deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-08 18:47:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #10915 from MicrosoftDocs/main
Some checks failed
(Scheduled) Publish to live / auto-publish (push) Has been cancelled
Details
(Scheduled) Mark stale pull requests / stale (push) Has been cancelled
Details

Browse Source 
[AutoPublish] main to live - 06/04 15:32 PDT | 06/05 04:02 IST
This commit is contained in:
Ruchika Mittal 2025-06-05 04:10:14 +05:30 committed by GitHub
commit b6e6c58245
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
293 changed files with 1053 additions and 1015 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
education/docfx.json
View File

@ -37,7 +37,7 @@
"ms.service": "windows-client",
"author": "paolomatarazzo",
"ms.author": "paoloma",
"manager": "aaroncz",
"manager": "bpardi",
"ms.localizationpriority": "medium",
"breadcrumb_path": "/education/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
@ -53,12 +53,12 @@
"contributors_to_exclude": [
"dstrome2",
"rjagiewich",
"American-Dipper",
"American-Dipper",
"claydetels19",
"jborsecnik",
"v-stchambers",
"shdyas",
"Stacyrch140",
"Stacyrch140",
"garycentric",
"dstrome",
"padmagit77",

12
education/includes/winse-eos.md Normal file
View File

@ -0,0 +1,12 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 06/04/2025
ms.topic: include
ms.service: windows-client
---
> [!IMPORTANT]
> **Support for Windows 11 SE will end in October 2026**
>
> Microsoft will not release a feature update after Windows 11 SE, version 24H2. Support for Windows 11 SE—including software updates, technical assistance, and security fixes—will end in October 2026. While your device will continue to work, we recommend transitioning to a device that supports another edition of Windows 11 to ensure continued support and security.

4
education/windows/change-home-to-edu.md
View File

@ -6,7 +6,7 @@ ms.topic: how-to
author: scottbreenmsft
ms.author: scbree
ms.reviewer: paoloma
manager: aaroncz
manager: bpardi
ms.collection:
- tier3
- education
@ -14,6 +14,8 @@ ms.collection:
# Upgrade Windows Home to Windows Education on student-owned devices
[!INCLUDE [winse-eos](../includes/winse-eos.md)]
## Overview
Customers with qualifying subscriptions can upgrade student-owned and institution-owned devices from *Windows Home* to *Windows Education*, which is designed for both the classroom and remote learning.

2
education/windows/edu-stickers.md
View File

@ -9,6 +9,8 @@ appliesto:
# Configure Stickers for Windows 11 SE
[!INCLUDE [winse-eos](../includes/winse-eos.md)]
Starting in **Windows 11 SE, version 22H2**, *Stickers* is a feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
Similar to the [education theme packs](edu-themes.md), Stickers is a personalization feature that helps the device feel like it was designed for students.

2
education/windows/edu-themes.md
View File

@ -10,6 +10,8 @@ appliesto:
# Configure education themes for Windows 11
[!INCLUDE [winse-eos](../includes/winse-eos.md)]
Starting in **Windows 11, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Screenshot of Windows 11 desktop with 3 stickers" border="true":::

2
education/windows/federated-sign-in.md
View File

@ -13,6 +13,8 @@ ms.collection:
# Configure federated sign-in for Windows devices
[!INCLUDE [winse-eos](../includes/winse-eos.md)]
Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via a web sign-in experience.
Signing in with a federated identity can be a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.

2
education/windows/index.yml
View File

@ -11,7 +11,7 @@ metadata:
- tier1
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
manager: bpardi
ms.date: 10/10/2024
highlightedContent:

2
education/windows/take-a-test-app-technical.md
View File

@ -7,6 +7,8 @@ ms.topic: reference
# Take a Test app technical reference
[!INCLUDE [winse-eos](../includes/winse-eos.md)]
Take a Test is an application that locks down a device and displays an online assessment web page.
Whether you're a teacher or IT administrator, you can configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment. This environment means that students taking the tests that don't have copy/paste privileges, can't access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher's preferred assessment website to deliver digital assessments.

2
education/windows/take-tests-in-windows.md
View File

@ -7,6 +7,8 @@ ms.topic: how-to
# Take tests and assessments in Windows
[!INCLUDE [winse-eos](../includes/winse-eos.md)]
Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't:
- Print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)

2
education/windows/tutorial-deploy-apps-winse/considerations.md
View File

@ -9,6 +9,8 @@ appliesto:
# Important considerations before deploying apps with Managed Installer
[!INCLUDE [winse-eos](../../includes/winse-eos.md)]
This article describes important aspects to consider before deploying apps with managed installer.
## Existing apps deployed in Intune

2
education/windows/tutorial-deploy-apps-winse/create-policies.md
View File

@ -9,6 +9,8 @@ appliesto:
# Create policies to enable applications
[!INCLUDE [winse-eos](../../includes/winse-eos.md)]
:::row:::
:::column span="":::
<a href="deploy-apps.md"><img src="images/phase-1-off.svg" alt="Icon representing the first phase."/></a><br>

2
education/windows/tutorial-deploy-apps-winse/deploy-apps.md
View File

@ -9,6 +9,8 @@ appliesto:
# Applications deployment considerations
[!INCLUDE [winse-eos](../../includes/winse-eos.md)]
:::row:::
:::column span="":::
<a href="deploy-apps.md"><img src="images/phase-1-on.svg" alt="Icon representing the first phase."/></a><br>

2
education/windows/tutorial-deploy-apps-winse/deploy-policies.md
View File

@ -11,6 +11,8 @@ appliesto:
# Deploy policies to enable applications
[!INCLUDE [winse-eos](../../includes/winse-eos.md)]
Once the policies are created, you must deploy them to the Windows SE devices.\
AppLocker policies can be deployed via Intune. This article describes how to deploy AppLocker policies to enable apps execution on Windows SE devices.

2
education/windows/tutorial-deploy-apps-winse/index.md
View File

@ -9,6 +9,8 @@ appliesto:
# Tutorial: deploy applications to Windows 11 SE with Intune
[!INCLUDE [winse-eos](../../includes/winse-eos.md)]
This guide describes how to deploy applications to Windows 11 SE devices that are managed by Microsoft Intune in an education environment. The guide also describes how to validate the apps and how to create policies to allow apps that aren't installable or don't behave as intended.
## Windows 11 SE and application deployment

2
education/windows/tutorial-deploy-apps-winse/troubleshoot.md
View File

@ -9,6 +9,8 @@ appliesto:
# Troubleshoot app deployment issues in Windows SE
[!INCLUDE [winse-eos](../../includes/winse-eos.md)]
The following table lists common app deployment issues on Windows 11 SE, and options to resolve them:
| **Problem** | **Potential solution** |

2
education/windows/tutorial-deploy-apps-winse/validate-apps.md
View File

@ -9,6 +9,8 @@ appliesto:
# Validate the applications deployed to Windows SE devices
[!INCLUDE [winse-eos](../../includes/winse-eos.md)]
:::row:::
:::column span="":::
<a href="deploy-apps.md"><img src="images/phase-1-off.svg" alt="Icon representing the first phase."/></a><br>

2
education/windows/windows-11-se-overview.md
View File

@ -12,6 +12,8 @@ ms.collection:
# Windows 11 SE Overview
[!INCLUDE [winse-eos](../includes/winse-eos.md)]
Windows 11 SE is an edition of Windows designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately).
For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:

2
education/windows/windows-11-se-settings-list.md
View File

@ -12,6 +12,8 @@ ms.collection:
# Windows 11 SE for Education settings list
[!INCLUDE [winse-eos](../includes/winse-eos.md)]
Windows 11 SE automatically configures certain settings and features in the operating system. You can use Microsoft Intune to customize these settings.
This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md).

8
windows/application-management/enterprise-background-activity-controls.md
View File

@ -1,16 +1,16 @@
---
title: Remove background task resource restrictions
description: Allow enterprise background tasks unrestricted access to computer resources.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: vinaypamnani-msft
ms.author: vinpa
manager: bpardi
ms.date: 10/03/2017
ms.topic: article
ms.service: windows-client
ms.subservice: itpro-apps
ms.localizationpriority: medium
ms.collection: tier2
ms.reviewer:
ms.reviewer:
---
# Remove background task resource restrictions

6
windows/application-management/includes/app-v-end-life-statement.md
View File

@ -1,7 +1,7 @@
---
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: vinaypamnani-msft
ms.author: vinpa
manager: bpardi
ms.date: 09/20/2021
ms.topic: include
ms.service: windows-client

10
windows/application-management/includes/applies-to-windows-client-versions.md
View File

@ -1,15 +1,11 @@
---
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: vinaypamnani-msft
ms.author: vinpa
manager: bpardi
ms.date: 09/28/2021
manager: aaroncz
ms.topic: include
ms.service: windows-client
ms.subservice: itpro-apps
ms.localizationpriortiy: medium
ms.collection: tier1
ms.reviewer:
---
**Applies to**:

6
windows/application-management/index.yml
View File

@ -6,9 +6,9 @@ summary: Learn about managing applications in Windows client, including common a
metadata:
title: Windows application management
description: Learn about managing applications in Windows client.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: vinaypamnani-msft
ms.author: vinpa
manager: bpardi
ms.date: 09/27/2024
ms.topic: landing-page
ms.service: windows-client

6
windows/application-management/overview-windows-apps.md
View File

@ -1,9 +1,9 @@
---
title: Overview of apps on Windows client devices
description: Learn about the different types of apps that run on Windows. For example, Universal Windows Platform (UWP), Windows Presentation Foundation (WPF), Win32, and Windows Forms apps. This article also includes the best way to install these apps.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: vinaypamnani-msft
ms.author: vinpa
manager: bpardi
ms.date: 09/03/2024
ms.topic: overview
ms.service: windows-client

6
windows/application-management/per-user-services-in-windows.md
View File

@ -1,9 +1,9 @@
---
title: Per-user services
description: Learn about per-user services, how to change the template service startup type, and manage per-user services through group policy and security templates.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: vinaypamnani-msft
ms.author: vinpa
manager: bpardi
ms.date: 10/01/2024
ms.topic: how-to
ms.service: windows-client

10
windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
View File

@ -1,9 +1,9 @@
---
title: Use the Company Portal app for your private app repo on Windows 11 devices | Microsoft Docs
description: Use the Company Portal app in Windows 11 devices to access the private app repository for your organization or company apps. Add apps to an MDM/MAM provider, and deploy the apps to Windows devices using policies. The Company Portal app replaces Microsoft Store for Business private store on Windows 11 devices.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: vinaypamnani-msft
ms.author: vinpa
manager: bpardi
ms.date: 09/03/2023
ms.topic: article
ms.service: windows-client
@ -57,7 +57,7 @@ To install the Company Portal app, you have some options:
- When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store app, go to the **Library**, and check for updates.
For more information, see:
- [Endpoint Management at Microsoft](/mem/endpoint-manager-overview)
- [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft)
- [What is co-management?](/mem/configmgr/comanage/overview)
@ -70,7 +70,7 @@ To install the Company Portal app, you have some options:
- When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store app, go to the **Library**, and check for updates.
For more information, see:
- [What is Windows Autopilot](/mem/autopilot/windows-autopilot)
- [Add and assign the Company Portal app for Autopilot provisioned devices](/mem/intune/apps/store-apps-company-portal-autopilot)

8
windows/application-management/remove-provisioned-apps-during-update.md
View File

@ -1,9 +1,9 @@
---
title: Keep removed apps from returning during an update
description: When you remove provisioned apps from devices, this article explains how to keep those apps from returning during an update.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: vinaypamnani-msft
ms.author: vinpa
manager: bpardi
ms.date: 05/25/2018
ms.topic: how-to
ms.service: windows-client
@ -171,7 +171,7 @@ Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.HEVCVideoExtension_8wekyb3d8bbwe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Messaging_8wekyb3d8bbwe]
```
```
[Get-AppxPackage](/powershell/module/appx/get-appxpackage)
[Get-AppxPackage -allusers](/powershell/module/appx/get-appxpackage)

6
windows/application-management/sideload-apps-in-windows.md
View File

@ -1,9 +1,9 @@
---
title: Sideload line of business apps
description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems. When you sideload an app, you deploy a signed app package to a device.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: vinaypamnani-msft
ms.author: vinpa
manager: bpardi
ms.date: 09/27/2024
ms.topic: how-to
ms.service: windows-client

30
windows/application-management/svchost-service-refactoring.md
View File

@ -1,9 +1,9 @@
---
title: Service host grouping in Windows 10
description: Learn about the Service Host (SvcHost) service refactoring introduced in Windows 10 version 1703.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: vinaypamnani-msft
ms.author: vinpa
manager: bpardi
ms.date: 07/20/2017
ms.topic: concept-article
ms.service: windows-client
@ -22,19 +22,19 @@ The **Service Host (svchost.exe)** is a shared-service process that serves as a
* Local Service No Network
* Local Service Network Restricted
* Local System
* Local System Network Restricted
* Local System Network Restricted
* Network Service
## Separating SvcHost services
Beginning with Windows 10 Creators Update (version 1703), services that were previously grouped will instead be separated - each will run in its own SvcHost process. This change is automatic for systems with **more than 3.5 GB** of RAM running the Client Desktop SKU. On systems with 3.5 GB or less RAM, we'll continue to group services into a shared SvcHost process.
Beginning with Windows 10 Creators Update (version 1703), services that were previously grouped will instead be separated - each will run in its own SvcHost process. This change is automatic for systems with **more than 3.5 GB** of RAM running the Client Desktop SKU. On systems with 3.5 GB or less RAM, we'll continue to group services into a shared SvcHost process.
Benefits of this design change include:
* Increased reliability by insulating critical network services from the failure of another non-network service in the host, and adding the ability to restore networking connectivity seamlessly when networking components crash.
* Reduced support costs by eliminating the troubleshooting overhead associated with isolating misbehaving services in the shared host.
* Increased security by providing more inter-service isolation
* Increased scalability by allowing per-service settings and privileges
* Increased security by providing more inter-service isolation
* Increased scalability by allowing per-service settings and privileges
* Improved resource management through per-service CPU, I/O and memory management and increase clear diagnostic data (report CPU, I/O and network usage per service).
>**Try This**
@ -48,19 +48,19 @@ Refactoring also makes it easier to view running processes in Task Manager. You
For example, here are the running processes displayed in Task Manager in Windows 10 version 1607:
![Running processes in Task Manager, version 1607.](media/svchost-grouped-processes.png)
![Running processes in Task Manager, version 1607.](media/svchost-grouped-processes.png)
Compare that to the same view of running processes in Windows 10 version 1703:
![Running processes in Task Manager, version 1703.](media/svchost-separated-processes.png)
## Exceptions
Some services will continue to be grouped on PCs running with 3.5 GB or higher RAM. For example, the Base Filtering Engine (BFE) and the Windows Firewall (Mpssvc) will be grouped together in a single host group, as will the RPC Endpoint Mapper and Remote Procedure Call services.
If you need to identify services that will continue to be grouped, in addition to seeing them in Task Manager and using command line tools, you can look for the *SvcHostSplitDisable* value in their respective service keys under
If you need to identify services that will continue to be grouped, in addition to seeing them in Task Manager and using command line tools, you can look for the *SvcHostSplitDisable* value in their respective service keys under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
The default value of **1** prevents the service from being split.
@ -70,19 +70,19 @@ For example, the registry key configuration for BFE is:
## Memory footprint
Separating services increases the total number of SvcHost instances, which increases memory utilization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.)
Separating services increases the total number of SvcHost instances, which increases memory utilization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.)
Consider the following example:
|Grouped Services (< 3.5 GB) | Split Services (3.5 GB+)
|--------------------------------------- | ------------------------------------------ |
|--------------------------------------- | ------------------------------------------ |
|![Memory utilization for grouped services.](media/svchost-grouped-utilization.png) |![Memory utilization for separated services](media/svchost-separated-utilization.png) |
> [!NOTE]
> The above represents the peak observed values.
The total number of service instances and the resulting memory utilization varies depending on activity. Instance counts can typically range from approximately 17-21 for grouped services, and 67-74 for separated services.
The total number of service instances and the resulting memory utilization varies depending on activity. Instance counts can typically range from approximately 17-21 for grouped services, and 67-74 for separated services.
> **Try This**
>

2
windows/client-management/docfx.json
View File

@ -47,7 +47,7 @@
"ms.topic": "conceptual",
"ms.author": "vinpa",
"author": "vinaypamnani-msft",
"manager": "aaroncz",
"manager": "bpardi",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {

