## ISP requirements for MCC + +### Azure subscription + +The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are _free_ services. + +> [!NOTE] +> If you request Exchange or Public peering in the future, business email addresses must be used to register ASNs. Microsoft doesn't accept Gmail or other non-business email addresses. + +Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). _Don't submit a trial subscription_ as you'll lose access to your Azure resources after the trial period ends. + +The resources used for the preview, and in the future when this product is ready for production, will be free to you - like other caching solutions. + +> [!IMPORTANT] +> To join the Microsoft Connected Cache private preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). + +### Hardware to host the MCC + +This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC. + +#### Disk requirements -Disk requirements: - SSDs are recommended due to improved cache read speeds of SSD, compared to HDD. - Using multiple disks is recommended to improve cache performance. - RAID disk configurations are discouraged because cache performance will be impacted. If you're using RAID disk configurations, ensure striping. - The maximum number of disks supported is 10. 
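Review bot: in the "How MCC works" hunk, the `> [!NOTE] Only IPv4 addresses are supported at this time.` is nested under the BGP Routing sub-bullet but applies to the server IPv4 address and the manual CIDR entries as well; unnest it to the level of step 3. The BGP bullet also reads as contradictory ("A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the MCC node"); state plainly that both sides must configure each other as BGP neighbors. Grammar nit carried through the file: "A MCC node" in step 6 should be "An MCC node" (and likewise "Create a MCC node" later).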
-NIC requirements: -- Multiple NICs on a single MCC instance are not supported. -- 10Gbps NIC is the minimum speed recommended, but any NIC is supported. +#### NIC requirements + +- Multiple NICs on a single MCC instance are supported using a _link aggregated_ configuration. +- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. ### Sizing recommendations +The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. The following recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC. + | Component | Minimum | Recommended | | -- | --- | --- | | OS | Ubuntu 20.04 LTS VM or physical server | Ubuntu 20.04 LTS VM or physical server (preferred) | | NIC | 10 Gbps| at least 10 Gbps | -| Disk | SSD
1 drive
2TB each |SSD
2-4 drives
at least 2TB each | -| Memory | 8GB | 32GB or greater | +| Disk | SSD
1 drive
2 TB each |SSD
2-4 drives
at least 2 TB each | +| Memory | 8 GB | 32 GB or greater | | Cores | 4 | 8 or more | ## Steps to deploy MCC To deploy MCC: -1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id) +1. [Provide Microsoft with your Azure subscription ID](#provide-microsoft-with-your-azure-subscription-id) 2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) -3. [Create an MCC Node](#create-an-mcc-node-in-azure): IP address space approval information is required for this step. -4. [Edit Cache Node Information](#edit-cache-node-information) -5. [Set up your server](#set-up-a-server-with-sr-or-an-ubuntu) -6. [Install MCC on a physical server or VM](#install-mcc) -7. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server) -8. [Review the MCC summary report](#verify-server-side) -9. [Review common issues](#common-issues) if needed. +3. [Create a Cache Node](#create-a-mcc-node-in-azure) +4. [Configure Cache Node Routing](#edit-cache-node-information) +5. [Install MCC on a physical server or VM](#install-mcc) +6. [Verify properly functioning MCC server](#verify-properly-functioning-mcc-server) +7. [Review common issues if needed](#common-issues) -For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) +For questions regarding these instructions, contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com). -## Provide Microsoft with the Azure Subscription ID +## Provide Microsoft with your Azure subscription ID -As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. +As part of the MCC preview onboarding process, an Azure subscription ID must be provided to Microsoft. 
> [!IMPORTANT] -> [Contact Microsoft](mailto:mccforenterprise@microsoft.com?subject=[MCC%20for%20Enterprise]%20Please%20add%20our%20Azure%20subscription%20to%20the%20allow%20list) and provide your Azure subscription ID if you have not already. You'll not be able to proceed if you skip this step. +> If you haven't already, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). You can't continue if you skip this step. - -For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](#steps-to-obtain-an-azure-subscription-id). +For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](#steps-to-obtain-an-azure-subscription-id). ### Create the MCC resource in Azure -The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. +The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and cache nodes. -Send email to the MCC team ([msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)) with your Azure subscription ID to get access to the preview. The team will send you a link to the Azure portal, which will allow you to create the resource described below. +Operators who have been given access to the program will be sent a link to the Azure portal, which will allow you to create this resource. -1. Choose **Create a resource** +1. Choose **Create a resource**. - ![eMCC img02](images/imcc02.png) + :::image type="content" source="images/imcc02.png" alt-text="Select the option to 'Create a resource' in the Azure portal."::: -2. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results. +1. 
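Review bot: the sizing sentence "recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC" now appears twice, once under "Hardware to host the MCC" and again under "Sizing recommendations"; keep one. The NIC bullet flips from "Multiple NICs ... are not supported" to "supported using a _link aggregated_ configuration" without saying which aggregation modes were validated; add that or a pointer. In the "Steps to deploy MCC" list the link text no longer matches the anchors ("Create a Cache Node" -> `#create-a-mcc-node-in-azure`, "Configure Cache Node Routing" -> `#edit-cache-node-information`), and `#verify-properly-functioning-mcc-server` only resolves if that heading was renamed too, which this diff does not show. Finally, "Operators who have been given access to the program will be sent a link ... which will allow you to create this resource" mixes third and second person; pick one.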
Type **Microsoft Connected Cache** into the search box and press **Enter** to show the search results. -3. Select **Microsoft Connected Cache** and choose **Create** on the next screen to start the process of creating the MCC resource. +1. Select **Microsoft Connected Cache**. - ![iMCC img03](images/imcc03.png) - ![iMCC img04](images/imcc04.png) + :::image type="content" source="images/imcc03.png" alt-text="Search the Azure Marketplace for 'Microsoft Connected Cache'."::: -4. Fill in the required fields to create the MCC resource. + > [!IMPORTANT] + > Don't select _Connected Cache Resources_, which is different from **Microsoft Connected Cache**. - - Choose the subscription that you provided to Microsoft. - - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group. - - Choose **(US) West US**” for the location of the resource. This choice will not impact MCC if the physical location isn't in the West US, it is just a limitation of the preview. +1. Select **Create** on the next screen to start the process of creating the MCC resource. - > [!NOTE] - > Your MCC resource will not be created properly if you don't select **(US) West US** + :::image type="content" source="images/imcc04.png" alt-text="Select the option to Create the Microsoft Connected Cache service."::: - - Choose a name for the MCC resource. +1. Fill in the following required fields to create the MCC resource: - ![iMCC emg05](images/imcc05.png) + - Choose the **Subscription** that you provided to Microsoft. -5. Once all the information has been entered, click the **Review + Create** button. Once validation is complete, click the **Create** button to start the - resource creation. + - Azure resource groups are logical groups of resources. Create a new **Resource group** and choose a name for it. - ![iMCC img06](images/imcc06.png) + - Choose **(US) West US** for the **Location** of the resource. 
This choice won't impact MCC if the physical location isn't in the West US, it's just a limitation of the preview. -#### Error: Validation failed + > [!NOTE] + > Your MCC resource won't create properly if you don't select **(US) West US**. -- If you get a Validation failed error message on your portal, it is likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**. -- To resolve this error, go to the previous step and choose **(US) West US**. + - Specify a **Connected Cache Resource Name**. - ![iMCC img07](images/imcc07.png) + :::image type="content" source="images/imcc05.png" alt-text="Enter the required information to create a Connected Cache in Azure."::: -### Create an MCC node in Azure +1. Select **Review + Create**. Once validation is complete, select **Create** to start the resource creation. -Creating a MCC node is a multi-step process and the first step is to access the MCC private preview management portal. + :::image type="content" source="images/imcc06.png" alt-text="'Your deployment is complete' message displaying deployment details."::: -1. After the successful resource creation click on the **Go to resource**. -2. Under **Cache Node Management** section on the leftmost panel, click on **Cache Nodes**. +#### Common Resource Creation Errors - ![iMCC img08](images/imcc08.png) +##### Error: Validation failed -3. On the **Cache Nodes** blade, click on the **Create Cache Node** button. +If you get the error message "Validation failed" in the Azure portal, it's likely because you selected the **Location** as **US West 2** or another unsupported location. To resolve this error, go to the previous step and choose **(US) West US** for the **Location**. - ![iMCC img09](images/imcc09.png) +:::image type="content" source="images/imcc07.png" alt-text="'Validation failed' error message for Connected Cache in an unsupported location."::: -4. 
Clicking the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation. +##### Error: Could not create Marketplace item -| **Field Name** | **Expected Value** | **Description** | -|-------------------------------|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | -| **Server II Address** | Ipv4 Address | IP address of your MCC server. This is used to route end-user devices in your network to the server for Microsoft content downloads. **The IP address must be publicly accessible.** | -| **Address Range/CIDR Blocks** | IPv4 CIDR notation | IP Address range/CIDR blocks that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24 , 3.22.235.0/24 , 4.23.236.0/24 | -| **Enable Cache Node** | Enable/Disable Radio Button | **Enable** permits the cache node to receive content requests.
**Disable** prevents the cache node from receiving content requests.
Cache nodes are enabled by default. | +If you get the error message "Could not create marketplace item" in the Azure portal, use the following steps to troubleshoot: - ![iMCC img10](images/imcc10.png) +- Make sure that you've selected **Microsoft Connected Cache** and not _Connected Cache resources_ while trying to create a MCC resource. -Hovering your cursor next to each field will populate the details of that field. +- Make sure that you're using the same subscription that you provided to Microsoft and you have privileges to create an Azure resource. - ![iMCC img11](images/imcc11.png) +- If the issue persists, clear your browser cache and start in a new window. -There are two other read-only fields on this page that are populated after the cache node is created: +### Create a MCC node in Azure -| **Field Name** | **Description** | -|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **IP Space** | Number of IP addresses that will be routed to your cache server. | -| **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscripiton ID. | +1. After you successfully create the resource, select **Go to resource**. -5. Enter the information for the Cache Node and click on the Create button. In the screenshot below only the Cache Node Name is provided, but all information can be included if desired. +1. Under the **Cache Node Management** section in the left panel, select **Cache Nodes**. - ![iMCC img12](images/imcc12.png) + :::image type="content" source="images/imcc08.png" alt-text="The 'Cache Nodes' option in the Cache Node Management menu section."::: - If there are errors the form will provide guidance on how to correct the errors. For example: +1. On the **Cache Nodes** section, select **Create Cache Node**. 
- - The cache node name is in use in the resource or is an incorrect format. - - If the CIDR block notation or list is incorrect. - - The server IP address or CIDR block are already in use. + :::image type="content" source="images/imcc09.png" alt-text="Select the 'Create Cache Node' option."::: - See the following example with all information entered: +1. This action opens the **Create Cache Node** page. The only required fields are **Cache Node Name** and **Max Allowable Egress (Mbps)**. - ![iMCC img13](images/imcc13.png) + | Field name | Expected value | Description | + |--|--|--| + | **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | + | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. _The IP address must be publicly accessible._ | + | **Max Allowable Egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, `10,000` Mbps. | + | **Address Range/CIDR Blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: `2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24` | + | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests.
**Disable** prevents the cache node from receiving content requests.
Cache nodes are enabled by default. | - Once the MCC Node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this doc can be found at the [Install Connected Cache](#install-mcc) section. + :::image type="content" source="images/imcc10.png" alt-text="Available fields on the Create Cache Node page."::: - ![iMCC img14](images/imcc14.png) + > [!TIP] + > The information icon next to each field provides a description. + > + > :::image type="content" source="images/imcc11.png" alt-text="Create Cache Node page showing the description for the Server IP Address field."::: + + > [!NOTE] + > After you create the cache node, if you return to this page, it populates the values for the two read-only fields: + > + > | Field name | Description | + > |--|--| + > | **IP Space** | Number of IP addresses that will be routed to your cache server. | + > | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. | + +1. Enter the information to create the cache node, and then select **Create**. + + :::image type="content" source="images/imcc12.png" alt-text="Select 'Create' on the Create Cache Node page."::: + +If there are errors, the page gives you guidance on how to correct the errors. For example: + +- The cache node name is already in use in the resource or is an incorrect format. +- The CIDR block notation or list is incorrect. +- The server IP address or CIDR block is already in use. + +See the following example with all information entered: + +:::image type="content" source="images/imcc13.png" alt-text="Create Cache Node page with all information entered."::: + +Once you create the MCC node, it will display the installer instructions. For more information on the installer instructions, see the [Install Connected Cache](#install-mcc) section. 
+ +:::image type="content" source="images/imcc14.png" alt-text="Cache node successfully created with Connected Cache installer instructions."::: ### IP address space approval -There are three states for IP address space that are explained in the table below. The preview will require approval from Microsoft CIDR block ranges that contain more than 50,000 IP addresses. In the future, MCC configuration will support BGP and will therefore have automatic routing capabilities. +There are three states for IP address space. MCC configuration supports BGP and has automatic routing capabilities. -| **IP address space status** | **Description** | -|------------------------|------------------------------------| -| **Valid** | The IP address space is below the 50,000 IP address space threshold and the space does not overlap with existing cache nodes. | -| **In Review** | The IP address space exceeds the 50,000 IP address space and is under review with Microsoft to ensure valid IP address space. | -| **Attention Required** | The IP address space has been reviewed and an issue was discovered. Some examples include: IP address space overlap with existing cache node belonging to another customer. IP address space was exceedingly large. Contact Microsoft for more information if your IP address space has this status. | +- **Valid**: The IP address space is approved. -See the following example: +- **In Review**: The IP address space is under review with Microsoft to ensure valid IP address space. -![iMCC img15](images/imcc15.png) +- **Attention Required**: The IP address space has been reviewed and an issue was discovered. For example: -## Edit Cache Node Information + - The IP address space overlaps with an existing cache node that belongs to another customer -IP address or CIDR information can be modified for existing MCC nodes in the portal. + - The IP address space was exceedingly large. 
-To edit IP address or CIDR information, click on the Cache Node Name which will open the Cache Node Configuration page. Cache nodes can be deleted here by clicking the check box to the left of a Cache Node Name and then clicking the delete toolbar item. Be aware that if a cache node is deleted, there is no way to recover the cache node or any of the information related to the cache node. + If your IP address space has this status, contact Microsoft for more information. -![iMCC img16](images/imcc16.png) +:::image type="content" source="images/imcc15.png" alt-text="A list of cache node names with example IP address space statuses."::: -The Server IP Address, Address Range/CIDR Blocks, and Enable Cache Node are all editable as show below: +## Edit cache node information -![iMCC img17](images/imcc17.png) +:::image type="content" source="images/imcc16.png" alt-text="Cache Nodes list in the Azure portal."::: -## Set up a server with SR or an Ubuntu +To modify the configuration for existing MCC nodes in the portal, select the cache node name in the cache nodes list. This action opens the **Cache Node Configuration** page. You can edit the **Server IP Address** or **Address Range/CIDR Blocks** field. You can also enable or disable the cache node. -The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. As discussed earlier, the recommended configuration (details below) will serve approximately 35,000 consumer devices downloading a 2GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. 
+:::image type="content" source="images/imcc17.png" alt-text="Cache Node Configuration page, highlighting editable fields."::: -| | **Minimum** | **Recommended** | -|-------------|---------------------------------------------|----------------------------------------------------| -| **Server** | Ubuntu 20.04 LTS VM or physical server | Ubuntu 20.04 LTS VM or physical server (preferred) | -| **NIC** | 10 Gbps | 10 Gbps | -| **Disk** | SSD 1 – 2 drives minimum 2 TB each minimum | SSD 2 – 4 drives minimum 2 TB each minimum | -| **Memory** | 8 GB | 32 GB or more | -| **Cores** | 4 | 8 or more | +To delete a cache node, select it in the cache nodes list, and then select **Delete** in the toolbar. If you delete a cache node, there's no way to recover it or any of the information related to the cache node. ## Install MCC -Installing MCC on your physical server or VM is a straightforward process. A Bash script installer performs the following tasks: +To install MCC on your physical server or VM, you use a Bash script installer, which runs the following tasks: -- Azure IoT Edge relies on an OCI-compatible container runtime. The script - will install the Moby engine and CLI. -- Installs IoT Edge. -- Installs SSH to support remote access to the server -- Enables the firewall and opens port 80 for inbound and outbound traffic. Port 80 is used by MCC. -- Configures Connected Cache tuning settings. -- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge. -- Deploys the MCC container to server. +- Installs the Moby engine and CLI. +- Installs IoT Edge. +- Installs SSH to support remote access to the server. +- Enables the firewall and opens port 80 for inbound and outbound traffic. The MCC uses port 80. +- Configures Connected Cache tuning settings. +- Creates the necessary free Azure resource: IoT Hub/IoT Edge. +- Deploys the MCC container to the server. 
> [!IMPORTANT] -> Ensure that port 5000 is open so Microsoft can verify proper functioning of the cache server +> Make sure that the following ports are open so that Microsoft can verify proper functionality of the cache server: +> +> - 80: content delivery +> - 179: BGP session +> - 443: IoT Edge secure communication +> - 5000: (optional) used to view locally running report +> - 5671: IoT Edge communication/container management +> - 8883: IoT Edge communication/container management ### Steps to install MCC -1. Download and unzip mccinstaller.zip from the create cache node page or cache node configuration page which contains the necessary installation files. +Before you start, make sure that you have a data drive configured on your server. You'll need to specify the location for this cache drive during this process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk). - ![iMCC img18](images/imcc18.png) +1. From either **Create Cache Node** or **Cache Node Configuration** pages, select **Download Installer** to download the installer file. - Files contained in the mccinstaller.zip file: + :::image type="content" source="images/imcc18.png" alt-text="The Create Cache Node page highlighting the Download Installer action."::: - - **installmcc.sh** – main installer file. - - **installIotEdge.sh** – Installs the necessary prerequisites like IoT Edge runtime and Docker and makes necessary host OS settings to optimization caching performance. - - **resourceDeploymentForConnectedCache.sh** – Creates Azure cloud resources required to support MCC control plane. - - **mccdeployment.json** – Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container like cache drives location sizes. + Unzip the **mccinstaller.zip** file, which includes the following installation files and folders: -2. 
Copy all 4 installation files to your Linux server (physical or VM) + - Diagnostics folder: Used to create diagnostics support bundle. + - **installmcc.sh**: Main installer file. + - **installIotEdge.sh**: Installs the necessary prerequisites. For example, IoT Edge runtime and Docker. It also makes necessary host OS settings to optimize caching performance. + - **resourceDeploymentForConnectedCache.sh**: Creates Azure cloud resources required to support the MCC control plane. + - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container. It also configures settings on the container like cache drives location and sizes. + - **mccupdate.json** + - **packagever.txt** + - **uninstallmcc.sh**: Main uninstaller file. + - **updatemcc.sh**: Main update file. -3. Before proceeding, ensure that you have a data drive configured on your server. You'll need to specify the location for this cache drive on step 9. Mimimum size for the data drive is 100GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk) +1. Copy all files to your Linux server. -4. Open a terminal and change the access permissions to execute on the **installmcc.sh** Bash script file using chmod. +1. Open a terminal window. Change the access permissions to execute on the **installmcc.sh** Bash script file using `chmod`. ```bash sudo chmod +x installmcc.sh ``` -5. Copy the Bash script line provided and run the Bash script from the terminal. +1. In the Azure portal, in the Connected Cache installer instructions, copy the cache node installer Bash script command. Run the Bash script from the terminal. - ![iMCC img19](images/imcc19.png) + :::image type="content" source="images/imcc19.png" alt-text="Copy the cache node installer Bash script in the Connected Cache installer instructions."::: -6. You'll be prompted to sign in to the Azure Portal using a device code. +1. 
Sign in to the Azure portal with a device code. - ![iMCC img20](images/imcc20.png) + :::image type="content" source="images/imcc20.png" alt-text="Bash script prompt to sign in to the Azure portal with a device code."::: -7. You'll be prompted to enter the Azure Container Registry (ACR) password for access to the MCC container. +1. Specify the number of drives to configure. Use an integer value less than 10. - ![iMCC img21](images/imcc21.png) + :::image type="content" source="images/imcc22.png" alt-text="Bash script prompt to enter the number of cache drives to configure."::: -8. You'll then be prompted with the number of drives to configure. +1. Specify the location of the cache drives. For example, `/datadrive/` - ![iMCC img22](images/imcc22.png) + :::image type="content" source="images/imcc23.png" alt-text="Bash script prompt to enter the location for cache drive."::: -9. The script will prompt for location and size of the cache drives. + > [!IMPORTANT] + > The script changes the permission and ownership on the cache drive to **everyone** with the command `chmod 777`. + > + > Don't point the cache drive to any of the following locations: + > + > - `.` + > - `./var` + > - `/` + > - `` + > + > Specifying any of these will corrupt the OS, and you'll need to re-install the image again. - ![iMCC img23](images/imcc23.png) +1. Specify an integer value as the size in GB for each cache drive. The minimum is `100` GB. -> [!IMPORTANT] -> The permissions / ownerships on the cache drive location will be changed to everyone via chmod 777
-> **Don't** point the cache drive location to any of the following: “**.**”, “**./var**”, “**/**”, “**\**” + :::image type="content" source="images/imcc24.png" alt-text="Bash script prompt to enter the amount of space to allocate to the cache drive."::: -Specifying any of the directories mentioned above will corrupt the VM and you -will need to provision a new one. +1. Specify whether you have an existing IoT Hub. -![iMCC img24](images/imcc24.png) + - If this process is for your _first MCC deployment_, enter `n`. -1. If this is your first MCC deployment, select “n” when - prompted for an IoT Hub. If this is **not** your first MCC deployment, you - can use an existing IoT hub from your previous MCC installation. After - selecting “Y”, we will display your existing IoT Hubs, you can copy and - paste the resulting IoT Hub name to continue. + - If you already have a MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue. - ![iMCC img25](images/imcc25.png) + :::image type="content" source="images/imcc25.png" alt-text="Bash script output with steps for existing IoT Hub."::: -2. If there are no errors go to the next step. +1. If you want to configure BGP, enter `y`. If you want to use manual entered prefixes for routing, enter `n` and skip to Step 16. You can always configure BGP at a later time using the Update Script. - - If there are errors, inspect the installer logs which are under /etc/mccresourcecreation/. - - If there were follow the instructions to [Troubleshoot your IoT Edge device(/azure/iot-edge/troubleshoot). + 1. Enter the number of BGP neighbors you want to configure. + 1. Enter the IP address for the neighbor. + 1. Enter the ASN corresponding to that neighbor. This value should be the same ASN as the MCC -iBGP connection. + 1. Repeat these steps for each neighbor you need to configure. 
-## Verify Proper Functioning MCC Server + > [!NOTE] + > With the BGP configuration, you're essentially setting up an iBGP neighbor in your public ASN. For example, when you initiate the BGP session from the router to the cache node, you would use your own ASN. + +1. BGP is now configured from the MCC side. From your end, establish a neighborship from your router to MCC's host machine. Use the IP address of the host machine that's running the MCC container. + + 1. Make sure there aren't any firewall rules blocking this connection. + 1. Verify that the BGP connection has been established and that you're advertising routes to the MCC. + 1. Wait five minutes to refresh the cache node page in the Azure portal to see the BGP routes. + +1. Confirm the update is complete by running the following command. + + ```bash + sudo iotedge list + ``` + + Make sure MCC is running on the latest version. If you only see **edgeAgent** and **edgeHub**, wait five minutes and run this command again. + +1. Make sure MCC is reachable. Replace `` with the IP address of your MCC or localhost. + + ```bash + wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com + ``` + +1. After you successfully complete the update, go to the Azure portal. To check the routes being reported, select **Download JSON**. + +1. To start routing using BGP, change the **Prefix Source** from **Manually Entered** to **Use BGP**. + + :::image type="content" source="images/imcc55.PNG" alt-text="Cache node configuration with the Prefix Source set to Use BGP."::: + + +1. If there are no errors, go to the next section to verify the MCC server. + + If there are errors: + + - Inspect the installer logs, which are in the following path: `/etc/mccresourcecreation/` + + - For more information, see [Troubleshoot your IoT Edge device](/azure/iot-edge/troubleshoot). 
+ +## Verify properly functioning MCC server ### Verify client side -Sign in to the Connected Cache server or ssh and run the following command from a terminal to see the running modules (containers): +Sign in to the Connected Cache server or use SSH. Run the following command from a terminal to see the running modules (containers): ```bash -sudo iotedge list​ +sudo iotedge list ``` -![iMCC img26](images/imcc26.png) +:::image type="content" source="images/imcc26.png" alt-text="Terminal output of iotedge list command, showing the running containers."::: -If **edgeAgent** and **8edgeHub** containers are listed, but not “MCC”, you may view the status of the IoTEdge security manager using the command: +If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command: ```bash sudo journalctl -u iotedge -f ``` -For example, this command provides the current status of the starting, stopping of a container, or the container pull and start as is shown in the sample below: +For example, this command provides the current status of the starting and stopping of a container, or the container pull and start: -![iMCC img27](images/imcc27.png) +:::image type="content" source="images/imcc27.png" alt-text="Terminal output of journalctl command for iotedge."::: ### Verify server side It can take a few minutes for the container to deploy. -For a validation of properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace \ with the IP address of the cache server. +To validate a properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace `` with the IP address of the cache server. 
```bash wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com ``` -A successful test result will look like this: +The following screenshot shows a successful test result: -![iMCC img28](images/imcc28.png) +:::image type="content" source="images/imcc28.png" alt-text="Terminal output of successful test result with wget command to validate a MCC."::: -Similarly, enter the following URL into a web browser on the network: +Similarly, enter the following URL into a web browser on any device on the network: ```http http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com ``` -If the test fails, see the [common issues](#common-issues) section below for more information. +If the test fails, for more information, see the [common issues](#common-issues) section. ## Common Issues > [!NOTE] -> Consult the [IoT Edge troubleshooting guide](/azure/iot-edge/troubleshoot) for any issues you may encounter configuring IoT Edge. A few common issues are listed below. +> This section only lists common issues. For more information on additional issues you may encounter when configuring IoT Edge, see the [IoT Edge troubleshooting guide](/azure/iot-edge/troubleshoot). -Use the following command to check the IoT Edge Journal: +Use the following command to check the IoT Edge journal: ```bash -sudo journalctl -u iotedge –f +sudo journalctl -u iotedge -f ``` -## DNS needs to be configured +### DNS needs to be configured -Run the following IoT Edge setup/install state check: +Run the following IoT Edge install state check: ```bash sudo iotedge check --verbose ``` -If you see issues with ports 5671, 443, and 8883 similar to the screenshot below, it means that your IoT Edge device needs to update the DNS for Docker. +If you see issues with ports 5671, 443, and 8883, your IoT Edge device needs to update the DNS for Docker. 
-![iMCC img29](images/imcc29.png) +To configure the device to work with your DNS, use the following steps: -Follow the steps below to configure the device to work with your DNS: - -1. Use ifconfig to find appropriate NIC adapter name. +1. Use `ifconfig` to find the appropriate NIC adapter name. ```bash - ifconfig​ + ifconfig ``` -2. Run nmcli device show \ to show you the DNS name for Ethernet adapter. For example to show DNS - information for eno1: + +1. Run `nmcli device show ` to show the DNS name for the ethernet adapter. For example, to show DNS information for **eno1**: ```bash nmcli device show eno1 - ``` - - ![iMCC img30](images/imcc30.png) - -3. Open/create the Docker configuration file used to configure the DNS server - - ```bash - sudo nano /etc/docker/daemon.json​ ``` -4. Paste the following into the daemon.json file (In the example above IP4.DNS[1] is used) + :::image type="content" source="images/imcc30.png" alt-text="Sample output of nmcli command to show network adapter information."::: + +1. Open or create the Docker configuration file used to configure the DNS server. + + ```bash + sudo nano /etc/docker/daemon.json + ``` + +1. Paste the following string into the **daemon.json** file, and include the appropriate DNS server address. For example, in the previous screenshot, `IP4.DNS[1]` is `10.50.10.50`. ```bash { "dns": ["x.x.x.x"]} ``` -5. Save the file changes to daemon.json. **Note**: You might need to change permissions on this file. For example: + +1. Save the changes to daemon.json. If you need to change permissions on this file, use the following command: ```bash - sudo chmod 555 /etc/docker/daemon.json​ + sudo chmod 555 /etc/docker/daemon.json ``` -6. Restart Docker (to pick up the new DNS) and restart IoTEdge - +1. Restart Docker to pick up the new DNS setting. Then restart IoT Edge. 
+ ```bash - sudo systemctl restart dockersudo systemctl daemon-reloadsudo restart IoTEdge + sudo systemctl restart docker + sudo systemctl daemon-reload + sudo restart IoTEdge ``` -## Diagnostics Script +### Diagnostics script -If you're having issues with your MCC, we included a diagnostics script which will collect all your logs and zip them into a single file. You can then send us these logs via email for the MCC team to debug. +If you're having issues with your MCC, the installer file includes a diagnostics script. The script collects all logs and zips them into a single file. You can then email these logs to Microsoft. -To run this script: +To run the script: -1. Navigate to the following folder in the MCC installation files: +1. Navigate to the following folder in the MCC installation files: -**mccinstaller** \> **MccResourceInstall** \> **Diagnostics** + `mccinstaller > MccResourceInstall > Diagnostics` -2. Run the following commands: +1. Run the following commands: ```bash sudo chmod +x collectMccDiagnostics.sh sudo ./collectMccDiagnostics.sh ``` -3. The script stores all the debug files into a folder and the creates a tar file. After the script is finished running, it will output the path of the tar file that you can share with the MCC team. The file should be **/etc/mccdiagnostics/support_bundle_\$timestamp.tar.gz**. -4. [Email the MCC team](mailto:msconnectedcache@microsoft.com?subject=Debugging%20Support%20Request%20for%20MCC) and attach this tar file, asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process. +1. The script stores all the debug files into a folder and creates a tar file. After the script is finished running, it displays the path of the tar file that you can share with the MCC team. The file should be `/etc/mccdiagnostics/support_bundle_\$timestamp.tar.gz` + +1. 
[Email the MCC team](mailto:msconnectedcache@microsoft.com?subject=Debugging%20Support%20Request%20for%20MCC) and attach this tar file, asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during the debugging process. ## Updating your MCC -Throughout the private preview phase, we will send you security and feature updates for MCC. Please follow these steps to perform the update. +Throughout the private preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC. -Run the following commands with the **arguments** we provided in the email to update your MCC: +Run the following commands, replacing the variables with the values provided in the email to update your MCC: ```bash sudo chmod +x updatemcc.sh sudo chmod +x installIoTEdge.sh -sudo ./updatemcc.sh version="\<**VERSION**\>" tenantid="\<**TENANTID**\>" customerid="\<**CUSTOMERID**\>" cachenodeid="\<**CACHENODEID**\>" customerkey="\<**CUSTOMERKEY**\>" +sudo ./updatemcc.sh version="" tenantid="" customerid="" cachenodeid="" customerkey="" ``` For example: + ```bash -sudo ./updatemcc.sh version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.981" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99aa” +sudo ./updatemcc.sh version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.981" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99aa" ``` +### Configure BGP on an Existing MCC + +If you have a MCC that's already active and running, follow the steps below to configure BGP. + +1. Run the Update commands as described above. + +1. Sign in with your Azure credentials using the device code. 
+ +1. To finish configuring your MCC with BGP routing, continue from Step 10 of [Steps to Install MCC](#steps-to-install-mcc). + ## Uninstalling MCC -In the zip file, you'll find the file **uninstallmcc.sh** which uninstalls MCC and all the related components. Please contact the MCC Team before running this script and only run this script if you're facing issues with MCC installation. **Exercise caution before running this script as existing IoT workflows in this VM will also be erased.** +In the installer zip file, you'll find the file **uninstallmcc.sh**. This script uninstalls MCC and all the related components. Before you run this script, contact the MCC team. Only run it if you're facing issues with MCC installation. -The **uninstallmcc.sh** script will remove the following: +> [!WARNING] +> Be cautious before running this script. It will also erase existing IoT workflows in this VM. + +The **uninstallmcc.sh** script removes the following components: - IoT Edge - Edge Agent - Edge Hub - MCC - Moby CLI -- Moby Engine +- Moby engine -To run the script, enter the following commands: +To run the script, use the following commands: ```bash sudo chmod +x uninstallmcc.sh sudo ./uninstallmcc.sh ``` + ## Appendix -### Steps to obtain an Azure Subscription ID +### Steps to obtain an Azure subscription ID -1. Sign in to https://portal.azure.com/ and navigate to the Azure services section. -2. Click on **Subscriptions**. If you don't see **Subscriptions**, click on the **More Services** arrow and search for **Subscriptions**. -3. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. -4. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. -5. On the **Subscriptions** blade, you'll find details about your current subscription. Click on the subscription name. -6. 
After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Click on the **Copy to clipboard** icon next to your Subscription ID to copy the value. +1. Sign in to the [Azure portal](https://portal.azure.com/) and go to the **Azure services** section. -### Performance of MCC in Hypervisor environments +2. Select **Subscriptions**. If you don't see **Subscriptions**, select the **More Services** arrow and search for **Subscriptions**. -We have observed in hypervisor environments the cache server peak egress at around 1.1 Gbps. If you wish to maximize the egress in hypervisor environments it is critical to make two settings changes. +3. If you already have an Azure subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. -1. Enable **SR-IOV** in the BIOS AND enable **SR-IOV** in the NIC properties, and finally, enable **SR-IOV** in the hypervisors for the MCC VM. Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment. +4. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you won't be charged for using the MCC service. -2. Enable “high performance” in the BIOS as opposed to energy savings. Microsoft has found this setting nearly doubled egress a Microsoft Hyper-V deployment. +5. On the **Subscriptions** section, you'll find details about your current subscription. Select the subscription name. + +6. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. To copy the value, select the **Copy to clipboard** icon next to your subscription ID. + +### Performance of MCC in virtual environments + +In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change the following two settings: + +1. 
Enable **SR-IOV** in the following three locations: + + - The BIOS of the MCC VM + - The MCC VM's network card properties + - The hypervisor for the MCC VM + + Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment. + +2. Enable "high performance" in the BIOS instead of energy savings. Microsoft has found this setting nearly doubled egress in a Microsoft Hyper-V deployment. + +### Grant other users access to manage your MCC + +More users can be given access to manage Microsoft Connected Cache, even if they don't have an Azure account. Once you've created the first cache node in the portal, you can add other users as **Owners** of the Microsoft Connected Cache resource group and the Microsoft Connected Cache resource. + +For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the _MCC resource_ and _MCC resource group_. ### Setting up a VM on Windows Server You can use hardware that will natively run Ubuntu 20.04 LTS, or you can run an Ubuntu VM. The following steps describe how to set up a VM on Hyper-V. -1. Download the ISO. You can use either Ubuntu Desktop or Ubuntu Server. +1. Download the ISO. You can use either Ubuntu Desktop or Ubuntu Server. - 1. [Download Ubuntu Desktop](https://ubuntu.com/download/desktop) - 2. [Download Ubuntu Server](https://mirror.cs.jmu.edu/pub/ubuntu-iso/20.04.2/ubuntu-20.04.2-live-server-amd64.iso) + - [Download Ubuntu Desktop](https://ubuntu.com/download/desktop) + - [Download Ubuntu Server](https://mirror.cs.jmu.edu/pub/ubuntu-iso/20.04.2/ubuntu-20.04.2-live-server-amd64.iso) -2. Start the **New Virtual Machine Wizard**, give your VM a name, and choose a location. - - ![iMCC img31](images/imcc31.png) - ![iMCC img32](images/imcc32.png) +1. Start the **New Virtual Machine Wizard** in Hyper-V. -3. 
Choose a **Generation 2** VM, and specify the startup memory. You can't change the VM generation 2 later. - - ![iMCC img33](images/imcc33.png) - ![iMCC img34](images/imcc34.png) + :::image type="content" source="images/imcc31.png" alt-text="The Before You Begin page of the Hyper-V New Virtual Machine Wizard."::: -4. Choose the network adapter. - - ![iMCC img35](images/imcc35.png) +1. Specify a name and choose a location. -5. Set the virtual hard disk parameters. You should specify enough space for the OS and the content that will be cached. That example below allocates one terabyte. - - ![iMCC img36](images/imcc36.png) + :::image type="content" source="images/imcc32.png" alt-text="The Specify Name and Location page of the Hyper-V New Virtual Machine Wizard."::: -6. Install from the ISO for Ubuntu 20.04 LTS that you downloaded. - - ![iMCC img37](images/imcc37.png) +1. Select **Generation 2**. You can't change this setting later. -7. Finish the creation of the Ubuntu VM. - - ![iMCC img38](images/imcc38.png) + :::image type="content" source="images/imcc33.png" alt-text="The Specify Generation page of the Hyper-V New Virtual Machine Wizard."::: -8. Before you start the Ubuntu VM make sure secure boot is **disabled** and that you have allocated multiple cores to the VM. The example below has allocated 12, but your configuration may vary. - - ![iMCC img39](images/imcc39.png) - ![iMCC img40](images/imcc40.png) - ![iMCC img41](images/imcc41.png) +1. Specify the startup memory. -9. Start the VM and choose the option that will Install Ubuntu. Choose your default language. - - ![iMCC img42](images/imcc42.png) - ![iMCC img43](images/imcc43.png) + :::image type="content" source="images/imcc34.png" alt-text="The Assign Memory page of the Hyper-V New Virtual Machine Wizard."::: -10. Choose the options you wish for installing updates and third party hardware. In the example below, we have chosen to download updates and install - third party software drivers. 
- - ![iMCC img44](images/imcc44.png) +1. Choose the network adapter connection. -11. If you had a previous version of Ubuntu installed, we recommend erasing and installing Ubuntu 16.04. Choose your time zone, and keyboard layout. - - ![iMCC img45](images/imcc45.png) - ![iMCC img46](images/imcc46.png) - ![iMCC img47](images/imcc47.png) - ![iMCC img48](images/imcc48.png) + :::image type="content" source="images/imcc35.png" alt-text="The Configure Networking page of the Hyper-V New Virtual Machine Wizard."::: -12. Choose your username, a name for your computer, and a password. Remember, everything is case sensitive in Linux. You'll be asked to reboot in order to complete the installation. - - ![iMCC img49](images/imcc49.png) - ![iMCC img50](images/imcc50.png) +1. Set the virtual hard disk parameters. You should specify enough space for the OS and the content that will be cached. For example, `1024` GB is 1 terabyte. -13. **Important**: When prompted with the option to upgrade, decline. + :::image type="content" source="images/imcc36.png" alt-text="The Connect Virtual Hard Disk page of the Hyper-V New Virtual Machine Wizard."::: - ![iMCC img51](images/imcc51.png) - ![iMCC img52](images/imcc52.png) +1. Select **Install an OS from a bootable image file** and browse to the ISO for Ubuntu 20.04 LTS that you previously downloaded. -Your Ubuntu VM should now be ready to [Install MCC](#install-mcc). + :::image type="content" source="images/imcc37.png" alt-text="The Installation Options page of the Hyper-V New Virtual Machine Wizard."::: + +1. Review the settings and select **Finish** to create the Ubuntu VM. + + :::image type="content" source="images/imcc38.png" alt-text="Completing the New Virtual Machine Wizard on Hyper-V."::: + +1. Before you start the Ubuntu VM, disable **Secure Boot** and allocate multiple cores to the VM. + + 1. In Hyper-V Manager, open the **Settings** for the VM. 
+ + :::image type="content" source="images/imcc39.png" alt-text="Open Settings for a VM in Hyper-V Manager."::: + + 1. Select **Security**. Disable the option to **Enable Secure Boot**. + + :::image type="content" source="images/imcc40.png" alt-text="Security page of VM settings in Hyper-V Manager."::: + + 1. Select **Processor**. Increase the number of virtual processors. This example shows `12`, but your configuration may vary. + + :::image type="content" source="images/imcc41.png" alt-text="Processor page of VM settings in Hyper-V Manager."::: + +1. Start the VM and select **Install Ubuntu**. + + :::image type="content" source="images/imcc42.png" alt-text="GNU GRUB screen, select Install Ubuntu."::: + +1. Choose your default language. + + :::image type="content" source="images/imcc43.png" alt-text="Ubuntu install, Welcome page, select language."::: + +1. Choose the options for installing updates and third party hardware. For example, download updates and install third party software drivers. + +1. Select **Erase disk and install Ubuntu**. If you had a previous version of Ubuntu installed, we recommend erasing and installing Ubuntu 16.04. + + :::image type="content" source="images/imcc45.png" alt-text="Ubuntu install, Installation type page, Erase disk and install Ubuntu."::: + + Review the warning about writing changes to disk, and select **Continue**. + + :::image type="content" source="images/imcc46.png" alt-text="Ubuntu install, 'Write the changes to disks' warning."::: + +1. Choose the time zone. + + :::image type="content" source="images/imcc47.png" alt-text="Ubuntu install, 'Where are you page' to specify time zone."::: + +1. Choose the keyboard layout. + + :::image type="content" source="images/imcc48.png" alt-text="Ubuntu install, Keyboard layout page."::: + +1. Specify your name, a name for the computer, a username, and a strong password. Select the option to **Require my password to log in**. + + > [!TIP] + > Everything is case sensitive in Linux. 
+ + :::image type="content" source="images/imcc50.png" alt-text="Ubuntu install, 'Who are you' screen."::: + +1. To complete the installation, select **Restart now**. + + :::image type="content" source="images/imcc51.png" alt-text="Ubuntu install, installation complete, restart now."::: + +1. After the computer restarts, sign in with the username and password. + + > [!IMPORTANT] + > If it shows that an upgrade is available, select **Don't upgrade**. + > + > :::image type="content" source="images/imcc52.png" alt-text="Ubuntu install, Upgrade Available prompt, Don't Upgrade."::: + +Your Ubuntu VM is now ready to [Install MCC](#install-mcc). ### IoT Edge runtime -The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. The runtime sits on the IoT Edge device, and performs management and communication operations. The runtime performs several functions: +The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. The runtime sits on the IoT Edge device, and does management and communication operations. The runtime does the following functions: -- Installs and update workloads (Docker containers) on the device. -- Maintains Azure IoT Edge security standards on the device. -- Ensures that IoT Edge modules (Docker containers) are always running. -- Reports module (Docker containers) health to the cloud for remote - monitoring. -- Manages communication between an IoT Edge device and the cloud. +- Installs and updates workloads (Docker containers) on the device. +- Maintains Azure IoT Edge security standards on the device. +- Makes sure that IoT Edge modules (Docker containers) are always running. +- Reports module (Docker containers) health to the cloud for remote monitoring. +- Manages communication between an IoT Edge device and the cloud. -For more information on Azure IoT Edge, please see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). 
+For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). -## Also see +## Related articles + +[Microsoft Connected Cache for enterprise and education](mcc-enterprise.md) -[Microsoft Connected Cache for Enterprise and Education](mcc-enterprise.md)
[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index febbb80275..af0aa65af5 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -40,7 +40,7 @@ The features described below are no longer being actively developed, and might b | Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 | | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | -| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
 
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 | +| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
 
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web.
 
PSR was removed in Windows 11.| 1909 | | XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 | | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 | | Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 | diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 66754be796..db7379ba1f 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md 
@@ -485,8 +485,8 @@ Any user accessing the system through Terminal Services has the Terminal Server | Attribute | Value | | :--: | :--: | -| Well-Known SID/RID | | -|Object Class| | +| Well-Known SID/RID | S-1-5-90 | +|Object Class| Foreign Security Principal| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
| diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index f5c9ad4cbf..a5041cd575 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -26,6 +26,7 @@ ms.custom: - Windows 11 - Windows Server 2016 - Windows Server 2019 +- Windows Server 2022 ## Enable Windows Defender Credential Guard @@ -204,9 +205,7 @@ DG_Readiness_Tool_v3.6.ps1 -Ready - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - - - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**. + - You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs → Microsoft → Windows → Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you are running with a TPM, the TPM PCR mask value will be something other than 0. - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command: 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 3843fecaa8..b964f460e9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -44,6 +44,9 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account and click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. +> [!NOTE] +> If your Active Directory forest has multiple domains, your ADConnect accounts need to be members of the **Enterprise Key Admins** group. This membership is needed to write the keys to other domain users. + ### Section Review > [!div class="checklist"] @@ -63,4 +66,4 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index f54986956f..2bfe923e1c 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -265,7 +265,7 @@ The account options on a user account includes an option -- **Smart card is requ **SCRIL setting for a user on Active Directory Users and Computers.** When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: -- the do not know their password. +- they do not know their password. - their password is 128 random bits of data and is likely to include non-typable characters. - the user is not asked to change their password - domain controllers do not allow passwords for interactive authentication diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md index f5f495064d..a7b6b17446 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md @@ -12,7 +12,6 @@ manager: kaushika audience: ITPro ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting -ms.date: 10/7/2019 ms.custom: bitlocker --- @@ -36,7 +35,11 @@ You can use the following steps on computers that have either x64 or x32 UEFI sy 1. Open an elevated Command Prompt window and run the following command: ```cmd - manage-bde protectors get + manage-bde -protectors -get + ``` + + ```cmd + manage-bde -protectors -get C: ``` where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive. 
@@ -86,4 +89,4 @@ For more information about DHCP and BitLocker Network Unlock, see [BitLocker: Ho ### Resolution -To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**. \ No newline at end of file +To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**. diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index aa92e85a9c..cb4136a227 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml 
@@ -17,45 +17,10 @@ metadata: ms.topic: faq ms.date: 11/10/2021 ms.technology: mde + title: Advanced security auditing FAQ -summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - - - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) - - - [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) - - - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-) - - - [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-) - - - [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-) - - - [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-) - - - [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-) - - - [What is the difference between success and failure events? 
Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-) - - - [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-) - - - [How do I ascertain the purpose for accessing a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-) - - - [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-) - - - [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-) - - - [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-) - - - [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-) - - - [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-) - - - [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-) - - - [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-) - +summary: This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. sections: - name: Ignored diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 1b9d67ff10..eaaf841ead 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -14,12 +14,18 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 04/30/2022 +ms.date: 05/09/2022 ms.technology: windows-sec --- # Understanding Application Control events +**Applies to** + +- Windows 10 +- Windows 11 +- Windows Server 2016 and later (limited events) + A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: - Events about WDAC policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational** diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md index 8024e0f03b..c48dac6be9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md @@ -15,7 +15,6 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.topic: conceptual -ms.date: 10/14/2020 ms.technology: windows-sec --- 
@@ -30,26 +29,26 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -The Windows Defender Application Control (WDAC) policy Wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical. +The Windows Defender Application Control (WDAC) policy wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. The wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the wizard and PowerShell cmdlets is identical. ## Downloading the application -The WDAC Wizard can be downloaded from the official [Wizard installer website](https://bit.ly/3koHwYs) as an MSIX packaged application. The Wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit). +The WDAC wizard can be downloaded from the official [WDAC Wizard installer website](https://webapp-wdac-wizard.azurewebsites.net) as an MSIX packaged application. The wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit). 
**Supported Clients** -As the WDAC Wizard uses the cmdlets in the background, the Wizard is functional on clients only where the cmdlets are supported as outlined in [WDAC feature availability](feature-availability.md). Specifically, the tool will verify that the client meets one of the following requirements: +As the WDAC wizard uses the cmdlets in the background, the wizard is functional on clients only where the cmdlets are supported as outlined in [WDAC feature availability](feature-availability.md). Specifically, the tool will verify that the client meets one of the following requirements: - Windows builds 1909+ - For pre-1909 builds, the Enterprise SKU of Windows is installed -If neither requirement is satisfied, the Wizard will throw an error as the cmdlets are not available. +If neither requirement is satisfied, the wizard will throw an error as the cmdlets are not available. -## In this section +## Resources to learn more | Topic | Description | | - | - | | [Creating a new base policy](wdac-wizard-create-base-policy.md) | This article describes how to create a new base policy using one of the supplied policy templates. | | [Creating a new supplemental policy](wdac-wizard-create-supplemental-policy.md) | This article describes the steps necessary to create a supplemental policy, from one of the supplied templates, for an existing base policy. | -| [Editing a base or supplemental policy](wdac-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the Wizard's editing capabilities. | -| [Merging policies](wdac-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. | \ No newline at end of file +| [Editing a base or supplemental policy](wdac-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the wizard's editing capabilities. 
| +| [Merging policies](wdac-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. |
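Review bot: in the mcc-enterprise.md hunk, the rewritten "Erase disk and install Ubuntu" step still says "we recommend erasing and installing Ubuntu 16.04" while every other step in this section (the ISO download, the installation-options step, the "Setting up a VM" intro) targets Ubuntu 20.04 LTS; change it to 20.04 LTS so the procedure is internally consistent. Two smaller points in the same hunk: the "Download Ubuntu Server" link now points at a third-party mirror (mirror.cs.jmu.edu) pinned to 20.04.2 while the Desktop link goes to ubuntu.com, so consider linking the official Ubuntu release page and telling the reader to check the published SHA256 before booting the ISO into a cache server; and the new "Grant other users access" section asks for **Owner** on both the resource and the resource group, so a sentence on why Owner (rather than a lesser role) is needed would keep administrators from overgranting by default.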
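Review bot: in the windows-10-deprecated-features.md hunk, the added text "PSR was removed in Windows 11." is placed inside a markdown table cell that is already split across several lines with blank lines between them ("...for that user." / blank / "The recommended replacement..." / blank / "PSR was removed in Windows 11.| 1909 |"); raw line breaks inside a pipe-table cell break the row, so join the cell onto one line and separate the sentences with `<br>` if a break is wanted.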
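Review bot: in the special-identities.md hunk, please confirm which identity this table belongs to before filling in `S-1-5-90`. The hunk's context line refers to the Terminal Server User identity, whose well-known SID is S-1-5-13; S-1-5-90 is the SID of the Window Manager group. If the table at line 485 is the Window Manager section the value is correct, otherwise it needs to be S-1-5-13. The "Foreign Security Principal" object class and the WellKnown Security Principals container are consistent with either.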
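Review bot: in the credential-guard-manage.md hunk, the new Event ID 51 sentence uses Unicode arrows in an italic path (*Applications and Services logs → Microsoft → Windows → Kernel-Boot*), while the other files in this same patch (for example the WDAC event-id-explanations.md context line) write event log paths as **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity**; use the bold-with-`>` form here for consistency. Collapsing the sample event text into one inline code span is fine, but keeping "TPM PCR mask: 0x0" visible next to the sentence "If you are running with a TPM, the TPM PCR mask value will be something other than 0" reads as if 0x0 were the expected value; a short clause saying the sample shows the no-TPM case would remove the ambiguity.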
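Review bot: in the hello-hybrid-key-whfb-settings-dir-sync.md hunk, the new NOTE calls the accounts "your ADConnect accounts" while the step directly above it calls the same account "the service account used as an AD DS Connector account"; use one name so readers know which account to add to **Enterprise Key Admins**. "needed to write the keys to other domain users" should also read "to users in the other domains of the forest", which is the multi-domain case the note is about.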
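Review bot: the passwordless-strategy.md hunk fixes "the do not know" to "they do not know", but the context line two lines above still has "Windows Server 2012 R2 or early domain functional level", which should be "earlier"; since the hunk already touches this bullet list, fix that word in the same change.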
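Review bot: in the ts-bitlocker-network-unlock-issues.md hunk, the explanatory sentence that follows the code blocks still says "where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive", but after this change neither block contains a `<Drive>` placeholder: the first block is `manage-bde -protectors -get` with no volume argument at all, and the second hard-codes `C:`. `manage-bde -protectors -get` needs the volume argument, so keep a single block reading `manage-bde -protectors -get <Drive>` (or keep `C:` and reword the sentence to say that C: is an example).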
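Review bot: in the wdac-wizard.md hunk, replacing the bit.ly shortener with the direct installer host is the right call, since an opaque shortened URL gives administrators no way to judge where an MSIX they are about to install comes from. Since the text states that the wizard ships as an MSIX package and is open source on GitHub, add one sentence on how to confirm the package publisher (the signing certificate shown by the installer) so that trust does not rest on the hostname alone, and link the GitHub releases for readers who prefer to obtain it there.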