From cce13d6a47c9f5f106bb53576b3d764307217cd3 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Thu, 4 Aug 2022 05:35:44 +0530 Subject: [PATCH 01/17] Updated-6247330 Converted DO FAQ to YAML and added to the TOC. --- windows/deployment/do/TOC.yml | 4 +- ... => waas-delivery-optimization-faq-old.md} | 0 .../update/waas-delivery-optimization-faq.yml | 105 ++++++++++++++++++ 3 files changed, 108 insertions(+), 1 deletion(-) rename windows/deployment/update/{waas-delivery-optimization-faq.md => waas-delivery-optimization-faq-old.md} (100%) create mode 100644 windows/deployment/update/waas-delivery-optimization-faq.yml diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index ba824d08fb..5a0793025d 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -7,7 +7,9 @@ href: waas-delivery-optimization.md - name: What's new href: whats-new-do.md - + - name: Delivery Optimization Frequently Asked Questions + href: waas-delivery-optimization-faq.yml + - name: Configure Delivery Optimization diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq-old.md similarity index 100% rename from windows/deployment/update/waas-delivery-optimization-faq.md rename to windows/deployment/update/waas-delivery-optimization-faq-old.md diff --git a/windows/deployment/update/waas-delivery-optimization-faq.yml b/windows/deployment/update/waas-delivery-optimization-faq.yml new file mode 100644 index 0000000000..956bf2799c --- /dev/null +++ b/windows/deployment/update/waas-delivery-optimization-faq.yml 
@@ -0,0 +1,105 @@ +### YamlMime:FAQ +metadata: + title: Delivery Optimization Frequently Asked Questions + description: The following is a list of frequently asked questions for Delivery Optimization. + ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee + ms.reviewer: aaroncz + ms.prod: m365-security + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: carmenf + ms.author: carmenf + manager: dougeby + audience: ITPro + ms.collection: + - M365-security-compliance + - highpri + ms.topic: faq + ms.date: 08/04/2022 + ms.custom: seo-marvel-apr2020 +title: Delivery Optimization Frequently Asked Questions +summary: | + **Applies to** + - Windows 10 + - Windows 11 + + +sections: + - name: Ignored + questions: + - question: Does Delivery Optimization work with WSUS? + answer: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. + + - question: Which ports does Delivery Optimization use? + answer: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). + + Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. + + Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. 
+ + - question: What are the requirements if I use a proxy? + answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). + + - question: What hostnames should I allow through my firewall to support Delivery Optimization? + answer: | + **For communication between clients and the Delivery Optimization cloud service**: + + - `*.do.dsp.mp.microsoft.com` + + **For Delivery Optimization metadata**: + + - `*.dl.delivery.mp.microsoft.com` + - `*.emdl.ws.microsoft.com` + + **For the payloads (optional)**: + + - `*.download.windowsupdate.com` + - `*.windowsupdate.com` + + **For group peers across multiple NATs (Teredo)**: + + - `win1910.ipv6.microsoft.com` + + - question: Does Delivery Optimization use multicast? + answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. + + - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? + answer: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). + + - question: How does Delivery Optimization handle VPNs? + answer: | + Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. 
A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." + + If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. + + If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. + + With split tunneling, make sure to allow direct access to these endpoints: + + Delivery Optimization service endpoint: + + - `https://*.prod.do.dsp.mp.microsoft.com` + + Delivery Optimization metadata: + + - `http://emdl.ws.microsoft.com` + - `http://*.dl.delivery.mp.microsoft.com` + + Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads + + - `http://*.windowsupdate.com` + - `https://*.delivery.mp.microsoft.com` + - `https://*.update.microsoft.com` + - `https://tsfe.trafficshaping.dsp.mp.microsoft.com` + + For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). + + - question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? + answer: | + Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. 
If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. + + > [!NOTE] + > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. + From 79fd24833da09dc0a528b0761fda5e98dc1db312 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Thu, 4 Aug 2022 05:43:38 +0530 Subject: [PATCH 02/17] Updated-6247330 File path updated. --- .../deployment/{update => do}/waas-delivery-optimization-faq.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/deployment/{update => do}/waas-delivery-optimization-faq.yml (100%) diff --git a/windows/deployment/update/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml similarity index 100% rename from windows/deployment/update/waas-delivery-optimization-faq.yml rename to windows/deployment/do/waas-delivery-optimization-faq.yml From c31abe9f41b951afc2dc1995aabf55c657bb4242 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Thu, 4 Aug 2022 06:01:01 +0530 Subject: [PATCH 03/17] Updated-6247330 Updated links to address PR Warnings. --- windows/deployment/do/TOC.yml | 2 +- windows/deployment/do/delivery-optimization-endpoints.md | 2 +- windows/deployment/do/index.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 30533f66b8..72ef0f8a71 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml 
@@ -19,7 +19,7 @@ - name: Windows Delivery Optimization settings href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings - name: Windows Delivery Optimization Frequently Asked Questions - href: ../update/waas-delivery-optimization-faq.md + href: ../do/waas-delivery-optimization-faq.yml - name: Configure Microsoft Endpoint Manager items: - name: Delivery Optimization settings in Microsoft Intune diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md index da591eeadd..984e7fd026 100644 --- a/windows/deployment/do/delivery-optimization-endpoints.md +++ b/windows/deployment/do/delivery-optimization-endpoints.md @@ -33,5 +33,5 @@ This article lists the endpoints that need to be allowed through the firewall to | *.statics.teams.cdn.office.net | HTTP / 80
HTTPs / 443 | Teams | | Microsoft Endpoint Configuration Manager Distribution Point | | *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Microsoft Endpoint Configuration Manager Distribution Point | | *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Microsoft Endpoint Configuration Manager Distribution Point | -| *.do.dsp.mp.microsoft.com | HTTP / 80
HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../update/waas-delivery-optimization-faq.md#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure | +| *.do.dsp.mp.microsoft.com | HTTP / 80
HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure | | *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com | AMQP / 5671
MQTT / 8883
HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure | diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index a2db6aedca..85d6ee2703 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -49,7 +49,7 @@ landingContent: - text: Troubleshoot Delivery Optimization url: waas-delivery-optimization-setup.md#troubleshooting - text: Delivery Optimization Frequently Asked Questions - url: ../update/waas-delivery-optimization-faq.md + url: ../do/waas-delivery-optimization-faq.yml - text: Submit feedback url: https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332 From e0a893a2d91929c1107e89b73a5b5e71c9bfc231 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Thu, 4 Aug 2022 06:14:25 +0530 Subject: [PATCH 04/17] Updated-6247330 Indentation changes made to separate sentences in the paragraph. --- windows/deployment/do/waas-delivery-optimization-faq.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 956bf2799c..0fe613a87a 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -33,11 +33,12 @@ sections: answer: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - question: Which ports does Delivery Optimization use? - answer: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). + answer: | + Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. + Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. 
- Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. + Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. - question: What are the requirements if I use a proxy? answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). @@ -62,6 +63,8 @@ sections: - `win1910.ipv6.microsoft.com` + For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. + - question: Does Delivery Optimization use multicast? answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. From 32faa3e016f2c2d0d4e4b72e3d4c51edf71cf8d4 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Fri, 5 Aug 2022 02:01:44 +0530 Subject: [PATCH 05/17] Updated-6247330 Redirection file updated. --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 798ab55b18..46855dc966 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -19589,6 +19589,11 @@ "source_path": "windows/whats-new/contribute-to-a-topic.md", "redirect_url": "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-delivery-optimization-faq.md", + "redirect_url": "/windows/deployment/do/waas-delivery-optimization-faq", + "redirect_document_id": false } ] } From f0cfa7f2509fc65e0d784e46e4541d2dd7d767ca Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Fri, 5 Aug 2022 02:20:54 +0530 Subject: [PATCH 06/17] Updated-6247330 Deleting the old file. --- .../waas-delivery-optimization-faq-old.md | 101 ------------------ 1 file changed, 101 deletions(-) delete mode 100644 windows/deployment/update/waas-delivery-optimization-faq-old.md diff --git a/windows/deployment/update/waas-delivery-optimization-faq-old.md b/windows/deployment/update/waas-delivery-optimization-faq-old.md deleted file mode 100644 index e7787d0b50..0000000000 --- a/windows/deployment/update/waas-delivery-optimization-faq-old.md +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -title: Delivery Optimization Frequently Asked Questions -ms.reviewer: aaroncz -manager: dougeby -description: The following is a list of frequently asked questions for Delivery Optimization. -ms.prod: w10 -author: carmenf -ms.localizationpriority: medium -ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Delivery Optimization Frequently Asked Questions - -**Applies to** - -- Windows 10 -- Windows 11 - -## Does Delivery Optimization work with WSUS? - -Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - -## Which ports does Delivery Optimization use? - -Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - -Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. - -Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. - -## What are the requirements if I use a proxy? - -For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). 
Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). - -## What hostnames should I allow through my firewall to support Delivery Optimization? - -**For communication between clients and the Delivery Optimization cloud service**: - -- `*.do.dsp.mp.microsoft.com` - -**For Delivery Optimization metadata**: - -- `*.dl.delivery.mp.microsoft.com` -- `*.emdl.ws.microsoft.com` - -**For the payloads (optional)**: - -- `*.download.windowsupdate.com` -- `*.windowsupdate.com` - -**For group peers across multiple NATs (Teredo)**: - -- `win1910.ipv6.microsoft.com` - -For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. - -## Does Delivery Optimization use multicast? - -No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. - -## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? - -Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - -## How does Delivery Optimization handle VPNs? - -Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." - -If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. 
However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. - -If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. - -With split tunneling, make sure to allow direct access to these endpoints: - -Delivery Optimization service endpoint: - -- `https://*.prod.do.dsp.mp.microsoft.com` - -Delivery Optimization metadata: - -- `http://emdl.ws.microsoft.com` -- `http://*.dl.delivery.mp.microsoft.com` - -Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads - -- `http://*.windowsupdate.com` -- `https://*.delivery.mp.microsoft.com` -- `https://*.update.microsoft.com` -- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` - -For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). - -## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? - -Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. 
- -> [!NOTE] -> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. From 7d5a767df347a85b9d530a2ccc1d52121b567c22 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Fri, 5 Aug 2022 02:29:29 +0530 Subject: [PATCH 07/17] Updated-6247330 Adding the file again and renaming it to its original name so that we can delete it in the next update to match the redirection entry. --- .../update/waas-delivery-optimization-faq.md | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 windows/deployment/update/waas-delivery-optimization-faq.md diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq.md new file mode 100644 index 0000000000..e7787d0b50 --- /dev/null +++ b/windows/deployment/update/waas-delivery-optimization-faq.md 
@@ -0,0 +1,101 @@ +--- +title: Delivery Optimization Frequently Asked Questions +ms.reviewer: aaroncz +manager: dougeby +description: The following is a list of frequently asked questions for Delivery Optimization. +ms.prod: w10 +author: carmenf +ms.localizationpriority: medium +ms.author: carmenf +ms.collection: M365-modern-desktop +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Delivery Optimization Frequently Asked Questions + +**Applies to** + +- Windows 10 +- Windows 11 + +## Does Delivery Optimization work with WSUS? + +Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. + +## Which ports does Delivery Optimization use? + +Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). + +Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. + +Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. + +## What are the requirements if I use a proxy? + +For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). 
Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). + +## What hostnames should I allow through my firewall to support Delivery Optimization? + +**For communication between clients and the Delivery Optimization cloud service**: + +- `*.do.dsp.mp.microsoft.com` + +**For Delivery Optimization metadata**: + +- `*.dl.delivery.mp.microsoft.com` +- `*.emdl.ws.microsoft.com` + +**For the payloads (optional)**: + +- `*.download.windowsupdate.com` +- `*.windowsupdate.com` + +**For group peers across multiple NATs (Teredo)**: + +- `win1910.ipv6.microsoft.com` + +For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. + +## Does Delivery Optimization use multicast? + +No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. + +## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? + +Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). + +## How does Delivery Optimization handle VPNs? + +Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." + +If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. 
However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. + +If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. + +With split tunneling, make sure to allow direct access to these endpoints: + +Delivery Optimization service endpoint: + +- `https://*.prod.do.dsp.mp.microsoft.com` + +Delivery Optimization metadata: + +- `http://emdl.ws.microsoft.com` +- `http://*.dl.delivery.mp.microsoft.com` + +Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads + +- `http://*.windowsupdate.com` +- `https://*.delivery.mp.microsoft.com` +- `https://*.update.microsoft.com` +- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` + +For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). + +## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? + +Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. 
+ +> [!NOTE] +> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. From feff2389e3919fd4a89a9429d514975595707ca4 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Fri, 5 Aug 2022 02:34:49 +0530 Subject: [PATCH 08/17] Updated-6247330 Deleted the original file to align with the redirection entry. --- .../update/waas-delivery-optimization-faq.md | 101 ------------------ 1 file changed, 101 deletions(-) delete mode 100644 windows/deployment/update/waas-delivery-optimization-faq.md diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq.md deleted file mode 100644 index e7787d0b50..0000000000 --- a/windows/deployment/update/waas-delivery-optimization-faq.md +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -title: Delivery Optimization Frequently Asked Questions -ms.reviewer: aaroncz -manager: dougeby -description: The following is a list of frequently asked questions for Delivery Optimization. -ms.prod: w10 -author: carmenf -ms.localizationpriority: medium -ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Delivery Optimization Frequently Asked Questions - -**Applies to** - -- Windows 10 -- Windows 11 - -## Does Delivery Optimization work with WSUS? - -Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - -## Which ports does Delivery Optimization use? - -Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - -Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. - -Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. - -## What are the requirements if I use a proxy? - -For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). 
Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). - -## What hostnames should I allow through my firewall to support Delivery Optimization? - -**For communication between clients and the Delivery Optimization cloud service**: - -- `*.do.dsp.mp.microsoft.com` - -**For Delivery Optimization metadata**: - -- `*.dl.delivery.mp.microsoft.com` -- `*.emdl.ws.microsoft.com` - -**For the payloads (optional)**: - -- `*.download.windowsupdate.com` -- `*.windowsupdate.com` - -**For group peers across multiple NATs (Teredo)**: - -- `win1910.ipv6.microsoft.com` - -For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. - -## Does Delivery Optimization use multicast? - -No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. - -## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? - -Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - -## How does Delivery Optimization handle VPNs? - -Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." - -If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. 
However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. - -If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. - -With split tunneling, make sure to allow direct access to these endpoints: - -Delivery Optimization service endpoint: - -- `https://*.prod.do.dsp.mp.microsoft.com` - -Delivery Optimization metadata: - -- `http://emdl.ws.microsoft.com` -- `http://*.dl.delivery.mp.microsoft.com` - -Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads - -- `http://*.windowsupdate.com` -- `https://*.delivery.mp.microsoft.com` -- `https://*.update.microsoft.com` -- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` - -For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). - -## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? - -Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. 
- -> [!NOTE] -> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. From 303c0d6e3b286248e10024f907fe1a5f82a3b9d1 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Fri, 5 Aug 2022 11:56:54 -0700 Subject: [PATCH 09/17] 0xC00000BB -included for KDC support error 0xC00000BB -included for KDC support error --- .../hello-for-business/hello-errors-during-pin-creation.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 631d982e36..592e53bc19 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -70,6 +70,8 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | +| 0xC00000BB | Something went wrong and you PIN isn’t available. Or That option is temporarily unavailable. For now, please use a different method to sign in. | Destination domain controller doesn't support the login, most likely KDC service dont have proper certificate to support the login.| + ## Errors with unknown mitigation From 2cd104786fe314676895586e3c5050ad934dea04 Mon Sep 17 00:00:00 2001 
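Review bot: In the 0xC00000BB row added to hello-errors-during-pin-creation.md, the third column describes a cause ("Destination domain controller doesn't support the login, most likely KDC service dont have proper certificate") where the neighbouring rows give an action such as "Sign out and then sign in again." Say what the admin should do about the domain controller's KDC certificate, and keep the cause in the second column. The row also needs a text pass: "you PIN" should be "your PIN", "Or That option" should not be capitalised mid-sentence, "dont have" should be "doesn't have", and the closing pipe is missing the space the other rows use.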
From: tiaraquan Date: Fri, 5 Aug 2022 12:59:38 -0700 Subject: [PATCH 10/17] New Changes made at tenant enrollment. --- windows/deployment/windows-autopatch/TOC.yml | 2 + .../windows-autopatch-enroll-tenant.md | 3 + .../windows-autopatch-changes-to-tenant.md | 161 ++++++++++++++++++ 3 files changed, 166 insertions(+) create mode 100644 windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index c6e175c270..b61273493f 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -79,6 +79,8 @@ href: operate/windows-autopatch-wqu-unsupported-policies.md - name: Microsoft 365 Apps for enterprise update policies href: references/windows-autopatch-microsoft-365-policies.md + - name: Changes made at tenant enrollment + href: references/windows-autopatch-changes-to-tenant.md - name: Privacy href: references/windows-autopatch-privacy.md - name: Windows Autopatch preview addendum diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index 99940fe13f..7ff9f212c0 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -99,6 +99,9 @@ Within the Readiness assessment tool, you'll now see the **Enroll** button. By s Once these actions are complete, you've now successfully enrolled your tenant. +> [!NOTE] +> For more information about changes made to your tenant, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). + ### Delete data collected from the Readiness assessment tool You can choose to delete the data we collect directly within the Readiness assessment tool. 
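Review bot: In windows-autopatch-enroll-tenant.md the new note is placed after "Once these actions are complete, you've now successfully enrolled your tenant", so an admin reaches the link to the tenant changes only once enrollment has already happened. The linked article lists a service principal, an enterprise application with ReadWrite permissions and service accounts that are excluded from multi-factor authentication, which is what a tenant owner would want to review beforehand. Consider moving the note above the step that introduces the **Enroll** button, or repeating the link there.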
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md new file mode 100644 index 0000000000..c6f60baec9 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md 
@@ -0,0 +1,161 @@ +--- +title: Changes made at tenant enrollment +description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch +ms.date: 08/04/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: reference +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Changes made at tenant enrollment + +## Service principal + +Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: + +- Modern Workplace Customer APIs + +## Azure Active Directory groups + +Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our service accounts. + +| Group name | Description | +| ----- | ----- | +| Modern Workplace-All | All Modern Workplace users | +| Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | +| Modern Workplace Devices-All | All Modern Workplace devices | +| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | +| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization | +| Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10

Group Rule:

  • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
  • `(device.deviceOSVersion -notStartsWith \"10.0.22000\")`

Exclusions:
  • Modern Workplace - Telemetry Settings for Windows 11
| +| Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11

Group Rule:

  • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
  • `(device.deviceOSVersion -startsWith \"10.0.22000\")`

Exclusions:
  • Modern Workplace - Telemetry Settings for Windows 10
| +| Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role | +| Modern Workplace Roles - Service Reader | All users granted access to Modern Workplace Service Reader Role | +| Modern Workplace Service - Intune Admin All | Group for Intune Admins

Assigned to:

  • Modern Workplace Service Accounts
| +| Modern Workplace Service - Intune Reader All | Group for Intune readers

Assigned to:

  • Modern Workplace Service Accounts
| +| Modern Workplace Service - Intune Reader MMD | Group for Intune readers of MMD devices and users

Assigned to:

  • Modern Workplace Service Accounts
| +| Modern Workplace Service Accounts | Group for Windows Autopatch service accounts | +| Windows Autopatch Device Registration | Group for automatic device registration for Windows Autopatch | + +## Windows Autopatch enterprise applications + +Enterprise applications are applications (software) that a business uses to do its work. + +Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service. + +| Enterprise application name | Usage | Permissions | +| ----- | ------ | ----- | +| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This account is used to manage the service, publish baseline configuration updates, and maintain overall service health. |
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementManagedDevices.PriviligedOperation.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementRBAC.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • Directory.Read.All
  • Group.Create
  • Policy.Read.All
  • WindowsUpdates.Read.Write.All
| + +> [!NOTE] +> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon. + +## Windows Autopatch cloud service accounts + +Windows Autopatch will create three cloud service accounts in your tenant. These accounts are used to run the service and all need to be excluded from any multi-factor authentication controls. + +> [!NOTE] +> Effective Aug 15th, 2022, these accounts will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. These accounts will be removed with that transition. + +| Cloud service account name | Usage | Mitigating controls | +| ----- | ----- | ------ | +| MsAdmin@tenantDomain.onmicrosoft.com |
  • This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Microsoft Modern desktop devices.
  • This account doesn't have interactive sign-in permissions.  The account performs operations only through the service.
| Audited sign-ins | +| MsAdminInt@tenantDomain.onmicrosoft.com |
  • This account is an Intune and User administrator account used to define and configure the tenant for Modern Workplace devices.
  • This account is used for interactive sign-in to the customers’ tenant.
  • The use of this account is extremely limited as most operations are exclusively through msadmin (non-interactive).
  • |
    • Restricted to be accessed only from defined secure access workstations (SAWs) through the Modern Workplace - Secure Workstation conditional access policy.
    • Audited sign-ins
    | +| MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins | + +## Device configuration policies + +- Modern Workplace - Set MDM to Win Over GPO +- Modern Workplace - Telemetry Settings for Windows 10 +- Modern Workplace - Telemetry Settings for Windows 11 +- Modern Workplace-Window Update Detection Frequency +- Modern Workplace - Data Collection + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    | | | +| Modern Workplace - Telemetry Settings for Windows 10 | Telemetry settings for Windows 10

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    |[./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 2 | +| Modern Workplace - Telemetry Settings for Windows 11 | Telemetry settings for Windows 11

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    |
    • [./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
    • [./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
    • [./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
    • [./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
    |
    • 3
    • 1
    • 1
    • 1
    • | +| Modern Workplace - Windows Update Detection Frequency | Sets Windows update detection frequency

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      • Modern Workplace Devices-Windows Autopatch-First
      • Modern Workplace Devices-Windows Autopatch-Fast
      • Modern Workplace Devices-Windows Autopatch-Broad
      | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | +| Modern Workplace - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop.

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      • Modern Workplace Devices-Windows Autopatch-First
      • Modern Workplace Devices-Windows Autopatch-Fast
      • Modern Workplace Devices-Windows Autopatch-Broad
      | | | + +## Update rings for Windows 10 and later + +- Modern Workplace Update Policy [Test]-[Windows Autopatch] +- Modern Workplace Update Policy [First]-[Windows Autopatch] +- Modern Workplace Update Policy [Fast]-[Windows Autopatch] +- Modern Workplace Update Policy [Broad]-[Windows Autopatch] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace Update Policy [Test]-[Windows Autopatch | Windows Update for Business Configuration for the Test Ring

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      |
      • QualityUpdatesDeferralPeriodInDays
      • FeatureUpdatesDeferralPeriodInDays
      • FeatureUpdatesRollbackWindowInDays
      • BusinessReadyUpdatesOnly
      • AutomaticUpdateMode
      • InstallTime
      • DeadlineForFeatureUpdatesInDays
      • DeadlineForQualityUpdatesInDays
      • DeadlineGracePeriodInDays
      • PostponeRebootUntilAfterDeadline
      • DriversExcluded
      |
      • 0
      • 0
      • 30
      • All
      • WindowsDefault
      • 3
      • 5
      • 0
      • 0
      • False
      • False
      • | +| Modern Workplace Update Policy [First]-[Windows Autopatch] | Windows Update for Business Configuration for the First Ring

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-First
        |
        • QualityUpdatesDeferralPeriodInDays
        • FeatureUpdatesDeferralPeriodInDays
        • FeatureUpdatesRollbackWindowInDays
        • BusinessReadyUpdatesOnly
        • AutomaticUpdateMode
        • InstallTime
        • DeadlineForFeatureUpdatesInDays
        • DeadlineForQualityUpdatesInDays
        • DeadlineGracePeriodInDays
        • PostponeRebootUntilAfterDeadline
        • DriversExcluded
        |
        • 1
        • 0
        • 30
        • All
        • WindowsDefault
        • 3
        • 5
        • 2
        • 2
        • False
        • False
        • | +| Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-Fast
          |
          • QualityUpdatesDeferralPeriodInDays
          • FeatureUpdatesDeferralPeriodInDays
          • FeatureUpdatesRollbackWindowInDays
          • BusinessReadyUpdatesOnly
          • AutomaticUpdateMode
          • InstallTime
          • DeadlineForFeatureUpdatesInDays
          • DeadlineForQualityUpdatesInDays
          • DeadlineGracePeriodInDays
          • PostponeRebootUntilAfterDeadline
          • DriversExcluded
          |
          • 6
          • 0
          • 30
          • All
          • WindowsDefault
          • 3
          • 5
          • 2
          • 2
          • False
          • False
          • | +| Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-Broad
            |
            • QualityUpdatesDeferralPeriodInDays
            • FeatureUpdatesDeferralPeriodInDays
            • FeatureUpdatesRollbackWindowInDays
            • BusinessReadyUpdatesOnly
            • AutomaticUpdateMode
            • InstallTime
            • DeadlineForFeatureUpdatesInDays
            • DeadlineForQualityUpdatesInDays
            • DeadlineGracePeriodInDays
            • PostponeRebootUntilAfterDeadline
            • DriversExcluded
            |
            • 9
            • 0
            • 30
            • All
            • WindowsDefault
            • 3
            • 5
            • 5
            • 2
            • False
            • False
            • | + +## Feature update policies + +- Modern Workplace DSS Policy [Test] +- Modern Workplace DSS Policy [First] +- Modern Workplace DSS Policy [Fast] +- Modern Workplace DSS Policy [Broad] +- Modern Workplace DSS Policy [Windows 11] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | | Assigned to:
              • Modern Workplace Devices-Windows Autopatch-Test

              Exclude from:
              • Modern Workplace - Windows 11 Pre-Release Test Devices
              | +| Modern Workplace DSS Policy [First] | DSS policy for First device group | | Assigned to:
              • Modern Workplace Devices-Windows Autopatch-First
              • Modern Workplace - Windows 11 Pre-Release Test Devices
              • | +| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | | Assigned to:
                • Modern Workplace Devices-Windows Autopatch-Fast

                Exclude from:
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                | +| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | | Assigned to:
                • Modern Workplace Devices-Windows Autopatch-Broad

                Exclude from:
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                | +| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | | Assigned to:
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                | + +## Microsoft Office update policies + +- Modern Workplace - Office ADMX Deployment +- Modern Workplace - Office Configuration v5 +- Modern Workplace - Office Update Configuration [Test] +- Modern Workplace - Office Update Configuration [First] +- Modern Workplace - Office Update Configuration [Fast] +- Modern Workplace - Office Update Configuration [Broad] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Office ADMX Deployment | ADMX file for Office

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-Test
                • Modern Workplace Devices-Windows Autopatch-First
                • Modern Workplace Devices-Windows Autopatch-Fast
                • Modern Workplace Devices-Windows Autopatch-Broad
                | | | +| Modern Workplace - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-Test
                • Modern Workplace Devices-Windows Autopatch-First
                • Modern Workplace Devices-Windows Autopatch-Fast
                • Modern Workplace Devices-Windows Autopatch-Broad
                | | | +| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-Test
                |
                • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                |
              • Enabled; L_UpdateDeadlineID == 7
              • Enabled; L_DeferUpdateDaysID == 0
              • | +| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-First
                |
                • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                |
              • Enabled; L_UpdateDeadlineID == 7
              • Enabled; L_DeferUpdateDaysID == 0
              • | +| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-Fast
                |
                • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                |
              • Enabled; L_UpdateDeadlineID == 7
              • Enabled; L_DeferUpdateDaysID == 3
              • | +| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline
                Assigned to:
                • Modern Workplace Devices-Windows Autopatch-Broad
                • |
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                  |
                • Enabled; L_UpdateDeadlineID == 7
                • Enabled; L_DeferUpdateDaysID == 7
                • | + +## Microsoft Edge update policies + +- Modern Workplace - Edge Update ADMX Deployment +- Modern Workplace - Edge Update Channel Stable +- Modern Workplace - Edge Update Channel Beta + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Edge Update ADMX Deployment | Deploys ADMX update policy for Edge

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  | | | +| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  | ./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge | Enabled | +| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  | ./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge | Enabled | + +## Conditional access policies + +> [!NOTE] +> Effective Aug 15, 2022, the following policy will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. This policy will be removed with that transition. + +| Conditional access policy | Description | +| ----- | ----- | +| Modern Workplace - Secure Workstation | This policy is targeted to only the Windows Autopatch cloud service accounts. The policy blocks access to the tenant unless the user is accessing the tenant from a Microsoft authorized location. | + +## PowerShell scripts + +| Script | Description | +| ----- | ----- | +| Modern Workplace - Autopatch Client Setup | Installs necessary client components for the Windows Autopatch service | From f7abc21ecd6e321673444fa36a8bddbfa52050c5 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 5 Aug 2022 13:05:25 -0700 Subject: [PATCH 11/17] Updated date. --- .../references/windows-autopatch-changes-to-tenant.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index c6f60baec9..e9941f8432 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -1,7 +1,7 @@ --- title: Changes made at tenant enrollment description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch -ms.date: 08/04/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: reference 
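Review bot: In the new windows-autopatch-changes-to-tenant.md, two entries in the Permissions cell of the "Modern Workplace Management" row do not match real permission names: "DeviceManagementManagedDevices.PriviligedOperation.All" is misspelled (Microsoft Graph spells it DeviceManagementManagedDevices.PrivilegedOperations.All) and "WindowsUpdates.Read.Write.All" has a stray dot where every other entry in the list uses ReadWrite. Admins auditing the consent grant will search for these strings, so they should be exact. Smaller points in the same file: the bullet "Modern Workplace-Window Update Detection Frequency" does not match the table row "Modern Workplace - Windows Update Detection Frequency"; the row "Modern Workplace Update Policy [Test]-[Windows Autopatch" is missing its closing bracket; and in the feature update table the [First] row lists "Modern Workplace - Windows 11 Pre-Release Test Devices" under "Assigned to:" while the Test, Fast and Broad rows list it under "Exclude from:", so please confirm which is intended. The sentence stating that the cloud service accounts "need to be excluded from any multi-factor authentication controls" would also read better with a pointer to the Mitigating controls column in the table that follows it.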
From a6a4c4d22188d334582043dd061c49b608fbb032 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 5 Aug 2022 13:13:03 -0700 Subject: [PATCH 12/17] Removed OMA column from Feature updates section. --- .../windows-autopatch-changes-to-tenant.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index e9941f8432..d6571ae47a 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -107,13 +107,13 @@ Windows Autopatch will create three cloud service accounts in your tenant. These - Modern Workplace DSS Policy [Broad] - Modern Workplace DSS Policy [Windows 11] -| Policy name | Policy description | OMA | Value | -| ----- | ----- | ----- | ----- | -| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | | Assigned to:
                  • Modern Workplace Devices-Windows Autopatch-Test

                  Exclude from:
                  • Modern Workplace - Windows 11 Pre-Release Test Devices
                  | -| Modern Workplace DSS Policy [First] | DSS policy for First device group | | Assigned to:
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace - Windows 11 Pre-Release Test Devices
                  • | -| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | | Assigned to:
                    • Modern Workplace Devices-Windows Autopatch-Fast

                    Exclude from:
                    • Modern Workplace - Windows 11 Pre-Release Test Devices
                    | -| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | | Assigned to:
                    • Modern Workplace Devices-Windows Autopatch-Broad

                    Exclude from:
                    • Modern Workplace - Windows 11 Pre-Release Test Devices
                    | -| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | | Assigned to:
                    • Modern Workplace - Windows 11 Pre-Release Test Devices
                    | +| Policy name | Policy description | Value | +| ----- | ----- | ----- | +| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | Assigned to:
                    • Modern Workplace Devices-Windows Autopatch-Test

                    Exclude from:
                    • Modern Workplace - Windows 11 Pre-Release Test Devices
                    | +| Modern Workplace DSS Policy [First] | DSS policy for First device group | Assigned to:
                    • Modern Workplace Devices-Windows Autopatch-First
                    • Modern Workplace - Windows 11 Pre-Release Test Devices
                    • | +| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-Fast

                      Exclude from:
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      | +| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-Broad

                      Exclude from:
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      | +| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      | ## Microsoft Office update policies From aff5e19ba964adffdf0adf63b487e4a84b26c427 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 5 Aug 2022 13:28:44 -0700 Subject: [PATCH 13/17] Getting rid of the strikethrough because of the double tilde. --- .../windows-autopatch-changes-to-tenant.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index d6571ae47a..62a9d46a41 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -128,10 +128,10 @@ Windows Autopatch will create three cloud service accounts in your tenant. These | ----- | ----- | ----- | ----- | | Modern Workplace - Office ADMX Deployment | ADMX file for Office

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-Test
                      • Modern Workplace Devices-Windows Autopatch-First
                      • Modern Workplace Devices-Windows Autopatch-Fast
                      • Modern Workplace Devices-Windows Autopatch-Broad
                      | | | | Modern Workplace - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-Test
                      • Modern Workplace Devices-Windows Autopatch-First
                      • Modern Workplace Devices-Windows Autopatch-Fast
                      • Modern Workplace Devices-Windows Autopatch-Broad
                      | | | -| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-Test
                      |
                      • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                      • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                      |
                    • Enabled; L_UpdateDeadlineID == 7
                    • Enabled; L_DeferUpdateDaysID == 0
                    • | -| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-First
                      |
                      • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                      • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                      |
                    • Enabled; L_UpdateDeadlineID == 7
                    • Enabled; L_DeferUpdateDaysID == 0
                    • | -| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-Fast
                      |
                      • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                      • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                      |
                    • Enabled; L_UpdateDeadlineID == 7
                    • Enabled; L_DeferUpdateDaysID == 3
                    • | -| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline
                      Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-Broad
                      • |
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                        |
                      • Enabled; L_UpdateDeadlineID == 7
                      • Enabled; L_DeferUpdateDaysID == 7
                      • | +| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        |
                        • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                        • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                        |
                      • Enabled; L_UpdateDeadlineID == 7
                      • Enabled; L_DeferUpdateDaysID == 0
                      • | +| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-First
                        |
                        • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                        • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                        |
                      • Enabled; L_UpdateDeadlineID == 7
                      • Enabled; L_DeferUpdateDaysID == 0
                      • | +| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Fast
                        |
                        • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                        • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                        |
                      • Enabled; L_UpdateDeadlineID == 7
                      • Enabled; L_DeferUpdateDaysID == 3
                      • | +| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline
                        Assigned to:
                        • Modern Workplace Devices-Windows Autopatch-Broad
                        • |
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                          |
                        • Enabled; L_UpdateDeadlineID == 7
                        • Enabled; L_DeferUpdateDaysID == 7
                        • | ## Microsoft Edge update policies @@ -142,8 +142,8 @@ Windows Autopatch will create three cloud service accounts in your tenant. These | Policy name | Policy description | OMA | Value | | ----- | ----- | ----- | ----- | | Modern Workplace - Edge Update ADMX Deployment | Deploys ADMX update policy for Edge

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-Test
                          • Modern Workplace Devices-Windows Autopatch-First
                          • Modern Workplace Devices-Windows Autopatch-Fast
                          • Modern Workplace Devices-Windows Autopatch-Broad
                          | | | -| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-First
                          • Modern Workplace Devices-Windows Autopatch-Fast
                          • Modern Workplace Devices-Windows Autopatch-Broad
                          | ./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge | Enabled | -| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-Test
                          | ./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge | Enabled | +| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-First
                          • Modern Workplace Devices-Windows Autopatch-Fast
                          • Modern Workplace Devices-Windows Autopatch-Broad
                          | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | +| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-Test
                          | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | ## Conditional access policies From 74f44b006ef044092184ea1c012118bac892ae94 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 8 Aug 2022 12:37:50 -0400 Subject: [PATCH 14/17] Update hello-errors-during-pin-creation.md updated the description, fixing minor issues --- .../hello-for-business/hello-errors-during-pin-creation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 592e53bc19..d7987dc9bc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
@@ -70,7 +70,7 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | -| 0xC00000BB | Something went wrong and you PIN isn’t available. Or That option is temporarily unavailable. For now, please use a different method to sign in. | Destination domain controller doesn't support the login, most likely KDC service dont have proper certificate to support the login.| +| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.| From ab39b0047c32ff3ad5a9b3d71db48e5a2a02a5d2 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 25 Jul 2022 11:02:50 -0400 Subject: [PATCH 15/17] Cherry pick Changes for #9917 --- ...e-logon-message-text-for-users-attempting-to-log-on.md | 6 ++---- ...-logon-message-title-for-users-attempting-to-log-on.md | 8 +++----- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index 2f384a46fc..09e60e2f2b 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md 
@@ -2,7 +2,7 @@ title: Interactive Logon Message text (Windows 10) description: Learn about best practices, security considerations and more for the security policy setting, Interactive logon Message text for users attempting to log on. ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e -ms.reviewer: +ms.reviewer: ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy @@ -32,9 +32,7 @@ The **Interactive logon: Message text for users attempting to log on** and [Inte **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they sign in. -**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. - -Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. +**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. When these policy settings are configured, users will see a dialog box before they can sign in to the server console. 
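Review bot: The `@@ -32,9 +32,7 @@` hunk deletes the whole paragraph on legal exposure ("Not using this warning-message policy setting leaves your organization legally vulnerable ..."), but the commit message only says "Cherry pick Changes for #9917". State in the commit message why that claim is withdrawn, so a later editor does not restore it from the companion article or an older revision. The rewritten sentence also switches to "may be audited", while the unchanged intro of the title article in this same patch keeps "might be audited"; pick one wording for both files.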
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index ab20a8f979..b16fd3bff2 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -2,7 +2,7 @@ title: Interactive logon Message title for users attempting to log on (Windows 10) description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on. ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 -ms.reviewer: +ms.reviewer: ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy 
@@ -30,9 +30,7 @@ Describes the best practices, location, values, policy management and security c This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. -The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. - -Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. +The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. When these policy settings are configured, users will see a dialog box before they can sign in the server console. 
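Review bot: The added line in the `@@ -30,9 +30,7 @@` hunk appends "This text is often used for legal reasons, for example, ..." to a paragraph that directly follows a context paragraph ending in the same sentence (the older wording with "might be audited"), so the article will state it twice in a row. Drop the appended copy or remove the sentence from the intro paragraph and keep one wording. While this hunk is open, the trailing context line reads "before they can sign in the server console", which is missing "to".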
@@ -43,7 +41,7 @@ When these policy settings are configured, users will see a dialog box before th ### Best practices -1. It's advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one of the following values: +1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following: - RESTRICTED SYSTEM From 6c37b3f420866c66367d6998c17feef6fa214327 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Mon, 8 Aug 2022 23:09:11 +0530 Subject: [PATCH 16/17] Updated-6247330 Redirection file entry updated to resolve validation error. --- .openpublishing.redirection.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index bdc9f68fb9..afe30ff75b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19594,6 +19594,7 @@ "source_path": "windows/deployment/update/waas-delivery-optimization-faq.md", "redirect_url": "/windows/deployment/do/waas-delivery-optimization-faq", "redirect_document_id": false + }, { "source_path": "windows/security/identity-protection/access-control/security-identifiers.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-identifiers", From 4536c4f0fe229a5c9117ca6864c00c2cd6122567 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 8 Aug 2022 12:50:26 -0700 Subject: [PATCH 17/17] Aligning TOC name with article name. --- windows/deployment/windows-autopatch/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index c6e175c270..ecc4111a9c 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml 
@@ -35,7 +35,7 @@ - name: Operate href: operate/index.md items: - - name: Update management + - name: Software update management href: operate/windows-autopatch-update-management.md items: - name: Windows updates
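Review bot: In PATCH 12/17, the re-added [First] row still differs from the Test, Fast and Broad rows as it appears in the hunk: it has no "Exclude from:" label, so "Modern Workplace - Windows 11 Pre-Release Test Devices" reads as a second assigned group, and the cell ends with an empty bullet. The same shape is in the removed line, so it is carried over rather than introduced, but the row is being rewritten anyway. Confirm whether First is meant to exclude that group like the other rings and correct the cell in this commit, since admins will read this table as the record of what Autopatch assigns in their tenant.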
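Review bot: In PATCH 13/17, second hunk (`@@ -142,8 +142,8 @@`), the Edge Update Channel Stable and Beta rows end up with the same OMA-URI (`.../Pol_TargetChannelMicrosoftEdge`) and the same Value, "Enabled", so nothing in the table shows which channel each policy actually sets. The Office rows in the first hunk record the data value next to the state ("Enabled; L_UpdateDeadlineID == 7"); do the same here so the two rows can be told apart and checked against the deployed policy.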
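Review bot: In PATCH 14/17, the new 0xC00000BB row replaces the two on-screen messages with a paraphrase ("Your PIN or this option is temporarily unavailable."), which makes the row harder to find for someone searching on the text the sign-in screen shows. Keep the displayed strings verbatim in the message column and limit the edit to the mitigation column. The new mitigation also ends with "Use a different login method", which is a workaround for the user only; since the stated cause is the KDC service lacking a proper certificate, add the admin-side action of checking the domain controller's certificate. The added line is also missing the space before the closing `|` in both edited cells.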
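Review bot: In PATCH 15/17, the `@@ -43,7 +41,7 @@` hunk of the message-title article introduces a typo in the added line: "to a value similar to one the following:" has lost the "of" that the removed line had ("similar to one of the following values:"). Restore "one of the following".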
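Review bot: In PATCH 16/17, the single added `},` shows that the `waas-delivery-optimization-faq.md` redirect entry was left unterminated before this commit, so `.openpublishing.redirection.json` does not parse at the preceding commits of the series. Squash this line into whichever commit added that entry so every commit validates on its own, and consider a JSON parse check on this file in pre-merge validation so a missing brace is caught before publishing.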