2
windows/client-management/index.yml
View File

@ -13,7 +13,7 @@ metadata:
- essentials-manage
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
manager: bpardi
ms.date: 07/08/2024
ms.localizationpriority: medium

4
windows/client-management/mdm/includes/wip-deprecation.md
View File

@ -1,6 +1,6 @@
---
author: aczechowski
ms.author: aaroncz
author: vinaypamnani-msft
ms.author: vinpa
ms.service: windows-client
ms.topic: include
ms.date: 07/20/2022

2
windows/configuration/docfx.json
View File

@ -43,7 +43,7 @@
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.subservice": "itpro-configure",
"ms.service": "windows-client",
"manager": "aaroncz",
"manager": "bpardi",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {

2
windows/configuration/index.yml
View File

@ -10,7 +10,7 @@ metadata:
- tier1
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
manager: bpardi
ms.date: 12/05/2024
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new

12
windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
View File

@ -4,7 +4,7 @@ description: This article describes how to configure a PXE server to load Window
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
manager: aaroncz
manager: bpardi
ms.author: frankroj
ms.topic: how-to
ms.date: 11/23/2022
@ -118,7 +118,7 @@ All four of the roles specified above can be hosted on the same computer or each
The last command will return a GUID, for example:
```console
The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created.
The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created.
```
Copy this GUID for use in the next set of commands. In each command shown, replace "GUID1" with your GUID.
@ -126,9 +126,9 @@ All four of the roles specified above can be hosted on the same computer or each
3. Create a new boot application entry for the Windows PE image:
```cmd
bcdedit.exe /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit.exe /store c:\BCD /set {GUID1} path \windows\system32\winload.exe
bcdedit.exe /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit.exe /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit.exe /store c:\BCD /set {GUID1} path \windows\system32\winload.exe
bcdedit.exe /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit.exe /store c:\BCD /set {GUID1} systemroot \windows
bcdedit.exe /store c:\BCD /set {GUID1} detecthal Yes
bcdedit.exe /store c:\BCD /set {GUID1} winpe Yes
@ -138,7 +138,7 @@ All four of the roles specified above can be hosted on the same computer or each
```cmd
bcdedit.exe /store c:\BCD /create {bootmgr} /d "boot manager"
bcdedit.exe /store c:\BCD /set {bootmgr} timeout 30
bcdedit.exe /store c:\BCD /set {bootmgr} timeout 30
bcdedit.exe /store c:\BCD -displayorder {GUID1} -addlast
```

2
windows/deployment/customize-boot-image.md
View File

@ -4,7 +4,7 @@ description: This article describes how to customize a Windows PE (WinPE) boot i
ms.service: windows-client
ms.localizationpriority: medium
author: frankroj
manager: aaroncz
manager: bpardi
ms.author: frankroj
ms.topic: how-to
ms.date: 08/16/2024

2
windows/deployment/deploy-m365.md
View File

@ -1,6 +1,6 @@
---
title: Deploy Windows with Microsoft 365
manager: aaroncz
manager: bpardi
ms.author: frankroj
description: Learn about deploying Windows with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
ms.service: windows-client

16
windows/deployment/do/delivery-optimization-configure.md
View File

@ -7,7 +7,7 @@ ms.topic: how-to
author: cmknox
ms.author: carmenf
ms.reviewer: mstewart
manager: aaroncz
manager: bpardi
ms.collection:
- tier3
- essentials-get-started
@ -34,7 +34,7 @@ Use this checklist to guide you through different aspects when modifying Deliver
* Organization size
* System resources
* Improve P2P efficiencies
1. Using Microsoft Connected Cache
1. Choose where to set Delivery Optimization policies
@ -166,8 +166,8 @@ Looking to improve P2P efficiency? Some of the most powerful settings you can ch
- Help optimize peer connection over HTTP connections using the [DOMinBackgroundQoS](waas-delivery-optimization-reference.md#minimum-background-qos) policy. A good value for the [DOMinBackgroundQoS](waas-delivery-optimization-reference.md#minimum-background-qos) policy is something lower than the average download speed seen in your network. For example, if your average speed is 1000 KB/s, set this policy to 500 KB/s.
- Improve chances of downloading from peers and/or cache server by delaying the time DO attempts to make connections before falling back to the HTTP source. The set of delay-related policies include:
- [DODelayBackgroundDownloadFromHttp](waas-delivery-optimization-reference.md#delay-background-download-from-http-in-secs)
- [DODelayForegroundDownloadFromHttp](waas-delivery-optimization-reference.md#delay-foreground-download-from-http-in-secs)
- [DODelayForegroundDownloadFromHttp](waas-delivery-optimization-reference.md#delay-foreground-download-from-http-in-secs)
To improve efficiencies from peers or a dedicated cache server, a good starting point is 60 seconds for background settings and 30 seconds for foreground settings.
> [!NOTE]
@ -177,12 +177,12 @@ Looking to improve P2P efficiency? Some of the most powerful settings you can ch
Regardless of P2P, consider setting the following policies to avoid network disruption.
- Manage network usage as a percentage or absolute value. These policies include:
- Manage network usage as a percentage or absolute value. These policies include:
- [DOPercentageMaxBackgroundBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth)
- [DOPercentageMaxForegroundBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth)
- [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs)
- [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs)
- Reduce disruptions by throttling differently at different times of day, using the following business hours policies:
- Reduce disruptions by throttling differently at different times of day, using the following business hours policies:
- [DOSetHoursToLimitBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#set-business-hours-to-limit-background-download-bandwidth)
- [DOSetHoursToLimitForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#set-business-hours-to-limit-foreground-download-bandwidth).
@ -232,12 +232,12 @@ Delivery Optimization is integrated with both Microsoft Endpoint Manager and Con
## Monitor Delivery Optimization
Whether you opt for the default Delivery Optimization configurations or tailor them to suit your environment, you'll want to track the outcomes to see how they improve your efficiency. The following options are available to monitor Delivery Optimization:
Whether you opt for the default Delivery Optimization configurations or tailor them to suit your environment, you'll want to track the outcomes to see how they improve your efficiency. The following options are available to monitor Delivery Optimization:
- On clients, review the activity monitor, which displays a breakdown of downloads by source, average speed, and upload stats for the current month
- **Windows 11**: Settings > Windows Update > Advanced Options > Delivery Optimization > Activity Monitor
- **Windows 10**: Settings > Update & Security > Delivery Optimization > Activity Monitor
- Windows Update for Business reports offers a Delivery Optimization report. For more information, see [Monitor Delivery Optimization](waas-delivery-optimization-monitor.md).
- Windows Update for Business reports offers a Delivery Optimization report. For more information, see [Monitor Delivery Optimization](waas-delivery-optimization-monitor.md).
## Troubleshoot Delivery Optimization

6
windows/deployment/do/delivery-optimization-endpoints.md
View File

@ -7,13 +7,13 @@ ms.topic: reference
author: cmknox
ms.author: carmenf
ms.reviewer: mstewart
manager: aaroncz
manager: bpardi
ms.collection: tier3
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
- ✅ <a href=https://learn.microsoft.com/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache target=_blank>Connected Cache on a Configuration Manager distribution point</a>
- ✅ <a href=https://learn.microsoft.com/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache target=_blank>Connected Cache on a Configuration Manager distribution point</a>
ms.date: 04/15/2025
---

2
windows/deployment/do/delivery-optimization-proxy.md
View File

@ -6,7 +6,7 @@ ms.subservice: itpro-updates
ms.topic: article
author: cmknox
ms.author: carmenf
manager: aaroncz
manager: bpardi
ms.reviewer: mstewart
ms.collection: tier3
ms.localizationpriority: medium

2
windows/deployment/do/delivery-optimization-test.md
View File

@ -7,7 +7,7 @@ ms.topic: reference
author: cmknox
ms.author: carmenf
ms.reviewer: mstewart
manager: aaroncz
manager: bpardi
ms.collection: tier3
ms.localizationpriority: medium
appliesto:

2
windows/deployment/do/delivery-optimization-troubleshoot.md
View File

@ -7,7 +7,7 @@ ms.topic: how-to
author: cmknox
ms.author: carmenf
ms.reviewer: mstewart
manager: aaroncz
manager: bpardi
ms.collection:
- tier3
- essentials-get-started

2
windows/deployment/do/delivery-optimization-workflow.md
View File

@ -6,7 +6,7 @@ ms.subservice: itpro-updates
ms.topic: article
author: cmknox
ms.author: carmenf
manager: aaroncz
manager: bpardi
ms.reviewer: mstewart
ms.collection:
- tier3

4
windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md
View File

@ -1,6 +1,6 @@
---
title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diagnose/Solve feature UI
manager: aaroncz
manager: bpardi
description: Elixir images read me file
ms.service: windows-client
author: nidos
@ -13,7 +13,7 @@ robots: noindex
# Read Me
This file contains the images that are included in this GitHub repository that are used by the Azure UI for Diagnose and Solve. The following images _shouldn't be removed_ from the repository:
This file contains the images that are included in this GitHub repository that are used by the Azure UI for Diagnose and Solve. The following images _shouldn't be removed_ from the repository:
:::image type="content" source="ux-check-verbose-2.png" alt-text="A screenshot that shows 6 out of the 22 checks raising errors.":::

10
windows/deployment/do/includes/get-azure-subscription.md
View File

@ -2,7 +2,7 @@
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
manager: aaroncz
manager: bpardi
ms.date: 10/18/2022
ms.service: windows-client
ms.subservice: itpro-deploy
@ -13,7 +13,7 @@ ms.localizationpriority: medium
1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Subscriptions**. If you don't see **Subscriptions**, type **Subscriptions** in the search bar. As you begin typing, the list filters based on your input.
1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left.
1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the Microsoft Connected Cache service.
1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name.
1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value.
1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left.
1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the Microsoft Connected Cache service.
1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name.
1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value.

2
windows/deployment/do/includes/mcc-prerequisites.md
View File

@ -2,7 +2,7 @@
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
manager: aaroncz
manager: bpardi
ms.service: windows-client
ms.subservice: itpro-deploy
ms.topic: include

6
windows/deployment/do/index.yml
View File

@ -12,9 +12,9 @@ metadata:
ms.collection:
- highpri
- tier3
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: mestew
ms.author: mstewart
manager: bpardi
ms.date: 10/30/2024 #Required; mm/dd/yyyy format.
ms.localizationpriority: medium

18
windows/deployment/do/mcc-ent-faq.yml
View File

@ -8,18 +8,18 @@ metadata:
ms.author: nidos
author: doshnid
ms.reviewer: mstewart
manager: aaroncz
manager: bpardi
ms.collection:
- highpri
- tier3
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 10/30/2024
title: Microsoft Connected Cache for Enterprise Frequently Asked Questions
summary: |
Frequently asked questions about Microsoft Connected Cache for Enterprise
sections:
- name: Ignored
questions:
@ -29,27 +29,27 @@ sections:
answer: No. You won't be charged to create Connected Cache resource and cache nodes on Azure. However, you need an Azure pay-as-you-go subscription to create the resources but there is no charge for the resource itself.
- question: Is there a nondisclosure agreement to sign?
answer: No, a nondisclosure agreement isn't required.
- question: What will Microsoft Connected Cache for Enterprise and Education do for me?
- question: What will Microsoft Connected Cache for Enterprise and Education do for me?
answer: "[Delivery Optimization](waas-delivery-optimization-reference.md) and Microsoft Connected Cache are Microsofts comprehensive solutions for minimizing enterprises internet bandwidth consumption, with Delivery Optimization acting as the distributed content source and Connected Cache as a dedicated content source. Microsoft customers have benefited from these solutions, seeing savings of more than 90% of bandwidth when managing Windows 11 upgrades, Autopilot device provisioning, Intune application installations, and monthly update deployments."
- question: Can I deploy Connected Cache to a production environment?
answer: The core caching engine of Microsoft Connected Cache is deployed to hundreds of ISPs globally and has been reliably delivering Microsoft content to customers. Connected Cache relies on production Azure services for the deployment and management of Connected Cache nodes and for Windows installations Windows Subsystem for Linux. Microsoft support is fully onboarded to support your organization whether you deploy Connected Cache in a lab for testing or in production.
- question: When will Microsoft Connected Cache for Enterprise and Education be made generally available (GA)?
answer: "[Delivery Optimization](waas-delivery-optimization-reference.md) and Microsoft Connected Cache are Microsofts comprehensive solutions for minimizing enterprises internet bandwidth consumption. Microsoft is committed to making Connected Cache generally available soon. Additionally, Microsoft support is fully onboarded to support your organization in whatever capacity you deploy Connected Cache."
- question: What are the prerequisites and hardware requirements?
answer: |
answer: |
- [Azure pay-as-you-go subscription](https://azure.microsoft.com/offers/ms-azr-0003p/).
- [Hardware to host Microsoft Connected Cache](mcc-ent-edu-overview.md)
- [Host machine requirements](mcc-ent-prerequisites.md)
- question: What host OS do I need to deploy Connected Cache?
answer: You can use Linux or Windows OS. Depending on the OS, the provisioning script and certain provisioning steps are different.
answer: You can use Linux or Windows OS. Depending on the OS, the provisioning script and certain provisioning steps are different.
- question: What content is cached by Microsoft Connected Cache?
answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints](delivery-optimization-endpoints.md).
- question: Do I need to provide hardware BareMetal server or a virtual machine (VM)?
answer: Microsoft Connected Cache is a software-only caching solution and requires you to provide your own server to host the software.
answer: Microsoft Connected Cache is a software-only caching solution and requires you to provide your own server to host the software.
- question: Can we use hard drives instead of SSDs?
answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance.
- question: Where should we install Microsoft Connected Cache?
answer: You are in control of your hardware and you can pick the location based on your traffic and end clients. You can choose the location where you have your routers or where you have dense traffic or any other parameters.
answer: You are in control of your hardware and you can pick the location based on your traffic and end clients. You can choose the location where you have your routers or where you have dense traffic or any other parameters.
- question: How can I set up a gMSA account?
answer: For more information about gMSA accounts, see [Learn how to provision a Group Managed Service Account on a Domain Controller](/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/getting-started-with-group-managed-service-accounts#create-group-managed-service-accounts). Make sure that your gMSA has been granted permissions to "Log on as batch job" within the host machine's [local security policies](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings).
- question: How can I set up a local account?
@ -61,7 +61,7 @@ sections:
- question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache?
answer: Once a request for said content is made, NGINX looks at the cache control headers from the original acquisition. If that content is expired, NGINX continues to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content is in the hot cache path (open handles and such) for 24 hrs, but resides on disk for 30 days. The drive fills up and nginx starts to delete content based on its own algorithm, probably some combination of least recently used.
- question: Is it possible to not update the Microsoft Connected Cache software or delay update longer than the timeline provided in the updates configuration?
answer: No. It's important to keep the Microsoft Connected Cache software up to date, especially when it comes to security issues. Microsoft validates updates prior to releasing Enterprises Connected Cache updates and only releases updates when it's necessary to keep customers secure or to ensure the continued successful operation of Connected Cache nodes for customers.
answer: No. It's important to keep the Microsoft Connected Cache software up to date, especially when it comes to security issues. Microsoft validates updates prior to releasing Enterprises Connected Cache updates and only releases updates when it's necessary to keep customers secure or to ensure the continued successful operation of Connected Cache nodes for customers.
- question: How do I set up CLI?
answer: For more information, see [How to install the Azure CLI](/cli/azure/install-azure-cli).
- question: How do I install the Microsoft Connected Cache Azure CLI extension?

18
windows/deployment/do/mcc-ent-manage-using-cli.md
View File

@ -4,15 +4,15 @@ description: Details on how to manage Microsoft Connected Cache for Enterprise c
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
manager: aaroncz
manager: bpardi
ms.author: nidos
author: doshnid
ms.reviewer: mstewart
ms.collection: tier3
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise</a>
ms.date: 10/30/2024
---
@ -22,7 +22,7 @@ ms.date: 10/30/2024
This article outlines how to create, configure, and deploy Microsoft Connected Cache for Enterprise cache nodes using Azure CLI.
## Prerequisites:
1. **Install Azure CLI**: [How to install the Azure CLI](/cli/azure/install-azure-cli)
1. **Install Connected Cache extension**: Install Connected Cache extension via the command below
@ -94,7 +94,7 @@ To confirm cache node creation, use `az mcc ent node show`
<br>
```azurecli-interactive
az mcc ent node show --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg
az mcc ent node show --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg
```
>[!IMPORTANT]
@ -144,11 +144,11 @@ az mcc ent node get-provisioning-details --cache-node-name mycachenode --mcc-res
## Next step
To deploy the cache node to a **Windows** host machine, see
To deploy the cache node to a **Windows** host machine, see
>[!div class="nextstepaction"]
>[Deploy cache node to Windows](mcc-ent-deploy-to-windows.md)
To deploy the cache node to a **Linux** host machine, see
To deploy the cache node to a **Linux** host machine, see
>[!div class="nextstepaction"]
>[Deploy cache node to Linux](mcc-ent-deploy-to-linux.md)
@ -190,7 +190,7 @@ az mcc ent resource create --mcc-resource-name $mccResourceName --location $reso
#Loop through $cacheNodesToCreate iterations
for ($cacheNodeNumber = 1; $cacheNodeNumber -le $cacheNodesToCreate; $cacheNodeNumber++) {
$iteratedCacheNodeName = $cacheNodeName + "-" + $cacheNodeNumber
#Create cache node
az mcc ent node create --cache-node-name $iteratedCacheNodeName --mcc-resource-name $mccResourceName --host-os $cacheNodeOperatingSystem --resource-group $resourceGroup
@ -203,7 +203,7 @@ for ($cacheNodeNumber = 1; $cacheNodeNumber -le $cacheNodesToCreate; $cacheNodeN
Write-Output "Waiting for cache node creation to complete...$howLong seconds"
Start-Sleep -Seconds $waitTime
$howLong += $waitTime
$cacheNodeState = $(az mcc ent node show --cache-node-name $iteratedCacheNodeName --mcc-resource-name $mccResourceName --resource-group $resourceGroup --query "cacheNodeState") | ConvertFrom-Json
}

4
windows/deployment/do/mcc-isp-cache-node-configuration.md
View File

@ -1,6 +1,6 @@
---
title: Cache node configuration settings
manager: aaroncz
manager: bpardi
description: List of options that are available while configuring a cache node for your environment from the Azure portal.
ms.service: windows-client
ms.subservice: itpro-updates
@ -11,7 +11,7 @@ ms.reviewer: mstewart
ms.collection:
- tier3
- must-keep
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>

24
windows/deployment/do/mcc-isp-create-provision-deploy.md
View File

@ -3,16 +3,16 @@ title: Create, provision, and deploy the cache node
description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal
ms.service: windows-client
ms.subservice: itpro-updates
manager: aaroncz
manager: bpardi
author: nidos
ms.author: nidos
ms.reviewer: mstewart
ms.topic: install-set-up-deploy
ms.collection: tier3
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
ms.date: 05/23/2024
---
@ -66,29 +66,29 @@ In the example configuration below:
- The ASN of the Microsoft Connected Cache cache node is 65100 and the IP address is 192.168.8.99
- iBGP peering sessions are established from the portal for ASNs 65100, 65200, and 65300.
:::image type="content" source="images/mcc-isp-bgp-route.png" alt-text="Screenshot of a table entitled BGP route information showing how each ASN corresponds to a specific IP address." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::
:::image type="content" source="images/mcc-isp-bgp-route.png" alt-text="Screenshot of a table entitled BGP route information showing how each ASN corresponds to a specific IP address." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::
:::image type="content" source="images/mcc-isp-bgp-diagram.png" alt-text="A diagram that shows the relationship between the cache node and other ASNs/routers when using BGP. BGP routing allows the cache node to route to other network providers with different ASNs." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::
:::image type="content" source="images/mcc-isp-bgp-diagram.png" alt-text="A diagram that shows the relationship between the cache node and other ASNs/routers when using BGP. BGP routing allows the cache node to route to other network providers with different ASNs." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::
To set up and enable BGP routing for your cache node, follow the steps below:
1. Navigate to **Settings** > **Cache nodes**. Select the cache node you wish to provision.
:::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::
:::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::
1. Enter the max allowable egress that your hardware can support.
1. Enter the max allowable egress that your hardware can support.
1. Under **Cache storage**, specify the location of the cache drive folder to store content along with the size of the cache drives in Gigabytes.
**Note:** This is a **required** field. Up to nine cache drive folders are supported.
1. Under **Cache storage**, specify the location of the cache drive folder to store content along with the size of the cache drives in Gigabytes.
**Note:** This is a **required** field. Up to nine cache drive folders are supported.
1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing).
- If you choose **Manual routing**, enter your address range/CIDR blocks.
- If you choose **Manual routing**, enter your address range/CIDR blocks.
- If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship. Use your ASN, the one used to sign up for Microsoft Connected Cache. Connected Cache will be automatically assigned as the same ASN as the neighbor.
> [!NOTE]
> **Prefix count** and **IP Space** will stop displaying `0` when BGP is successfully established.
## Deploy cache node software to server
## Deploy cache node software to server
Once the user executes the cache server provisioning script, resources are created behind the scenes resulting in the successful cache node installation. The script takes the input of different IDs outlined below to register the server as an Azure IoT Edge device. Even though Microsoft Connected Cache scenario isn't related to IoT, Azure IoT Edge is installed for container management and communication operation purposes.
@ -125,7 +125,7 @@ There are five IDs that the device provisioning script takes as input in order t
:::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal.":::
1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server.
1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server.
1. Open a terminal window in the directory where you would like to deploy your cache node and run the following command to change the access permission to the Bash script:

64
windows/deployment/do/mcc-isp-faq.yml
View File

@ -8,90 +8,90 @@ metadata:
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
manager: aaroncz
manager: bpardi
ms.collection:
- highpri
- tier3
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 01/14/2025
title: Microsoft Connected Cache Frequently Asked Questions
summary: |
Frequently asked questions about Microsoft Connected Cache
sections:
- name: Ignored
questions:
- question: Is this product a free service?
answer: Yes. Microsoft Connected Cache is a free service.
answer: Yes. Microsoft Connected Cache is a free service.
- question: What will Microsoft Connected Cache do for me? How will it impact our customers?
answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs.
answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs.
- question: I already peer with Microsoft(8075). What benefit will I receive by adding Microsoft Connected Cache to my network?
answer: Microsoft Connected Cache complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing Connected Cache.
answer: Microsoft Connected Cache complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing Connected Cache.
- question: Is there a non-disclosure agreement to sign?
answer: No, a non-disclosure agreement isn't required.
- question: What are the prerequisites and hardware requirements?
answer: |
- Azure subscription
answer: |
- Azure subscription
- Hardware to host Microsoft Connected Cache
- Ubuntu 22.04 LTS on a physical server or VM of your choice.
- Ubuntu 22.04 LTS on a physical server or VM of your choice.
> [!NOTE]
> The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 22.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 22.04 LTS.
The following are recommended hardware configurations:
> The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 22.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 22.04 LTS.
The following are recommended hardware configurations:
| Microsoft Connected Cache Machine Class | Scenario |Traffic Range| VM/Hardware Recommendation|
| -------- | -------- | -------- | -------- |
| Edge | For smaller ISPs or remote sites part of a larger network. |< 5 Gbps Peak| VM </br> Up to 8 cores</br></br>Up to 16-GB memory</br></br>1 500 GB SSD|
| Metro POP | For ISPs, IXs, or Transit Providers serving a moderate amount of traffic in a network that might require one of more cache nodes. |5 to 20 Gbps Peak| VM or hardware</br></br>16 cores*</br></br>32-GB memory</br></br>2 - 3 500-GB SSDs each|
|Data Center|For ISPs, IXs, or Transit Providers serving a large amount traffic daily and might require deployment of multiple cache nodes.|20 to 40 Gbps Peak| Hardware, see sample spec below:</br></br>32 or more cores*</br></br>64 or more GB memory</br></br>4 - 6 500 - 1-TB SSDs** each |
*Requires systems (chipset, CPU, motherboard) with PCIe version 3, or higher.
**Drive speeds are important and to achieve higher egress, we recommend SSD NVMe in m.2 PCIe slot (version 4, or higher).
We have one customer who is able to achieve mid-30s Gbps egress rate using the following hardware specification:
- Dell PowerEdge R330
- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
- 4 - Transcend SSD230s 1 TB SATA Drives
We have one customer who is able to achieve mid-30s Gbps egress rate using the following hardware specification:
- Dell PowerEdge R330
- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
- 4 - Transcend SSD230s 1 TB SATA Drives
Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
- question: Do I need to provide hardware BareMetal server or VM?
answer: Microsoft Connected Cache is a software-only caching solution and requires you to provide your own server to host the software.
- question: Can we use hard drives instead of SSDs?
answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance.
answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance.
- question: Do I need to manually enter the CIDR blocks? If I have multiple cache nodes, should I configure a subset of CIDR blocks to each cache node?
answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Caches, you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes.
answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Caches, you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes.
- question: Should I add any load balancing mechanism?
answer: You don't need to add any load balancing. Our service takes care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node.
answer: You don't need to add any load balancing. Our service takes care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node.
- question: How many Microsoft Connected Cache instances do I need? How do we set up if we support multiple countries or regions?
answer: As stated in the recommended hardware table, the recommended configuration achieves near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that helps you estimate the number of cache nodes needed. If your ISP spans multiple countries or regions, you can set up separate cache nodes per country or region.
answer: As stated in the recommended hardware table, the recommended configuration achieves near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that helps you estimate the number of cache nodes needed. If your ISP spans multiple countries or regions, you can set up separate cache nodes per country or region.
- question: Where should we install Microsoft Connected Cache?
answer: You are in control of your hardware and you can pick the location based on your traffic and end customers. You can choose the location where you have your routers or where you have dense traffic or any other parameters.
- question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache?
answer: Once a request for said content is made, NGINX looks at the cache control headers from the original acquisition. If that content is expired, NGINX continues to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content will be in the hot cache path (open handles and such) for 24 hrs, but will reside on disk for 30 days. The drive fills up and nginx will start to delete content based on its own algorithm, probably some combination of least recently used.
- question: What content is cached by Microsoft Connected Cache?
answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints - Windows Deployment](delivery-optimization-endpoints.md).
answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints - Windows Deployment](delivery-optimization-endpoints.md).
- question: Does Microsoft Connected Cache support Xbox or Teams content?
answer: Currently, Microsoft Connected Cache doesn't support Xbox or Teams content. However, supporting Xbox content is of high priority, and we expect this feature soon. We'll let you know as soon as it becomes available!
answer: Currently, Microsoft Connected Cache doesn't support Xbox or Teams content. However, supporting Xbox content is of high priority, and we expect this feature soon. We'll let you know as soon as it becomes available!
- question: Is IPv6 supported?
answer: No, we don't currently support IPV6. We plan to support it in the future.
answer: No, we don't currently support IPV6. We plan to support it in the future.
- question: Is Microsoft Connected Cache stable and reliable?
answer: We have already successfully onboarded ISPs in many countries and regions around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of Connected Cache before expanding to more customers.
- question: How does Microsoft Connected Cache populate its content?
answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD.
- question: What CDNs does Microsoft Connected Cache pull content from?
answer: |
answer: |
Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time:
$ dig +noall +answer tlu.dl.delivery.mp.microsoft.com | grep -P "IN\tA"
c-0001.c-msedge.net. 20 IN A 13.107.4.50
$ whois 13.107.4.50|grep "Organization:"
Organization: Microsoft Corporation (MSFT)
- question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how does it affect my traffic?
answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic.

6
windows/deployment/do/mcc-isp-overview.md
View File

@ -4,15 +4,15 @@ description: Overview of Microsoft Connected Cache for ISPs. Learn about how Con
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: overview
manager: aaroncz
manager: bpardi
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
ms.collection: tier3
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
ms.date: 05/23/2024
---

8
windows/deployment/do/mcc-isp-signup.md
View File

@ -4,15 +4,15 @@ description: Instructions on how to go through the service onboarding process fo
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
manager: aaroncz
manager: bpardi
author: nidos
ms.author: nidos
ms.reviewer: mstewart
ms.collection: tier3
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
ms.date: 01/14/2024
---
@ -39,7 +39,7 @@ Before you begin sign up, ensure you have the following components:
1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 22.04 LTS.
1. **Configure cache drive**: Make sure that you have a data drive configured with full permissions on your server. You'll need to specify the location for this cache drive during the cache node configuration process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk).
## Resource creation and sign up process
## Resource creation and sign up process
1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**.

10
windows/deployment/do/mcc-isp-support.md
View File

@ -6,13 +6,13 @@ ms.subservice: itpro-updates
ms.topic: reference
author: nidos
ms.author: nidos
manager: aaroncz
manager: bpardi
ms.reviewer: mstewart
ms.collection: tier3
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
ms.date: 01/14/2025
---
@ -32,13 +32,13 @@ During sign-up, we verify the information you provide against what is present in
#### Invalid verification code
During sign-up, a verification code is sent to your NOC email address present in [Peering DB](https://www.peeringdb.com/). This code expires in 24 hours. If it's expired, you'll need to request a new verification code to complete the sign-up.
During sign-up, a verification code is sent to your NOC email address present in [Peering DB](https://www.peeringdb.com/). This code expires in 24 hours. If it's expired, you'll need to request a new verification code to complete the sign-up.
#### Unable to re-sign up
Delete any Microsoft Connected Cache resource that you're using before you resign up for the service. Deleting any existing Connected Cache resource unlocks your ASN, which allows you to successfully sign up.
### Cache Node Errors
### Cache Node Errors
#### Network connectivity issues

6
windows/deployment/do/mcc-isp-update.md
View File

@ -6,15 +6,15 @@ ms.subservice: itpro-updates
ms.topic: how-to
ms.author: carmenf
author: cmknox
manager: aaroncz
manager: bpardi
ms.reviewer: mstewart
ms.collection:
- tier3
- must-keep
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
ms.date: 05/23/2024
---

6
windows/deployment/do/mcc-isp-verify-cache-node.md
View File

@ -7,10 +7,10 @@ ms.subservice: itpro-updates
ms.topic: how-to
ms.author: carmenf
author: cmknox
manager: aaroncz
manager: bpardi
ms.reviewer: mstewart
ms.collection: tier3
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/mcc-isp target=_blank>Microsoft Connected Cache for ISPs</a>
ms.date: 05/23/2024
---
@ -90,7 +90,7 @@ Within Azure portal, there are many charts and graphs that are available to moni
Within Azure portal, you're able to build your custom charts and graphs using the following available metrics:
| Metric name | Description |
|---|---|
|---|---|
| **Cache Efficiency** | Cache efficiency is defined as the total cache hit bytes divided by all bytes requested. The higher this value (0 - 100%), the more efficient the cache node is. |
| **Healthy nodes** | The number of cache nodes that are reporting as healthy|
| **Unhealthy nodes**| The number of cache nodes that are reporting as unhealthy|

4
windows/deployment/do/mcc-isp-vm-performance.md
View File

@ -7,10 +7,10 @@ ms.subservice: itpro-updates
ms.topic: reference
ms.author: carmenf
author: cmknox
manager: aaroncz
manager: bpardi
ms.reviewer: mstewart
ms.collection: tier3
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/mcc-isp target=_blank>Microsoft Connected Cache for ISPs</a>
ms.date: 01/14/2025
---

6
windows/deployment/do/mcc-isp.md
View File

@ -7,11 +7,11 @@ ms.topic: how-to
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
ms.collection: tier3
ms.date: 10/30/2024
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ Microsoft Connected Cache for ISPs (early preview)
@ -33,7 +33,7 @@ Microsoft Connected Cache for Internet Service Providers is now in Public Previe
<!--
<!--
### Setting up a VM on Windows Server

58
windows/deployment/do/waas-delivery-optimization-faq.yml
View File

@ -7,16 +7,16 @@ metadata:
ms.topic: faq
author: cmknox
ms.author: carmenf
manager: aaroncz
manager: bpardi
ms.reviewer: mstewart
ms.collection:
- highpri
- tier3
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019, and later</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
ms.date: 04/14/2025
title: Frequently Asked Questions about Delivery Optimization
summary: |
@ -24,7 +24,7 @@ summary: |
**General questions**:
- [What Delivery Optimization settings are available?](#what-delivery-optimization-settings-are-available)
- [What Delivery Optimization settings are available?](#what-delivery-optimization-settings-are-available)
- [Does Delivery Optimization work with WSUS?](#does-delivery-optimization-work-with-wsus)
- [How are downloads initiated by Delivery Optimization?](#how-are-downloads-initiated-by-delivery-optimization)
- [Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected?](#delivery-optimization-is-downloading-windows-content-on-my-devices-directly-from-an-ip-address--is-it-expected)
@ -34,14 +34,14 @@ summary: |
- [How does Delivery Optimization measure and throttle download bandwidth?](#how-does-delivery-optimization-measure-and-throttle-download-bandwidth)
**Network related configuration questions**:
- [Which ports does Delivery Optimization use?](#which-ports-does-delivery-optimization-use)
- [What are the requirements if I use a proxy?](#what-are-the-requirements-if-i-use-a-proxy)
- [What hostnames should I allow through my firewall to support Delivery Optimization?](#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization)
- [My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization?How do I configure it to download content with Delivery Optimization?](#my-firewall-requires-ip-addresses-and-can-t-process-fqdns--how-do-i-configure-it-to-download-content-with-delivery-optimization)
- [What is the recommended configuration for Delivery Optimization used with cloud proxies?](#what-is-the-recommended-configuration-for-delivery-optimization-used-with-cloud-proxies)
**Peer-to-peer related questions**:
**Peer-to-peer related questions**:
- [How does Delivery Optimization determine which content is available for peering?](#how-does-delivery-optimization-determine-which-content-is-available-for-peering)
- [Where does Delivery Optimization get content from first?](#where-does-delivery-optimization-get-content-from-first)
@ -50,27 +50,27 @@ summary: |
- [How does Delivery Optimization handle VPNs?](#how-does-delivery-optimization-handle-vpns)
- [How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?](#how-does-delivery-optimization-handle-networks-where-a-public-ip-address-is-used-in-place-of-a-private-ip-address)
**Device resources questions**:
**Device resources questions**:
- [Delivery Optimization is using device resources and I can't tell why?](#delivery-optimization-is-using-device-resources-and-i-can-t-tell-why)
- [How do I clear the Delivery Optimization cache?](#how-do-i-clear-the-delivery-optimization-cache)
sections:
sections:
- name: General questions
questions:
- question: What Delivery Optimization settings are available?
answer: |
There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with controls on bandwidth, time of day, etc.
There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with controls on bandwidth, time of day, etc.
- question: Does Delivery Optimization work with WSUS?
answer: |
Yes. Devices obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
- question: How are downloads initiated by Delivery Optimization?
answer: |
Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization).
- question: Delivery Optimization is downloading Windows content on my devices directly from an IP address, is it expected?
answer: |
When Delivery Optimization downloads from a [Microsoft Connected Cache](waas-microsoft-connected-cache.md) server that is hosted by your internet service provider, the download will be pulled directly from the IP address of that server. If the Microsoft Connected cache isn't available, the download will fall back seamlessly to the CDN instead. Delivery Optimization Peers are used in parallel if available.
- question: Delivery Optimization is downloading Windows content on my devices directly from an IP address, is it expected?
answer: |
When Delivery Optimization downloads from a [Microsoft Connected Cache](waas-microsoft-connected-cache.md) server that is hosted by your internet service provider, the download will be pulled directly from the IP address of that server. If the Microsoft Connected cache isn't available, the download will fall back seamlessly to the CDN instead. Delivery Optimization Peers are used in parallel if available.
- question: How do I turn off Delivery Optimization?
answer: |
Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage.
Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage.
If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download with error code 0x80d03002. Starting in Windows 11, Download mode '100' is deprecated.
@ -86,10 +86,10 @@ sections:
For a list of common Delivery Optimization error codes, visit the [Delivery Optimization Troubleshooter](http://aka.ms/do-fix). This resource provides descriptions of various error codes. Using the Delivery Optimization Troubleshooter can help you identify and resolve issues with Delivery Optimization, providing configuration values and other useful information to help address problems effectively.
- question: How does Delivery Optimization measure and throttle download bandwidth?
answer: |
By default, Delivery Optimization measures and targets to use no more than 45% of the available bandwidth during a background download or 90% for an interactive, foreground download (user initiated). The target download speed is measured for the HTTP source and Group/Internet peers. The target download speed measures the download throughput available to the source, not only the local network card. A speed test is performed dynamically every few minutes during a download, so it can adjust to congestion on the network.
By default, Delivery Optimization measures and targets to use no more than 45% of the available bandwidth during a background download or 90% for an interactive, foreground download (user initiated). The target download speed is measured for the HTTP source and Group/Internet peers. The target download speed measures the download throughput available to the source, not only the local network card. A speed test is performed dynamically every few minutes during a download, so it can adjust to congestion on the network.
Throttling will apply only to downloads from the internet which include the HTTP source and Group peers. To make changes to the default behavior, use the settings from the Delivery Optimization section in Windows Settings (Delivery Optimization -> Advanced Options) to change these values. In addition, there are policies available to manage bandwidth usage for Delivery Optimization. To ensure smooth deployments, we recommend familiarizing yourself with the bandwidth defaults and policies available to better configure them for your environment. Note that Delivery Optimization does not manage deployment strategies.
For more information, see [Bandwidth throttle options](delivery-optimization-configure.md#bandwidth-throttling-options).
> [!NOTE]
@ -98,20 +98,20 @@ sections:
- name: Network related configuration questions
questions:
- question: Which ports does Delivery Optimization use?
answer: |
answer: |
Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service registers and opens this port on the device. The port must be set to accept inbound and outbound TCP traffic through your firewall. If you don't allow traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download updates by using HTTP over port 80 (or HTTPS over port 443 where applicable).
If you set the "Download Mode" policy to "Group (2)" or "Internet (3)", Teredo will be used by Delivery Optimization to connect to peer devices across NATs. You must allow inbound and outbound UDP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
Delivery Optimization also communicates with its cloud service by using HTTPS over port 443.
- question: What are the requirements if I use a proxy?
answer: |
For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
- question: What hostnames should I allow through my firewall to support Delivery Optimization?
answer: |
answer: |
**For communication between clients and the Delivery Optimization cloud service**:
- `*.prod.do.dsp.mp.microsoft.com`
**For Delivery Optimization metadata**:
@ -126,18 +126,18 @@ sections:
For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed.
- question: My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization?
answer: |
Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) servers, which are hosted within Internet Service Provider (ISP) networks.
The network of CDNs and Microsoft Connected Caches allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible.
answer: |
Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) servers, which are hosted within Internet Service Provider (ISP) networks.
The network of CDNs and Microsoft Connected Caches allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible.
- question: What is the recommended configuration for Delivery Optimization used with cloud proxies?
answer: |
The recommended configuration for Delivery Optimization peer-to-peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy.
At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct internet access and bypass the cloud proxy service:
At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct internet access and bypass the cloud proxy service:
- `*.prod.do.dsp.mp.microsoft.com`
If allowing direct internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode.
- name: Peer-to-Peer related questions
questions:
- question: How does Delivery Optimization determine which content is available for peering?
@ -145,12 +145,12 @@ sections:
Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots.
- question: Where does Delivery Optimization get content from first?
answer: |
When Delivery Optimization client is configured to use peers and Microsoft Connected Cache, the client connects to both Connected Cache and peers in parallel. There is no prioritization between the two. Once downloading starts in parallel, Delivery Optimization
When Delivery Optimization client is configured to use peers and Microsoft Connected Cache, the client connects to both Connected Cache and peers in parallel. There is no prioritization between the two. Once downloading starts in parallel, Delivery Optimization
will taper off requests to the HTTP source (CDN or Connected Cache) when the peer connections are able to reach the target download speed. For background downloads, Delivery Optimization will drop HTTP connections if peers are meeting the minimum QoS speed. To manage delaying the default behavior
there are a collection of policies that can be used. For more information, see [Delivery Optimization delay policies](waas-delivery-optimization-reference.md#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources).
- question: Does Delivery Optimization use multicast?
answer: |
No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
- question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?
answer: |
Starting in Windows 11, version 22H2, Delivery Optimization uses LEDBAT (server-side LEDBAT) and rLEDBAT (receiver-side LEDBAT) to relieve such congestion. In Delivery Optimization, LEDBAT is specifically used for P2P connections, while rLEDBAT is utilized for HTTP and Connected Cache connections, particularly for background downloads. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
@ -169,7 +169,7 @@ sections:
- `https://*.prod.do.dsp.mp.microsoft.com`
Delivery Optimization metadata:
- `http://download.windowsupdate.com`
- `http://*.dl.delivery.mp.microsoft.com`

2
windows/deployment/do/waas-delivery-optimization-monitor.md
View File

@ -6,7 +6,7 @@ ms.subservice: itpro-updates
ms.topic: reference
ms.author: carmenf
author: cmknox
manager: aaroncz
manager: bpardi
ms.reviewer: mstewart
ms.collection:
- tier3

4
windows/deployment/do/waas-delivery-optimization-reference.md
View File

@ -6,7 +6,7 @@ ms.subservice: itpro-updates
ms.topic: reference
author: cmknox
ms.author: carmenf
manager: aaroncz
manager: bpardi
ms.reviewer: mstewart
ms.collection: tier3
ms.localizationpriority: medium
@ -335,7 +335,7 @@ Configure this policy to designate Delivery Optimization in Network Cache server
> [!NOTE]
> If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been configured.
>
>
> If the [LocalPolicyMerge](/windows/security/operating-system-security/network-security/windows-firewall/rules#local-policy-merge-and-application-rules) setting is configured, such as part of security baselines, it can impact DHCP client and prevent it from retrieving this DHCP option, especially in Autopilot scenarios.
### Maximum foreground download bandwidth (in KB/s)

2
windows/deployment/do/waas-delivery-optimization.md
View File

@ -6,7 +6,7 @@ ms.subservice: itpro-updates
ms.topic: overview
author: cmknox
ms.author: carmenf
manager: aaroncz
manager: bpardi
ms.reviewer: mstewart
ms.collection:
- tier3

4
windows/deployment/do/waas-microsoft-connected-cache.md
View File

@ -6,11 +6,11 @@ ms.subservice: itpro-updates
ms.topic: overview
author: cmknox
ms.author: carmenf
manager: aaroncz
manager: bpardi
ms.reviewer: mstewart
ms.collection: tier3
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 10/30/2024

4
windows/deployment/do/waas-optimize-windows-10-updates.md
View File

@ -7,10 +7,10 @@ ms.subservice: itpro-updates
ms.author: carmenf
author: cmknox
ms.reviewer: mstewart
manager: aaroncz
manager: bpardi
ms.collection: tier3
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 05/23/2024

4
windows/deployment/do/whats-new-do.md
View File

@ -6,11 +6,11 @@ ms.subservice: itpro-updates
ms.topic: whats-new
author: cmknox
ms.author: carmenf
manager: aaroncz
manager: bpardi
ms.reviewer: mstewart
ms.collection: tier3
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 05/23/2024

6
windows/deployment/index.yml
View File

@ -12,9 +12,9 @@ metadata:
ms.collection:
- highpri
- tier1
author: aczechowski
ms.author: aaroncz
manager: aaroncz
author: frankroj
ms.author: frankroj
manager: bpardi
ms.date: 11/05/2024
ms.localizationpriority: medium

2
windows/deployment/mbr-to-gpt.md
View File

@ -5,7 +5,7 @@ ms.service: windows-client
author: frankroj
ms.author: frankroj
ms.date: 05/07/2025
manager: aaroncz
manager: bpardi
ms.localizationpriority: high
ms.topic: how-to
ms.collection:

12
windows/deployment/update/catalog-checkpoint-cumulative-updates.md
View File

@ -6,11 +6,11 @@ ms.subservice: itpro-updates
ms.topic: article
ms.author: mstewart
author: mestew
manager: aaroncz
manager: bpardi
ms.collection:
- tier2
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 24H2 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2025 and later</a>
ms.date: 01/31/2025
@ -65,7 +65,7 @@ Devices or images that have the latest checkpoint cumulative update installed an
Examples of eligible devices:
| Device is on | Needs to install|
| Device is on | Needs to install|
|---|---|
|<ul><li>The checkpoint cumulative update, 2024-09 (KB5043080)</li></ul>|<ul><li>A subsequent monthly security update like 2024-11 (KB5046617), or</li> <li>A subsequent optional nonsecurity release like 2024-11 (KB5046740) </li></ul>|
|<ul><li>A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or</li> <li> A subsequent monthly security update like 2024-10 (KB5044284)</li></ul>|<ul><li>A subsequent monthly security update like 2025-01 (KB5050009), or</li> <li> A subsequent optional nonsecurity release like 2024-11 (KB5046740) </li></ul>|
@ -79,15 +79,15 @@ Installing FoDs or language packs requires the full latest cumulative update pay
1. Run `DISM /add-package` with the latest `.msu` file as the sole target.
1. Run `/Cleanup-Image /StartComponentCleanup`.
1. Unmount.
1. Run `DISM /export-image` to optimize the image size, if that's important to you.
1. Run `DISM /export-image` to optimize the image size, if that's important to you.
**Device doesn't have the latest checkpoint cumulative update and doesn't need customization:**
Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
## Related articles
- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates)
- [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
- [How to download updates that include drivers and hotfixes from the Microsoft Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog)
- [Update Windows installation media with Dynamic Update](media-dynamic-update.md)
- [Update Windows installation media with Dynamic Update](media-dynamic-update.md)

48
windows/deployment/update/check-release-health.md
View File

@ -6,11 +6,11 @@ ms.subservice: itpro-updates
ms.topic: how-to
ms.author: mstewart
author: mestew
manager: aaroncz
manager: bpardi
ms.collection:
- tier2
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 06/04/2024
@ -41,7 +41,7 @@ Ensure the following prerequisites are met to display the Windows release health
## How to review Windows release health information
1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com) and sign in with an admin account.
1. To view Windows release health in the Microsoft 365 Admin Center, go to **Health > Windows release health**.
1. On the **Windows release health** page, you have access to known issue information for all supported versions of the Windows operating system.
@ -70,17 +70,17 @@ Ensure the following prerequisites are met to display the Windows release health
![A screenshot showing issue details.](images/WRH-known-issue-detail.png)
## Sign up for email notifications
## Sign up for email notifications
You can sign up for email notifications about Windows known issues and informational updates. Notifications include changes in issue status, new workarounds, and issue resolutions. To subscribe to notifications:
1. Go to the [Windows release health page](https://admin.microsoft.com/Adminportal/Home?#/windowsreleasehealth).
1. Select **Preferences**>**Email**, then select **Send me email notifications about Windows release health**.
1. Specify the following information:
1. Specify the following information:
- Email address for the notifications
- Each admin account can specify up to two email addresses under their email preferences
- Windows versions to be notified about
1. Select **Save** when you're finished specifying email addresses and Windows versions. It may take up to 8 hours for these changes to take effect.
1. Select **Save** when you're finished specifying email addresses and Windows versions. It may take up to 8 hours for these changes to take effect.
> [!Note]
> When a single known issue affects multiple versions of Windows, you'll receive only one email notification, even if you've selected notifications for multiple versions. Duplicate emails won't be sent.
@ -114,13 +114,13 @@ In the **Windows release health** experience, every known issue is assigned as s
## Known issue history
The Windows release health page lets you view the history of all status updates posted for a specific known issue. To view all past updates posted for a given issue, select **View history** on the issue detail page.
![Screenshot of the link to view message history.](images/WRH-view-message-history-padded.png)
A list of all status updates posted in the selected time frame is displayed. You can expand any row to view the specific information provided in that status update.
A list of all status updates posted in the selected time frame is displayed. You can expand any row to view the specific information provided in that status update.
![Screenshot of the message history.](images/WRH-message-history-example-padded.png)
## Frequently asked questions
### Windows release health coverage
@ -128,48 +128,48 @@ A list of all status updates posted in the selected time frame is displayed. You
- **What is Windows release health?**
Windows release health is a Microsoft informational service created to keep licensed Windows customers aware of identified known issues and important announcements.
- **Microsoft 365 service health content is specific to my tenants and services. Is the content in Windows release health specific to my Windows environment?**
- **Microsoft 365 service health content is specific to my tenants and services. Is the content in Windows release health specific to my Windows environment?**
Windows release health doesn't monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version.
- **Where do I find Windows release health?**
- **Where do I find Windows release health?**
After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, select **Health** to display the **Windows release health** menu option.
- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Microsoft Learn?**
- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Microsoft Learn?**
No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you'll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
- **How often will content be updated?**
- **How often will content be updated?**
To ensure Windows customers have important information as soon as possible, all major known issues are shared with Windows customers on both Microsoft Learn and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
- **Can I share this content publicly or with other Windows customers?**
- **Can I share this content publicly or with other Windows customers?**
Windows release health is provided to you as a licensed Windows customer and isn't to be shared publicly.
- **Is the content redundant? How is the content organized in the different tabs?**
- **Is the content redundant? How is the content organized in the different tabs?**
Windows release health provides three tabs. The landing **All versions** tab allows you to select a specific version of Windows. The **Known issues** tab shows the list of issues that are active or resolved in the past 30 days. The **History** tab shows a six-month history of known issues that have been resolved.
- **How do I find information for the versions of Windows I'm managing?**
- **How do I find information for the versions of Windows I'm managing?**
On the **All versions** tab, you can select any Windows version. This action takes you to the **Known issues** tab filtered for the version you selected. The **Known issues** tab provides the list of active known issues and the issues resolved in the last 30 days. This selection persists throughout your session until changed. From the **History** tab, you can view the list of resolved issues for that version. To change versions, use the filter in the tab.
### Microsoft 365 Admin Center functions
- **How do I best search for issues impacting my environment?**
- **How do I best search for issues impacting my environment?**
You can search Microsoft 365 admin center pages using keywords. For Windows release health, go to the desired product page and search using KB numbers, build numbers, or keywords.
- **How do I add other Windows admins?**
- **How do I add other Windows admins?**
Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of **Service Support admin**.
- **Why can't I click to the KB article from the Known issues or History tabs?**
- **Why can't I click to the KB article from the Known issues or History tabs?**
Within the issue description, you'll find links to the KB articles. In the known issue and history tabs, the entire row is a clickable entry to the issue's Details pane.
- **Microsoft 365 admin center has a mobile app but I don't see Windows release health under the Health menu. Is this an open issue?**
- **Microsoft 365 admin center has a mobile app but I don't see Windows release health under the Health menu. Is this an open issue?**
We're working to build the Windows release health experience on mobile devices in a future release.
### Help and support
- **What should I do if I have an issue with Windows that is not reported in Windows release health?**
- **What should I do if I have an issue with Windows that is not reported in Windows release health?**
Seek assistance through Premier support, the [Microsoft Support website](https://support.microsoft.com), or connect with your normal channels for Windows support.
- **When reaching out to Support, they asked me for an advisory ID. What is this and where can it?**
- **When reaching out to Support, they asked me for an advisory ID. What is this and where can it?**
The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the known issue you're seeking help on, select the **Details** pane, and you'll find the ID under the issue title. The ID is the letters `WI` followed by a number, similar to `WI123456`.
- **How can I learn more about expanding my use of Microsoft 365 admin center?**

8
windows/deployment/update/create-deployment-plan.md
View File

@ -6,11 +6,11 @@ ms.subservice: itpro-updates
ms.topic: install-set-up-deploy
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.collection:
- tier2
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
@ -48,14 +48,14 @@ There are basically two strategies for moving deployments from one ring to the n
- "Red button" (service-based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
- "Green button" (project-based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
When it comes to deployments, having manual steps in the process usually impedes update velocity. A "red button" strategy is better when that is your goal.
When it comes to deployments, having manual steps in the process usually impedes update velocity. A "red button" strategy is better when that is your goal.
## Preview ring
The purpose of the Preview ring is to evaluate the new features of the update. It's *not* for broad parts of the organization but is limited to the people who are responsible for knowing what is coming next, generally IT administrators. Ultimately, this phase is the time the design and planning work happens so that when the public update is shipped, you can have greater confidence in the update.
> [!NOTE]
> Being part of the [Windows Insider Program](https://insider.windows.com/for-business/) gives you early access to Windows releases so that you can use Insider Preview builds in your Preview ring to validate your apps and infrastructure, preparing you for public Windows releases.
> Being part of the [Windows Insider Program](https://insider.windows.com/for-business/) gives you early access to Windows releases so that you can use Insider Preview builds in your Preview ring to validate your apps and infrastructure, preparing you for public Windows releases.
### Who goes in the Preview ring?

4
windows/deployment/update/eval-infra-tools.md
View File

@ -6,9 +6,9 @@ ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 10/31/2023

2
windows/deployment/update/feature-update-user-install.md
View File

@ -6,7 +6,7 @@ ms.subservice: itpro-updates
ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>

16
windows/deployment/update/fod-and-lang-packs.md
View File

@ -7,8 +7,8 @@ ms.topic: reference
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
manager: aaroncz
appliesto:
manager: bpardi
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a>
@ -17,19 +17,19 @@ ms.date: 10/01/2024
---
# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
This reference article describes how to make Features on Demand (FoDs) and language packs available when you're using Windows Server Update Services (WSUS) or Configuration Manager for specific versions of Windows.
## High-level changes affecting Features on Demand and language pack content
The following changes for FoD and language pack content affected how client policy needs to be configured:
- Starting in Windows 10 version 1709, you can't use WSUS to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FoDs) locally.
- Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
Due to these changes, the **Specify settings for optional component installation and component repair** ([ADMX_Servicing](/windows/client-management/mdm/policy-csp-admx-servicing)) policy, located under `Computer Configuration\Administrative Templates\System` was used to specify alternate ways to acquire FoDs and language packs, along with content for corruption repair. This policy allows specifying one alternate location. It's important to note the policy behaves differently across OS versions. For more information, see the [Version specific information for Features on Demand and language packs](#version-specific-information-for-features-on-demand-and-language-packs) section.
Due to these changes, the **Specify settings for optional component installation and component repair** ([ADMX_Servicing](/windows/client-management/mdm/policy-csp-admx-servicing)) policy, located under `Computer Configuration\Administrative Templates\System` was used to specify alternate ways to acquire FoDs and language packs, along with content for corruption repair. This policy allows specifying one alternate location. It's important to note the policy behaves differently across OS versions. For more information, see the [Version specific information for Features on Demand and language packs](#version-specific-information-for-features-on-demand-and-language-packs) section.
The introduction of the **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<UpdateClass\>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) policy in Windows 10, version 2004 further complicated configuring settings for FoD and language pack content.
The introduction of the **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<UpdateClass\>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) policy in Windows 10, version 2004 further complicated configuring settings for FoD and language pack content.
Starting in Windows 11, version 22H2, on-premises Unified Update Platform (UUP) updates were introduced. FoDs and language packs are available from WSUS again. It's no longer necessary to use the **Specify settings for optional component installation and component repair** policy for FoD and language pack content. This policy was modified starting in Windows 11, version 24H2 and the following options were removed:<!--8914508-->
- Never attempt to download payload from Windows Update
@ -37,10 +37,10 @@ Starting in Windows 11, version 22H2, on-premises Unified Update Platform (UUP)
## Version specific information for Features on Demand and language packs
Windows 11, version 22H2, and later clients use on-premises Unified Update Platform (UUP) updates with WSUS and Microsoft Configuration Manager. These clients don't need to use **Specify settings for optional component installation and component repair** for FoDs and language packs since the content is available in WSUS due to on-premises UUP. The policy was modified starting in Windows 11, version 24H2 to remove the unneeded options.<!--8914508-->
Windows 11, version 22H2, and later clients use on-premises Unified Update Platform (UUP) updates with WSUS and Microsoft Configuration Manager. These clients don't need to use **Specify settings for optional component installation and component repair** for FoDs and language packs since the content is available in WSUS due to on-premises UUP. The policy was modified starting in Windows 11, version 24H2 to remove the unneeded options.<!--8914508-->
For Windows 10, version 2004 through Windows 11, version 21H2, clients can't download FoDs or language packs when **Specify settings for optional component installation and component repair** is set to Windows Update and **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<FeatureUpdates/QualityUpdates>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) for either feature or quality updates is set to WSUS. If you need this content, you can set **Specify settings for optional component installation and component repair** to Windows Update and then either:
- Change the source selection for feature and quality updates to Windows Update
- Change the source selection for feature and quality updates to Windows Update
- Allow all classes of updates to come from WSUS by not configuring any source selections <!--8907933-->
> [!Note]

2
windows/deployment/update/forward-reverse-differentials.md
View File

@ -6,7 +6,7 @@ ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>

8
windows/deployment/update/get-started-updates-channels-tools.md
View File

@ -6,9 +6,9 @@ ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
@ -31,7 +31,7 @@ version of the software.
## Types of updates
We include information here about many different update types you hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*.
We include information here about many different update types you hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*.
- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they're delivered frequently (rather than every 3-5 years), they're easier to manage.
- **Quality updates:** Quality updates deliver both security and nonsecurity fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They're typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
@ -68,7 +68,7 @@ We recommend that you use the Windows Insider Release Preview channel for valida
The **Long-Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as ones that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSC releases service a special LTSC edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
The General Availability Channel is the default servicing channel for all Windows devices except those with the LTSC edition installed. The following table shows the servicing channels available to each edition.
The General Availability Channel is the default servicing channel for all Windows devices except those with the LTSC edition installed. The following table shows the servicing channels available to each edition.
| Edition | General Availability Channel | Insider Program | Long-Term Servicing Channel |

114
windows/deployment/update/how-windows-update-works.md
View File

@ -6,9 +6,9 @@ ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
@ -16,7 +16,7 @@ ms.date: 12/31/2017
# How Windows Update works
The Windows Update workflow has four core areas of functionality:
The Windows Update workflow has four core areas of functionality:
1. Scan
1. Orchestrator schedules the scan.
@ -35,49 +35,49 @@ The Windows Update workflow has four core areas of functionality:
1. The arbiter finalizes before the restart.
## How updating works
During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does these actions automatically, according to your settings, and silently so that doesn't disrupt your computer usage.
## How updating works
During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does these actions automatically, according to your settings, and silently so that doesn't disrupt your computer usage.
## Scanning updates
## Scanning updates
![Windows Update scanning step.](images/update-scan-step.png)
The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.
The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.
When devices check for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies.
When devices check for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies.
Make sure you're familiar with the following terminology related to Windows Update scan:
|Term|Definition|
|----|----------|
|Update|We use this term to mean several different things, but in this context it's the actual updated code or change.|
|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.|
|Child update|Leaf update that's bundled by another update; contains payload.|
|Detector update|A special update that contains `IsInstalled` applicability rule only and no payload. Used for prerequisite evaluation.|
|Update|We use this term to mean several different things, but in this context it's the actual updated code or change.|
|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.|
|Child update|Leaf update that's bundled by another update; contains payload.|
|Detector update|A special update that contains `IsInstalled` applicability rule only and no payload. Used for prerequisite evaluation.|
|Category update|A special `detectoid` that has an `IsInstalled` rule that is always true. Used for grouping updates and allowing the device to filter updates. |
|Full scan|Scan with empty datastore.|
|Delta scan|Scan with updates from previous scan already cached in datastore.|
|Full scan|Scan with empty datastore.|
|Delta scan|Scan with updates from previous scan already cached in datastore.|
|Online scan|Scan that uses the network and to check an update server. |
|Offline scan|Scan that doesn't use the network and instead checks the local datastore. Only useful if online scan has been performed before. |
|CatScan|Category scan where caller can specify a **categoryId** to get updates published under that **categoryId**.|
|AppCatScan|Category scan where caller can specify an **AppCategoryId** to get apps published under that **appCategoryId**.|
|Software sync|Part of the scan that only checks for software updates (both the apps and the operating system).|
|Driver sync|Part of the scan that checks driver updates only. This sync is optional and runs after the software sync.|
|CatScan|Category scan where caller can specify a **categoryId** to get updates published under that **categoryId**.|
|AppCatScan|Category scan where caller can specify an **AppCategoryId** to get apps published under that **appCategoryId**.|
|Software sync|Part of the scan that only checks for software updates (both the apps and the operating system).|
|Driver sync|Part of the scan that checks driver updates only. This sync is optional and runs after the software sync.|
|ProductSync|A sync based on attributes, in which the client provides a list of device, product, and caller attributes ahead of time to allow service to check applicability in the cloud. |
### How Windows Update scanning works
Windows Update does the following actions when it runs a scan.
### How Windows Update scanning works
#### Starts the scan for updates
When users start scanning in Windows Update through the Settings panel, the following occurs:
Windows Update does the following actions when it runs a scan.
- The scan first generates a `ComApi` message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates.
- "Agent" messages: queueing the scan, then actually starting the work:
- Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers.
- Windows Update uses the thread ID filtering to concentrate on one particular task.
#### Starts the scan for updates
When users start scanning in Windows Update through the Settings panel, the following occurs:
- The scan first generates a `ComApi` message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates.
- "Agent" messages: queueing the scan, then actually starting the work:
- Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers.
- Windows Update uses the thread ID filtering to concentrate on one particular task.
![Windows Update scan log 1.](images/update-scan-log-1.png)
#### Proxy Behavior
For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP: SimpleAuth Web Service](/openspecs/windows_protocols/ms-wusp/61235469-6c2f-4c08-9749-e35d52c16899), [MS-WUSP: Client Web Service](/openspecs/windows_protocols/ms-wusp/69093c08-da97-445e-a944-af0bef36e4ec)):
- System proxy is attempted (set using the `netsh` command).
@ -92,57 +92,57 @@ For Windows Update URLs that _aren't_ used for update detection, such as for dow
#### Identifies service IDs
- Service IDs indicate which update source is being scanned.
- Service IDs indicate which update source is being scanned.
- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates.
- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates.
![Windows Update scan log 2.](images/update-scan-log-2.png)
- Common service IDs
- Common service IDs
> [!IMPORTANT]
> ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to. It's totally controlled by responses from the Service Locator Service.
> ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to. It's totally controlled by responses from the Service Locator Service.
|Service|ServiceId|
|-------|---------|
|-------|---------|
|Unspecified / Default|Windows Update, Microsoft Update, or WSUS <br>00000000-0000-0000-0000-000000000000 |
|Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77|
|Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d|
|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289|
|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552|
|Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77|
|Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d|
|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289|
|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552|
|WSUS or Configuration Manager|Via ServerSelection::ssManagedServer <br>3DA21691-E39D-4da6-8A4B-B43877BCB1B7 |
|Offline scan service|Via IUpdateServiceManager::AddScanPackageService|
|Offline scan service|Via IUpdateServiceManager::AddScanPackageService|
#### Finds network faults
Common update failure is caused due to network issues. To find the root of the issue:
Common update failure is caused due to network issues. To find the root of the issue:
- Look for "ProtocolTalker" messages to see client-server sync network traffic.
- "SOAP faults" can be either client- or server-side issues; read the message.
- The Windows Update client uses the Service Locator Service to discover the configurations and endpoints of Microsoft network update sources: Windows update, Microsoft Update, or Flighting.
- Look for "ProtocolTalker" messages to see client-server sync network traffic.
- "SOAP faults" can be either client- or server-side issues; read the message.
- The Windows Update client uses the Service Locator Service to discover the configurations and endpoints of Microsoft network update sources: Windows update, Microsoft Update, or Flighting.
> [!NOTE]
> If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service.
> If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service.
- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can't scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it's locally configured.
![Windows Update scan log 3.](images/update-scan-log-3.png)
## Downloading updates
## Downloading updates
![Windows Update download step.](images/update-download-step.png)
Once the Windows Update Orchestrator determines which updates apply to your computer, it begins downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.
Once the Windows Update Orchestrator determines which updates apply to your computer, it begins downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.
To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption.
For more information, see [Configure Delivery Optimization for Windows 10 updates](../do/waas-delivery-optimization.md).
To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption.
## Installing updates
For more information, see [Configure Delivery Optimization for Windows 10 updates](../do/waas-delivery-optimization.md).
## Installing updates
![Windows Update install step.](images/update-install-step.png)
When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list".
When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list".
The action list describes all the files needed from Windows Update, and what the installation agent (such as CBS or Setup) should do with them. The action list is provided to the installation agent along with the payload to begin the installation.
## Committing Updates
The action list describes all the files needed from Windows Update, and what the installation agent (such as CBS or Setup) should do with them. The action list is provided to the installation agent along with the payload to begin the installation.
## Committing Updates
![Windows Update commit step.](images/update-commit-step.png)
When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the device for you after installing the updates. It has to restart the device because it might be insecure, or not fully updated, until it restarts. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed.
When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the device for you after installing the updates. It has to restart the device because it might be insecure, or not fully updated, until it restarts. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed.
For more information, see [Manage device restarts after updates](waas-restart.md).
For more information, see [Manage device restarts after updates](waas-restart.md).

2
windows/deployment/update/includes/checkpoint-cumulative-updates.md
View File

@ -1,7 +1,7 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.subservice: itpro-updates
ms.service: windows-client
ms.topic: include

2
windows/deployment/update/includes/update-history.md
View File

@ -1,7 +1,7 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.subservice: itpro-updates
ms.service: windows-client
ms.topic: include

2
windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
View File

@ -1,7 +1,7 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.subservice: itpro-updates
ms.service: windows-client
ms.topic: include

4
windows/deployment/update/includes/wufb-reports-endpoints.md
View File

@ -1,7 +1,7 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.subservice: itpro-updates
ms.service: windows-client
ms.topic: include
@ -11,7 +11,7 @@ ms.localizationpriority: medium
<!-- This file is shared by update/wufb-reports-prerequisites.md and update/wufb-reports-configuration-manual.md articles. Headings are driven by article context. -->
Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data:
Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data:
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|

6
windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
View File

@ -1,7 +1,7 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.subservice: itpro-updates
ms.service: windows-client
ms.topic: include
@ -18,7 +18,7 @@ ms.localizationpriority: medium
- The Azure subscription
- The Log Analytics workspace
1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Windows Update for Business reports data**.
- Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
- Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
1. After the initial setup is complete, the **Windows** tab will display your Windows Update for Business reports data in the charts.
> [!Note]
> The device counts in the **Windows** tab may vary from the **Microsoft 365 Apps** tab since their requirements are different.
> The device counts in the **Windows** tab may vary from the **Microsoft 365 Apps** tab since their requirements are different.

4
windows/deployment/update/includes/wufb-reports-script-error-codes.md
View File

@ -1,7 +1,7 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.subservice: itpro-updates
ms.service: windows-client
ms.topic: include
@ -41,7 +41,7 @@ ms.localizationpriority: medium
| 62 | AllowTelemetry registry key isn't the correct type of REG_DWORD.|
| 63 | AllowTelemetry isn't set to the appropriate value and it couldn't be set by the script.|
| 64 | AllowTelemetry isn't the correct type of REG_DWORD.|
| 66 | Failed to verify UTC connectivity and recent uploads.|
| 66 | Failed to verify UTC connectivity and recent uploads.|
| 67 | Unexpected failure when verifying UTC CSP.|
| 99 | Device isn't Windows 10 or Windows 11.|
| 100 | Device must be Microsoft Entra joined or Microsoft Entra hybrid joined to use Windows Update for Business reports.|

18
windows/deployment/update/includes/wufb-restart-notifications-compliance-deadlines.md
View File

@ -1,7 +1,7 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.subservice: itpro-updates
ms.service: windows-client
ms.topic: include
@ -12,27 +12,27 @@ ms.localizationpriority: medium
These deadline policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline passes. At that point, the device automatically schedules a restart regardless of active hours.
These notifications are what the user sees depending on the settings you choose, and what operating system version their device is running. Generally, the user notifications become more noticeable as the deadline approaches. The experience described is the default and assumes there's ample time for notifications before the [effective deadline](../wufb-compliancedeadlines.md) occurs. The description doesn't account for changes to the **Display options for update notifications** policy ([Update/NoUpdateNotificationsDuringActiveHours](/windows/client-management/mdm/policy-csp-update#noupdatenotificationsduringactivehours)) or other settings that would significantly change the experience.
These notifications are what the user sees depending on the settings you choose, and what operating system version their device is running. Generally, the user notifications become more noticeable as the deadline approaches. The experience described is the default and assumes there's ample time for notifications before the [effective deadline](../wufb-compliancedeadlines.md) occurs. The description doesn't account for changes to the **Display options for update notifications** policy ([Update/NoUpdateNotificationsDuringActiveHours](/windows/client-management/mdm/policy-csp-update#noupdatenotificationsduringactivehours)) or other settings that would significantly change the experience.
# [Windows 11, version 23H2 and later](#tab/w11-23h2-notifications)
The following notifications are what the user sees on Windows 11, version 23H2 and later, depending on the settings chosen by the user and the IT administrator:
When **Specify deadlines for automatic updates and restarts** is set:
When **Specify deadlines for automatic updates and restarts** is set:
While restart is pending, before the deadline occurs, users receive a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends.
While restart is pending, before the deadline occurs, users receive a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends.
- If the user set [the option](../waas-wufb-csp-mdm.md#user-settings-for-notifications) **Settings** > **Windows Update** > **Advanced options** > **Notify me when a restart is required to finish updating** to **On**, they immediately receive the toast notification when the device enters a restart pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare.
- If the user set **Notify me when a restart is required to finish updating** to **Off** (default), they receive a toast notification that a restart is required 24 hours after the device enters a restart pending state for updates.
:::image type="content" source="../media/9091858-11-initial-toast.png" alt-text="Screenshot of the initial toast notification displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but isn't past the deadline." lightbox="../media/9091858-initial-toast.png":::
Depending on settings both users and admins configure, toast notification may occur occasionally before the day of the deadline to remind the user of the update. During this time, if they're allowed, automatic restarts might be scheduled after active hours.
Depending on settings both users and admins configure, toast notification may occur occasionally before the day of the deadline to remind the user of the update. During this time, if they're allowed, automatic restarts might be scheduled after active hours.
- If an automatic restart is scheduled or the user scheduled the restart, and the user is signed in at that time, they receive a notification 15 minutes before the scheduled time.
:::image type="content" source="../media/9091858-11-pre-deadline-restart-imminent.png" alt-text="Screenshot of the dialog displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now or acknowledge the notification" lightbox="../media/9091858-pre-deadline-restart-imminent.png":::
As the device approaches the deadline time, a notification displays in the middle of the screen that contains the deadline time and options to restart now or acknowledge the notification.
As the device approaches the deadline time, a notification displays in the middle of the screen that contains the deadline time and options to restart now or acknowledge the notification.
:::image type="content" source="../media/9091858-11-dialog-18-hours.png" alt-text="Screenshot of the dialog displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now or acknowledge the notification." lightbox="../media/9091858-11-dialog-18-hours.png":::
@ -58,14 +58,14 @@ The following notifications are what the user sees on Windows 11, version 22H2 a
When **Specify deadlines for automatic updates and restarts** is set:
For the first few days, the user receives a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends.
For the first few days, the user receives a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends.
- If the device is Windows 11, version 22H2 and the user set [the option](../waas-wufb-csp-mdm.md#user-settings-for-notifications) **Settings** > **Windows Update** > **Advanced options** > **Notify me when a restart is required to finish updating** to **On**, they immediately receive the toast notification when the device enters a restart pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare.
- If the device is Windows 11, version 22H2 and the user set **Notify me when a restart is required to finish updating** to **Off** (default), they receive a toast notification that a restart is required 24 hours after the device enters a reboot pending state for updates.
:::image type="content" source="../media/9091858-11-initial-toast.png" alt-text="Screenshot of the initial toast notification displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but isn't past the deadline." lightbox="../media/9091858-initial-toast.png":::
Depending on settings both users and admins configure, notifications display in the middle of the screen as the deadline gets closer.
Depending on settings both users and admins configure, notifications display in the middle of the screen as the deadline gets closer.
- If there's still time for an automatic restart to occur after active hours, the dialog displays an option to let the device restart later along with options to restart now or to pick a time to schedule a restart.
- If there's not time for an automatic restart to occur after active hours, the dialog displays options to pick a time to schedule a restart, restart now, or remind the user later.
@ -76,7 +76,7 @@ During this time before the deadline is reached, if they're allowed, automatic r
:::image type="content" source="../media/9091858-11-pre-deadline-restart-imminent.png" alt-text="Screenshot of the dialog displayed for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now, schedule a restart, or acknowledge the notification. This notification is displayed for Windows 11, version 22H2, and earlier devices." lightbox="../media/9091858-11-pre-deadline-restart-imminent.png":::
The day of the deadline, a notification displays that contains the deadline time and options to restart now or acknowledge the notification.
The day of the deadline, a notification displays that contains the deadline time and options to restart now or acknowledge the notification.
:::image type="content" source="../media/9091858-11-dialog-18-hours.png" alt-text="Screenshot of the dialog displayed for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now or acknowledge the notification. This notification is displayed for Windows 11, version 22H2, and earlier devices." lightbox="../media/9091858-11-dialog-18-hours.png":::

122
windows/deployment/update/media-dynamic-update.md
View File

@ -6,10 +6,10 @@ ms.subservice: itpro-updates
ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.reviewer: stevedia
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server</a>
@ -38,11 +38,11 @@ Devices must be able to connect to the internet to obtain Dynamic Updates. In so
## Acquire Dynamic Update packages
You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. Check various parts of the results to be sure you've identified the files needed. The following tables show the key values to search for or look for in the results.
You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. Check various parts of the results to be sure you've identified the files needed. The following tables show the key values to search for or look for in the results.
### Windows Server 2025 Dynamic Update packages
**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update.
**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update.
| Update packages |Title |
|-----------------------------------|--------------------------------------------------------------------------------------|
@ -161,7 +161,7 @@ Optional Components, along with the .NET feature, can be installed offline. Howe
### Checkpoint cumulative updates
Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update might have a prerequisite cumulative update that is required to be installed first. These updates are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates are available from the download button. In addition, the knowledge base article for the cumulative update provides additional information.
Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update might have a prerequisite cumulative update that is required to be installed first. These updates are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates are available from the download button. In addition, the knowledge base article for the cumulative update provides additional information.
To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` is used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update are processed. If you aren't customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls can't be used for steps 12 and 23.
@ -253,13 +253,13 @@ Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContai
### Update WinRE and each main OS Windows edition
The script updates each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
The script updates each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack via the latest cumulative update, since its components are used for updating other components. Depending on the Windows release that you're updating, there are two different approaches for updating the servicing stack. The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that includes the servicing stack updates (that is, SSU + LCU are combined). Windows 11, version 21H2, and Windows 11, version 22H2 are examples. In these cases, the servicing stack update isn't published separately; the combined cumulative update should be used for this step. However, in rare cases, there might be a breaking change in the combined cumulative update format change, that requires a standalone servicing stack update to be published, and installed first before the combined cumulative update can be installed. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack via the latest cumulative update, since its components are used for updating other components. Depending on the Windows release that you're updating, there are two different approaches for updating the servicing stack. The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that includes the servicing stack updates (that is, SSU + LCU are combined). Windows 11, version 21H2, and Windows 11, version 22H2 are examples. In these cases, the servicing stack update isn't published separately; the combined cumulative update should be used for this step. However, in rare cases, there might be a breaking change in the combined cumulative update format change, that requires a standalone servicing stack update to be published, and installed first before the combined cumulative update can be installed. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
Next, for the mounted OS image, the script starts by applying the servicing stack via the latest cumulative update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then attempts to clean the image, then a final step to apply the latest cumulative update. It's important to apply the latest cumulative update last, to ensure Features on Demand, Optional Components, and Languages are updated from their initial release state. The .NET feature is an exception that's added along with its cumulative update next. Finally, the script exports the image.
Next, for the mounted OS image, the script starts by applying the servicing stack via the latest cumulative update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then attempts to clean the image, then a final step to apply the latest cumulative update. It's important to apply the latest cumulative update last, to ensure Features on Demand, Optional Components, and Languages are updated from their initial release state. The .NET feature is an exception that's added along with its cumulative update next. Finally, the script exports the image.
This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim.
This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim.
```powershell
@ -270,14 +270,14 @@ This process is repeated for each edition of Windows within the main operating s
# Get the list of images contained within the main OS
$WINOS_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim"
Foreach ($IMAGE in $WINOS_IMAGES)
Foreach ($IMAGE in $WINOS_IMAGES)
{
# first mount the main OS image
Write-Output "$(Get-TS): Mounting main OS, image index $($IMAGE.ImageIndex)"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index $IMAGE.ImageIndex -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
if ($IMAGE.ImageIndex -eq "1")
if ($IMAGE.ImageIndex -eq "1")
{
#
@ -288,21 +288,21 @@ Foreach ($IMAGE in $WINOS_IMAGES)
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update (Step 1 from the table)
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinRE"
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinRE"
try
{
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
}
Catch
{
$theError = $_
Write-Output "$(Get-TS): $theError"
if ($theError.Exception -like "*0x8007007e*")
if ($theError.Exception -like "*0x8007007e*")
{
Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore."
}
else
else
{
throw
}
@ -311,42 +311,42 @@ Foreach ($IMAGE in $WINOS_IMAGES)
#
# Optional: Add the language to recovery environment
#
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
$WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
Foreach ($PACKAGE in $WINRE_INSTALLED_OC)
Foreach ($PACKAGE in $WINRE_INSTALLED_OC)
{
if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
{
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
if ($INDEX -ge 0)
{
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
{
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
}
}
}
# Add font support for the new language
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
{
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
# Add TTS support for the new language
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
{
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
{
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
@ -363,7 +363,7 @@ Foreach ($IMAGE in $WINOS_IMAGES)
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinRE"
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
if ($LastExitCode -ne 0)
if ($LastExitCode -ne 0)
{
throw "Error: Failed to perform image cleanup on WinRE. Exit code: $LastExitCode"
}
@ -376,9 +376,9 @@ Foreach ($IMAGE in $WINOS_IMAGES)
Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
}
Copy-Item -Path $WORKING_PATH"\winre2.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -ErrorAction stop | Out-Null
#
# update Main OS
#
@ -415,14 +415,14 @@ Foreach ($IMAGE in $WINOS_IMAGES)
{
Write-Output "$(Get-TS): Adding $($FOD[$index]) to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name $($FOD[$index]) -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
}
}
# Optional: Add Legacy Features
For ( $index = 0; $index -lt $OC.count; $index++)
{
Write-Output "$(Get-TS): Adding $($OC[$index]) to main OS, index $($IMAGE.ImageIndex)"
DISM /Image:$MAIN_OS_MOUNT /Enable-Feature /FeatureName:$($OC[$index]) /All | Out-Null
if ($LastExitCode -ne 0)
if ($LastExitCode -ne 0)
{
throw "Error: Failed to add $($OC[$index]) to main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
}
@ -432,14 +432,14 @@ Foreach ($IMAGE in $WINOS_IMAGES)
Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
# Perform image cleanup. Some Optional Components might require the image to be booted, and thus
# Perform image cleanup. Some Optional Components might require the image to be booted, and thus
# image cleanup may fail. We'll catch and handle as a warning.
Write-Output "$(Get-TS): Performing image cleanup on main OS, index $($IMAGE.ImageIndex)"
DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
if ($LastExitCode -ne 0)
if ($LastExitCode -ne 0)
{
if ($LastExitCode -eq -2146498554)
{
if ($LastExitCode -eq -2146498554)
{
# We hit 0x800F0806 CBS_E_PENDING. We will ignore this with a warning
# This is likely due to legacy components being added that require online operations.
Write-Warning "$(Get-TS): Failed to perform image cleanup on main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode. The operation cannot be performed until pending servicing operations are completed. The image must be booted to complete the pending servicing operation."
@ -482,7 +482,7 @@ This script is similar to the one that updates WinRE, but instead it mounts Boot
# Get the list of images contained within WinPE
$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
Foreach ($IMAGE in $WINPE_IMAGES)
Foreach ($IMAGE in $WINPE_IMAGES)
{
# update WinPE
@ -493,17 +493,17 @@ Foreach ($IMAGE in $WINPE_IMAGES)
try
{
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null
}
Catch
{
$theError = $_
Write-Output "$(Get-TS): $theError"
if ($theError.Exception -like "*0x8007007e*")
if ($theError.Exception -like "*0x8007007e*")
{
Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore."
}
else
else
{
throw
}
@ -515,36 +515,36 @@ Foreach ($IMAGE in $WINPE_IMAGES)
# Install language cabs for each optional package installed
$WINPE_INSTALLED_OC = Get-WindowsPackage -Path $WINPE_MOUNT
Foreach ($PACKAGE in $WINPE_INSTALLED_OC)
Foreach ($PACKAGE in $WINPE_INSTALLED_OC)
{
if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
{
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
if ($INDEX -ge 0)
if ($INDEX -ge 0)
{
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
{
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
}
}
}
# Add font support for the new language
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
{
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
# Add TTS support for the new language
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
{
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
{
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
@ -555,11 +555,11 @@ Foreach ($IMAGE in $WINPE_IMAGES)
}
# Generates a new Lang.ini file which is used to define the language packs inside the image
if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") )
if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") )
{
Write-Output "$(Get-TS): Updating lang.ini"
DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
if ($LastExitCode -ne 0)
if ($LastExitCode -ne 0)
{
throw "Error: Failed to update lang.ini. Exit code: $LastExitCode"
}
@ -572,33 +572,33 @@ Foreach ($IMAGE in $WINPE_IMAGES)
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinPE, image index $($IMAGE.ImageIndex)"
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
if ($LastExitCode -ne 0)
if ($LastExitCode -ne 0)
{
throw "Error: Failed to perform image cleanup on WinPE, image index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
}
if ($IMAGE.ImageIndex -eq "2")
if ($IMAGE.ImageIndex -eq "2")
{
# Save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null
# Save setuphost.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
# This is only required starting with Windows 11 version 24H2
$TEMP = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex
if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100")
if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100")
{
Copy-Item -Path $WINPE_MOUNT"\sources\setuphost.exe" -Destination $WORKING_PATH"\setuphost.exe" -Force -ErrorAction stop | Out-Null
}
else
else
{
Write-Output "$(Get-TS): Skipping copy of setuphost.exe; image version $($TEMP.Version)"
}
# Save serviced boot manager files later copy to the root media.
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgfw.efi" -Destination $WORKING_PATH"\bootmgfw.efi" -Force -ErrorAction stop | Out-Null
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgr.efi" -Destination $WORKING_PATH"\bootmgr.efi" -Force -ErrorAction stop | Out-Null
}
# Dismount
Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null
@ -623,7 +623,7 @@ This part of the script updates the Setup files. It simply copies the individual
# Add Setup DU by copy the files from the package into the newMedia
Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH"
cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null
if ($LastExitCode -ne 0)
if ($LastExitCode -ne 0)
{
throw "Error: Failed to expand $SETUP_DU_PATH. Exit code: $LastExitCode"
}
@ -633,7 +633,7 @@ Write-Output "$(Get-TS): Copying $WORKING_PATH\setup.exe to $MEDIA_NEW_PATH\sour
Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null
# Copy setuphost.exe from boot.wim, saved earlier.
if (Test-Path -Path $WORKING_PATH"\setuphost.exe")
if (Test-Path -Path $WORKING_PATH"\setuphost.exe")
{
Write-Output "$(Get-TS): Copying $WORKING_PATH\setuphost.exe to $MEDIA_NEW_PATH\sources\setuphost.exe"
Copy-Item -Path $WORKING_PATH"\setuphost.exe" -Destination $MEDIA_NEW_PATH"\sources\setuphost.exe" -Force -ErrorAction stop | Out-Null
@ -642,14 +642,14 @@ if (Test-Path -Path $WORKING_PATH"\setuphost.exe")
# Copy bootmgr files from boot.wim, saved earlier.
$MEDIA_NEW_FILES = Get-ChildItem $MEDIA_NEW_PATH -Force -Recurse -Filter b*.efi
Foreach ($File in $MEDIA_NEW_FILES)
Foreach ($File in $MEDIA_NEW_FILES)
{
if (($File.Name -ieq "bootmgfw.efi") -or ($File.Name -ieq "bootx64.efi") -or ($File.Name -ieq "bootia32.efi") -or ($File.Name -ieq "bootaa64.efi"))
if (($File.Name -ieq "bootmgfw.efi") -or ($File.Name -ieq "bootx64.efi") -or ($File.Name -ieq "bootia32.efi") -or ($File.Name -ieq "bootaa64.efi"))
{
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgfw.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgfw.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
elseif ($File.Name -ieq "bootmgr.efi")
elseif ($File.Name -ieq "bootmgr.efi")
{
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgr.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgr.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null

114
windows/deployment/update/optional-content.md
View File

@ -6,21 +6,21 @@ ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 04/22/2024
---
# Migrating and acquiring optional Windows content during updates
This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term.
When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update).
When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update).
Neither approach contains the full set of Windows optional features that a user's device might need, so those features aren't migrated to the new operating system. In the past, those features weren't available in Configuration Manager nor WSUS for on-premises acquisition after a feature update.
Neither approach contains the full set of Windows optional features that a user's device might need, so those features aren't migrated to the new operating system. In the past, those features weren't available in Configuration Manager nor WSUS for on-premises acquisition after a feature update.
## What is optional content?
@ -29,7 +29,7 @@ Optional content includes the following items:
- General Features on Demand also referred to as FODs (for example, Windows Mixed Reality)
- Language-based and regional FODs (for example, Language.Basic~~~ja-jp~0.0.1.0)
- Local Experience Packs
- Language packs
- Language packs
Optional content isn't included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it's released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for user's data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network.
@ -39,9 +39,9 @@ The challenges surrounding optional content typically fall into two groups:
### Incomplete operating system updates
The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating system is written to the user's disk alongside the old version in a temporary folder, where a second clean operating system is installed and prepared for the user to *move into*. When operation happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system.
Windows Setup needs access to the optional content. Since optional content isn't in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can't be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to as *failure to migrate optional content during update*. For media-based updates, Windows will automatically try again once the new operating system boots. We call this *latent acquisition*.
The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating system is written to the user's disk alongside the old version in a temporary folder, where a second clean operating system is installed and prepared for the user to *move into*. When operation happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system.
Windows Setup needs access to the optional content. Since optional content isn't in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can't be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to as *failure to migrate optional content during update*. For media-based updates, Windows will automatically try again once the new operating system boots. We call this *latent acquisition*.
### User-initiated feature acquisition failure
@ -109,7 +109,7 @@ For many organizations, the deployment workflow involves a Configuration Manager
You can customize the Windows image in these ways:
- Applying a cumulative update
- Applying updates to the servicing stack
- Applying updates to the servicing stack
- Applying updates to `Setup.exe` binaries or other files that setup uses for feature updates
- Applying updates for the *safe operating system* (SafeOS) that's used for the Windows recovery environment
- Adding or removing languages
@ -124,11 +124,11 @@ A partial solution to address the first pain point of failing to migrate optiona
When Setup runs, it injects these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages can't be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cab files from the LPLIP ISO. <!--Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn't a fatal error. Starting with Windows 10, version 1903,--> We treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don't migrate FOD and languages (unless Dynamic Update is enabled).
This approach has some interesting benefits. The original Windows image doesn't need to be modified, possibly saving time and scripting.
This approach has some interesting benefits. The original Windows image doesn't need to be modified, possibly saving time and scripting.
### Option 6: Install optional content after deployment
This option is like Option 4 in that you customize the operating system image with more optional content after it's deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that's installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 5, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user's device without loss of functionality.
This option is like Option 4 in that you customize the operating system image with more optional content after it's deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that's installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 5, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user's device without loss of functionality.
### Option 7: Configure an alternative source for optional content
@ -161,7 +161,7 @@ Options 4 and 6 involve the most scripting. Sample scripts for Option 4 already
### Creating an optional content repository
To get started, we build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository.
To get started, we build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository.
@ -170,7 +170,7 @@ To get started, we build a repository of optional content and host on a network
$LP_ISO_PATH = "C:\_IMAGE\2004_ISO\CLIENTLANGPACKDVD_OEM_MULTI.iso"
$FOD_ISO_PATH = "C:\_IMAGE\2004_ISO\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
# Declare folders
# Declare folders
$WORKING_PATH = "C:\_IMAGE\BuildRepo"
$MEDIA_PATH = "C:\_IMAGE\2004_SETUP"
@ -178,20 +178,20 @@ $MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount"
$REPO_PATH = $WORKING_PATH + "\Repo"
# Create folders for mounting image optional content repository
if (Test-Path $MAIN_OS_MOUNT) {
Remove-Item -Path $MAIN_OS_MOUNT -Force -Recurse -ErrorAction stop| Out-Null
if (Test-Path $MAIN_OS_MOUNT) {
Remove-Item -Path $MAIN_OS_MOUNT -Force -Recurse -ErrorAction stop| Out-Null
}
if (Test-Path $REPO_PATH) {
Remove-Item -Path $REPO_PATH -Force -Recurse -ErrorAction stop| Out-Null
if (Test-Path $REPO_PATH) {
Remove-Item -Path $REPO_PATH -Force -Recurse -ErrorAction stop| Out-Null
}
New-Item -ItemType Directory -Force -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
New-Item -ItemType Directory -Force -Path $REPO_PATH -ErrorAction stop| Out-Null
New-Item -ItemType Directory -Force -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
New-Item -ItemType Directory -Force -Path $REPO_PATH -ErrorAction stop| Out-Null
# Mount the main OS, I'll use this throughout the script
Write-Host "Mounting main OS"
Mount-WindowsImage -ImagePath $MEDIA_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
Mount-WindowsImage -ImagePath $MEDIA_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
# Mount the LP ISO
Write-Host "Mounting LP ISO"
@ -203,9 +203,9 @@ $OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "*.cab"
# Mount the FOD ISO
Write-Host "Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
# Export the FODs from the ISO that we are interested in
# Export the FODs from the ISO that we are interested in
Write-Host "Exporting FODs to Repo"
DISM /image:$MAIN_OS_MOUNT /export-source /source:$FOD_PATH /target:$REPO_PATH `
/capabilityname:Accessibility.Braille~~~~0.0.1.0 `
@ -553,11 +553,11 @@ DISM /image:$MAIN_OS_MOUNT /export-source /source:$FOD_PATH /target:$REPO_PATH `
/capabilityname:Windows.Client.ShellComponents~~~~0.0.1.0 `
/capabilityname:Windows.Desktop.EMS-SAC.Tools~~~~0.0.1.0 `
/capabilityname:WMI-SNMP-Provider.Client~~~~0.0.1.0 `
/capabilityname:XPS.Viewer~~~~0.0.1.0
/capabilityname:XPS.Viewer~~~~0.0.1.0
# This one is large, lets skip for now
#/capabilityname:Analog.Holographic.Desktop~~~~0.0.1.0 `
# Copy language caps to the repo
Copy-Item -Path $OS_LP_PATH -Destination $REPO_PATH -Force -ErrorAction stop | Out-Null
@ -568,7 +568,7 @@ Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Discard -ErrorAction ignore | Out-Nu
# Dismount ISO images
Write-Host "Dismounting ISO images"
Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction ignore | Out-Null
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction ignore | Out-Null
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction ignore | Out-Null
```
@ -588,7 +588,7 @@ $OSVERSION_PATH = $OUTPUT_PATH + "sourceVersion.txt"
$REPO_PATH = "Z:\Repo\"
$LOCAL_REPO_PATH = $OUTPUT_PATH + "Local_Repo\"
Function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
Function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
Function Log
{
@ -600,7 +600,7 @@ Function Log
$M = "$(Get-TS): PreInstall: $MESSAGE"
Write-Host $M
Add-Content -Path $LOG_PATH -Value $M
}
Function IsLangFile
@ -612,7 +612,7 @@ Function IsLangFile
if (($PATH -match '[-_~]ar[-_~]') -or ($PATH -match '[-_~]bg[-_~]') -or ($PATH -match '[-_~]cs[-_~]') -or `
($PATH -match '[-_~]da[-_~]') -or ($PATH -match '[-_~]de[-_~]') -or ($PATH -match '[-_~]el[-_~]') -or `
($PATH -match '[-_~]en[-_~]') -or ($PATH -match '[-_~]es[-_~]') -or ($PATH -match '[-_~]et[-_~]') -or `
($PATH -match '[-_~]en[-_~]') -or ($PATH -match '[-_~]es[-_~]') -or ($PATH -match '[-_~]et[-_~]') -or `
($PATH -match '[-_~]fi[-_~]') -or ($PATH -match '[-_~]fr[-_~]') -or ($PATH -match '[-_~]he[-_~]') -or `
($PATH -match '[-_~]hr[-_~]') -or ($PATH -match '[-_~]hu[-_~]') -or ($PATH -match '[-_~]it[-_~]') -or `
($PATH -match '[-_~]ja[-_~]') -or ($PATH -match '[-_~]ko[-_~]') -or ($PATH -match '[-_~]lt[-_~]') -or `
@ -643,7 +643,7 @@ Log "OS Version: $($OSINFO.Version)"
Add-Content -Path $OSVERSION_PATH -Value $OSINFO.Version
# Get installed languages from international settings
$INTL = DISM.exe /Online /Get-Intl /English
$INTL = DISM.exe /Online /Get-Intl /English
# Save only output lines with installed languages
$LANGUAGES = $INTL | Select-String -SimpleMatch 'Installed language(s)'
@ -659,22 +659,22 @@ $SYSLANG = $SYSLANG | ForEach-Object {$_.Line.Replace("Default system UI languag
# Save these languages
Log "Default system UI language on source OS: $($SYSLANG)"
ForEach ($ITEM in $LANGUAGES) {
ForEach ($ITEM in $LANGUAGES) {
Log "Installed language on source OS: $($ITEM)"
Add-Content -Path $LANG_PATH -Value $ITEM
}
# Get and save installed packages, we'll use this for debugging
$PACKAGES = Get-WindowsPackage -Online
ForEach ($ITEM in $PACKAGES) {
ForEach ($ITEM in $PACKAGES) {
if($ITEM.PackageState -eq "Installed") {
Log "Package $($ITEM.PackageName) is installed"
Log "Package $($ITEM.PackageName) is installed"
}
}
# Get and save capabilities
$CAPABILITIES = Get-WindowsCapability -Online
ForEach ($ITEM in $CAPABILITIES) {
$CAPABILITIES = Get-WindowsCapability -Online
ForEach ($ITEM in $CAPABILITIES) {
if($ITEM.State -eq "Installed") {
Log "Capability $($ITEM.Name) is installed"
Add-Content -Path $CAP_PATH -Value $ITEM.Name
@ -688,10 +688,10 @@ ForEach ($FILE in $REPO_FILES) {
If (!(Test-Path $Path)) {
New-Item -ItemType Directory -Path $PATH -Force | Out-Null
}
If ((IsLangFile $FILE.Name)) {
If ((IsLangFile $FILE.Name)) {
# Only copy those files where we need the primary languages from the source OS
ForEach ($ITEM in $LANGUAGES) {
ForEach ($ITEM in $LANGUAGES) {
if ($FILE.Name -match $Item) {
If (!(Test-Path (Join-Path $Path $File.Name))) {
@ -701,7 +701,7 @@ ForEach ($FILE in $REPO_FILES) {
else {
Log "File $($FILE.Name) already exists in local repository"
}
}
}
}
} Else {
@ -717,12 +717,12 @@ ForEach ($FILE in $REPO_FILES) {
}
Log ("Exiting")
```
### Adding optional content in the target operating system
After setup has completed successfully, we use success.cmd to retrieve the optional content state from the source operating system and install in the new operating system only if that's missing. Then, apply the latest monthly update as a final step.
After setup has completed successfully, we use success.cmd to retrieve the optional content state from the source operating system and install in the new operating system only if that's missing. Then, apply the latest monthly update as a final step.
```powershell
@ -735,7 +735,7 @@ $LOCAL_REPO_PATH = $OUTPUT_PATH + "Local_Repo\"
$LCU_PATH = $OUTPUT_PATH + "Windows10.0-KB4565503-x64_PSFX.cab"
$PENDING = $false
Function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
Function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
Function Log
{
@ -747,7 +747,7 @@ Function Log
$M = "$(Get-TS): PostInstall: $MESSAGE"
Write-Host $M
Add-Content -Path $LOG_PATH -Value $M
}
Log "Starting"
@ -765,7 +765,7 @@ if (!(Test-Path $LANG_PATH) -or !(Test-Path $CAP_PATH) -or !(Test-Path $OSVERSIO
else {
# Retrive OS version from source OS
$SOURCE_OSVERSION = Get-Content -Path $OSVERSION_PATH
$SOURCE_OSVERSION = Get-Content -Path $OSVERSION_PATH
if ($OSINFO.Version -eq $SOURCE_OSVERSION) {
Log "OS Version hasn't changed."
}
@ -773,10 +773,10 @@ else {
else {
# Retrive language list from source OS
$SOURCE_LANGUAGES = Get-Content -Path $LANG_PATH
$SOURCE_LANGUAGES = Get-Content -Path $LANG_PATH
# Get installed languages from International Settings
$INTL = DISM.exe /Online /Get-Intl /English
$INTL = DISM.exe /Online /Get-Intl /English
# Save System Language, save only output line with default system language
$SYS_LANG = $INTL | Select-String -SimpleMatch 'Default system UI language'
@ -786,53 +786,53 @@ else {
# Get and save installed packages, we'll use this for debugging
$PACKAGES = Get-WindowsPackage -Online
ForEach ($ITEM in $PACKAGES) {
ForEach ($ITEM in $PACKAGES) {
if($ITEM.PackageState -eq "Installed") {
Log "Package $($ITEM.PackageName) is installed"
}
}
# Loop through source OS languages, and install if missing on target OS
ForEach ($SOURCE_ITEM in $SOURCE_LANGUAGES) {
ForEach ($SOURCE_ITEM in $SOURCE_LANGUAGES) {
if ($SOURCE_ITEM -ne $SYS_LANG) {
# add missing languages except the system language
Log "Adding language Microsoft-Windows-Client-Language-Pack_x64_$($SOURCE_ITEM).cab"
try {
Add-WindowsPackage -Online -PackagePath "$($LOCAL_REPO_PATH)\Microsoft-Windows-Client-Language-Pack_x64_$($SOURCE_ITEM).cab" -ErrorAction stop | Out-Null
Add-WindowsPackage -Online -PackagePath "$($LOCAL_REPO_PATH)\Microsoft-Windows-Client-Language-Pack_x64_$($SOURCE_ITEM).cab" -ErrorAction stop | Out-Null
}
catch {
Log $_.Exception.Message
}
}
}
# Retrieve capabilities from source OS and target OS
$SOURCE_CAPABILITIES = Get-Content -Path $CAP_PATH
$CAPABILITIES = Get-WindowsCapability -Online
$CAPABILITIES = Get-WindowsCapability -Online
# Loop through source OS capabilities, and install if missing on target OS
ForEach ($SOURCE_ITEM in $SOURCE_CAPABILITIES) {
ForEach ($SOURCE_ITEM in $SOURCE_CAPABILITIES) {
$INSTALLED = $false
ForEach ($ITEM in $CAPABILITIES) {
ForEach ($ITEM in $CAPABILITIES) {
if ($ITEM.Name -eq $($SOURCE_ITEM)) {
if ($ITEM.State -eq "Installed") {
$INSTALLED = $true
break
}
}
}
}
# Add if not already installed
if (!($INSTALLED)) {
Log "Adding capability $SOURCE_ITEM"
try {
Add-WindowsCapability -Online -Name $SOURCE_ITEM -Source $LOCAL_REPO_PATH -ErrorAction stop | Out-Null
Add-WindowsCapability -Online -Name $SOURCE_ITEM -Source $LOCAL_REPO_PATH -ErrorAction stop | Out-Null
}
catch {
Log $_.Exception.Message
}
}
}
else {
Log "Capability $SOURCE_ITEM is already installed"
}
@ -840,11 +840,11 @@ else {
# Add LCU, this is required after adding FODs and languages
Log ("Adding LCU")
Add-WindowsPackage -Online -PackagePath $LCU_PATH -NoRestart
Add-WindowsPackage -Online -PackagePath $LCU_PATH -NoRestart
# Get packages, we'll use this for debugging and to see if we need to restart to install
$PACKAGES = Get-WindowsPackage -Online
ForEach ($ITEM in $PACKAGES) {
ForEach ($ITEM in $PACKAGES) {
Log "Package $($ITEM.PackageName) is $($ITEM.PackageState)"
if ($ITEM.PackageState -eq "InstallPending") {
$PENDING = $true

4
windows/deployment/update/plan-define-readiness.md
View File

@ -6,9 +6,9 @@ ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017

8
windows/deployment/update/plan-define-strategy.md
View File

@ -6,9 +6,9 @@ ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
@ -30,7 +30,7 @@ Here's a calendar showing an example schedule that applies one Windows feature u
[ ![Calendar showing an annual update cadence.](images/annual-calendar.png) ](images/annual-calendar.png#lightbox)
This approach provides approximately 12 months of use from each feature update before the next update is due to be installed by aligning to the Windows H2 feature update.
This approach provides approximately 12 months of use from each feature update before the next update is due to be installed by aligning to the Windows H2 feature update.
This cadence might be most suitable for you if any of these conditions apply:
@ -38,6 +38,6 @@ This cadence might be most suitable for you if any of these conditions apply:
- You want to wait and see how successful other companies are at adopting a Windows feature update.
- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows serviced in case business priorities change.
- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows serviced in case business priorities change.

2
windows/deployment/update/prepare-deploy-windows.md
View File

@ -6,7 +6,7 @@ ms.subservice: itpro-updates
ms.topic: concept-article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>

2
windows/deployment/update/release-cycle.md
View File

@ -6,7 +6,7 @@ ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>

6
windows/deployment/update/safeguard-holds.md
View File

@ -6,12 +6,12 @@ ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
ms.collection:
- highpri
- tier2
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
@ -47,5 +47,5 @@ We recommend that you don't attempt to manually update until issues have been re
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out.
With that in mind, IT admins who stay informed with [Windows Update for Business reports](wufb-reports-overview.md) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically.

14
windows/deployment/update/safeguard-opt-out.md
View File

@ -1,14 +1,14 @@
---
title: Opt out of safeguard holds
description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it.
description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 10/21/2020
@ -21,15 +21,15 @@ Safeguard holds prevent a device with a known compatibility issue from being off
## How can I opt out of safeguard holds?
IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update client policies devices running the following operating systems:
- Windows 11
- Windows 11
- Windows 10, version 1809, or later, with the October 2020 security update.
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues.
> Opting out of a safeguard hold can put devices at risk from known performance issues.
We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows client feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business.
Disabling safeguards doesn't guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you're bypassing the protection against known issues.
Disabling safeguards doesn't guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you're bypassing the protection against known issues.
> [!NOTE]
> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to **Not configured** even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft's default protection from known issues for each new feature update.
> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to **Not configured** even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft's default protection from known issues for each new feature update.

8
windows/deployment/update/servicing-stack-updates.md
View File

@ -6,12 +6,12 @@ ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.collection:
- highpri
- tier2
ms.localizationpriority: high
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server </a>
@ -34,9 +34,9 @@ Servicing stack updates provide fixes to the servicing stack, the component that
## What's the difference between a servicing stack update and a cumulative update?
Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. A servicing stack update improves the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates.
Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. A servicing stack update improves the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates.
Starting in February 2021, the cumulative update includes the latest servicing stack updates, providing a single combined cumulative update payload for Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. This combined monthly cumulative update is available on Windows 10, version 2004 and later starting with [KB4601382](https://support.microsoft.com/kb/4601382). If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you only have to select and deploy the monthly cumulative update. The latest servicing stack updates are automatically applied correctly. Release notes and file information for cumulative updates, including notes and information related to the servicing stack, are in a single KB article.
Starting in February 2021, the cumulative update includes the latest servicing stack updates, providing a single combined cumulative update payload for Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. This combined monthly cumulative update is available on Windows 10, version 2004 and later starting with [KB4601382](https://support.microsoft.com/kb/4601382). If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you only have to select and deploy the monthly cumulative update. The latest servicing stack updates are automatically applied correctly. Release notes and file information for cumulative updates, including notes and information related to the servicing stack, are in a single KB article.
## When are they released?

28
windows/deployment/update/update-baseline.md
View File

@ -6,9 +6,9 @@ ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
@ -18,20 +18,20 @@ ms.date: 12/31/2017
> [!NOTE]
> Update Baseline isn't currently available for Windows 11.
With the large number of different policies offered for Windows client, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations.
With the large number of different policies offered for Windows client, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations.
## Why is Update Baseline needed?
## Why is Update Baseline needed?
Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you're just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations.
Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you're just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations.
## You can use Update Baseline to:
## You can use Update Baseline to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. You can use Group Policy to configure a device with the setting values specified in the baseline.
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. You can use Group Policy to configure a device with the setting values specified in the baseline.
Update Baseline doesn't affect your offering policies, whether you're using deferrals or target version to manage which updates are offered to your devices and when.
Update Baseline doesn't affect your offering policies, whether you're using deferrals or target version to manage which updates are offered to your devices and when.
## Policies included in the Update Baseline
## Policies included in the Update Baseline
The Update Baseline configures settings in these Group Policy areas:
@ -39,11 +39,11 @@ The Update Baseline configures settings in these Group Policy areas:
- Windows Components/Delivery Optimization
- Windows Components/Windows Update
For the complete detailed list of all settings and their values, see the MSFT Windows Update.htm file in the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) at theDownload Center
For the complete detailed list of all settings and their values, see the MSFT Windows Update.htm file in the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) at theDownload Center
## How do I get started?
## How do I get started?
The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from theDownload Center.
The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from theDownload Center.
Today, the Update Baseline toolkit is currently only available for use with Group Policy.
Today, the Update Baseline toolkit is currently only available for use with Group Policy.

2
windows/deployment/update/update-managed-unmanaged-devices.md
View File

@ -8,7 +8,7 @@ ms.date: 06/25/2024
author: v-fvalentyna
ms.author: v-fvalentyna
ms.reviewer: mstewart,thtrombl,arcarley
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>

2
windows/deployment/update/update-other-microsoft-products.md
View File

@ -6,7 +6,7 @@ ms.subservice: itpro-updates
ms.topic: reference
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>

2
windows/deployment/update/update-policies.md
View File

@ -6,7 +6,7 @@ ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>

20
windows/deployment/update/waas-branchcache.md
View File

@ -6,27 +6,27 @@ ms.subservice: itpro-updates
ms.topic: article
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 11/16/2023
---
# Configure BranchCache for Windows client updates
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
- Distributed Cache mode operates like the [Delivery Optimization](../do/waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
- Distributed Cache mode operates like the [Delivery Optimization](../do/waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
> [!TIP]
> Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution.
> Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution.
- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf.
- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf.
For detailed information about how Distributed Cache mode and Hosted Cache mode work, see [BranchCache Overview](/previous-versions/windows/it-pro/windows-7/dd637832(v=ws.10)).
For detailed information about how Distributed Cache mode and Hosted Cache mode work, see [BranchCache Overview](/previous-versions/windows/it-pro/windows-7/dd637832(v=ws.10)).
## Configure clients for BranchCache
@ -34,12 +34,12 @@ Whether you use BranchCache with Configuration Manager or WSUS, each client that
In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization **Download mode** to '100' (Bypass) to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
> [!Note]
> [!Note]
> [Bypass Download mode (100)](../do/waas-delivery-optimization-reference.md#download-mode) is only available in Windows 10 (starting in version 1607) and deprecated in Windows 11. BranchCache isn't supported for content downloaded using Delivery Optimization in Windows 11. <!--8530422-->
## Configure servers for BranchCache
You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and Microsoft Configuration Manager.
You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and Microsoft Configuration Manager.
For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj572990(v=ws.11)) or [BranchCache Deployment Guide (Windows Server 2016)](/windows-server/networking/branchcache/deploy/branchcache-deployment-guide).

2
windows/deployment/update/waas-configure-wufb.md
View File

@ -1,6 +1,6 @@
---
title: Configure Windows Update client policies
manager: aaroncz
manager: bpardi
description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update client policies for your devices.
ms.service: windows-client
author: mestew

2
windows/deployment/update/waas-integrate-wufb.md
View File

@ -6,7 +6,7 @@ ms.subservice: itpro-updates
ms.topic: integration
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>

96
windows/deployment/update/waas-manage-updates-wsus.md
View File

@ -6,34 +6,34 @@ ms.subservice: itpro-updates
ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
manager: bpardi
ms.collection:
- highpri
- tier2
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>
- ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>
ms.date: 04/22/2024
---
# Deploy Windows client updates using Windows Server Update Services (WSUS)
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they're delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update client policies but doesn't provide all the scheduling options and deployment flexibility that Microsoft Configuration Manager provides.
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you're currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11.
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you're currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11.
## Requirements for Windows client servicing with WSUS
To be able to use WSUS to manage and deploy Windows feature updates, you must use a supported WSUS version:
To be able to use WSUS to manage and deploy Windows feature updates, you must use a supported WSUS version:
- WSUS 10.0.14393 (role in Windows Server 2016)
- WSUS 10.0.17763 (role in Windows Server 2019)
- WSUS 10.0.17763 (role in Windows Server 2019)
- WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2)
- KB 3095113 and KB 3159706 (or an equivalent update) must be installed on WSUS 6.2 and 6.3.
@ -45,7 +45,7 @@ To be able to use WSUS to manage and deploy Windows feature updates, you must us
## WSUS scalability
To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services).
@ -57,15 +57,15 @@ When using WSUS to manage updates on Windows client devices, start by configurin
1. Open Group Policy Management Console (gpmc.msc).
2. Expand *Forest\Domains\\*Your_Domain**.
2. Expand *Forest\Domains\\*Your_Domain**.
3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**.
![Create a GPO in this domain example in the UI.](images/waas-wsus-fig3.png)
![Create a GPO in this domain example in the UI.](images/waas-wsus-fig3.png)
>[!NOTE]
>In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
4. In the **New GPO** dialog box, name the new GPO **WSUS - Auto Updates and Intranet Update Service Location**.
5. Right-click the **WSUS - Auto Updates and Intranet Update Service Location** GPO, and then select **Edit**.
@ -75,20 +75,20 @@ When using WSUS to manage updates on Windows client devices, start by configurin
7. Right-click the **Configure Automatic Updates** setting, and then select **Edit**.
![Configure Automatic Updates in the UI.](images/waas-wsus-fig4.png)
8. In the **Configure Automatic Updates** dialog box, select **Enable**.
9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then select **OK**.
![Select Auto download and notify for install in the UI.](images/waas-wsus-fig5.png)
>[!IMPORTANT]
> Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
> [!NOTE]
> There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates).
10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**.
> There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates).
10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**.
11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**.
@ -96,9 +96,9 @@ When using WSUS to manage updates on Windows client devices, start by configurin
>[!NOTE]
>The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
![Set the intranet statistics server in the UI.](images/waas-wsus-fig6.png)
>[!NOTE]
>The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.)
@ -109,16 +109,16 @@ As Windows clients refresh their computer policies (the default Group Policy ref
>[!NOTE]
>The following procedures use the groups from Table 1 in [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) as examples.
You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console.
You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console.
**To create computer groups in the WSUS Administration Console**
1. Open the WSUS Administration Console.
1. Open the WSUS Administration Console.
2. Go to *Server_Name*\Computers\All Computers, and then select **Add Computer Group**.
2. Go to *Server_Name*\Computers\All Computers, and then select **Add Computer Group**.
![Add Computer Group in the WSUS Administration UI.](images/waas-wsus-fig7.png)
3. Type **Ring 2 Pilot Business Users** for the name, and then select **Add**.
4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you're finished, there should be three deployment ring groups.
@ -129,7 +129,7 @@ Now that the groups have been created, add the computers to the computer groups
## Use the WSUS Administration Console to populate deployment rings
Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*.
Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*.
In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers.
@ -164,7 +164,7 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr
3. In the search results, select the computers, right-click the selection, and then select **Change Membership**.
![Select Change Membership to search for multiple computers in the UI.](images/waas-wsus-fig9.png)
4. Select the **Ring 3 Broad IT** deployment ring, and then select **OK**.
You can now see these computers in the **Ring 3 Broad IT** computer group.
@ -181,12 +181,12 @@ The WSUS Administration Console provides a friendly interface from which you can
1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then select **Computers**.
![Select Comptuers in the WSUS Administration Console.](images/waas-wsus-fig10.png)
2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then select **OK**.
>[!NOTE]
>This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
>This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting:
**To configure client-side targeting**
@ -205,7 +205,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
5. Right-click the **WSUS - Client Targeting - Ring 4 Broad Business Users** GPO, and then select **Edit**.
![Select the WSUS ring 4 and edit in group policy.](images/waas-wsus-fig11.png)
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
7. Right-click **Enable client-side targeting**, and then select **Edit**.
@ -221,7 +221,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
10. Close the Group Policy Management Editor.
Now you're ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
Now you're ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
**To scope the GPO to a group**
@ -232,8 +232,8 @@ Now you're ready to deploy this GPO to the correct computer security group for t
3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
![Remove the default AUTHENTICATED USERS security group in group policy.](images/waas-wsus-fig13.png)
The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they'll be added to the **Ring 4 Broad Business Users** deployment ring.
The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they'll be added to the **Ring 4 Broad Business Users** deployment ring.
## Automatically approve and deploy feature updates
@ -253,13 +253,13 @@ This example uses Windows 10, but the process is the same for Windows 11.
3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
![Select the update and deadline check boxes in the WSUS Administration Console.](images/waas-wsus-fig14.png)
4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then select **OK**.
5. In the **Edit the properties area**, select the **any product** link. Clear all check boxes except **Windows 10**, and then select **OK**.
Windows 10 is under All Products\Microsoft\Windows.
6. In the **Edit the properties** area, select the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then select **OK**.
7. Leave the deadline set for **7 days after the approval at 3:00 AM**.
@ -267,7 +267,7 @@ This example uses Windows 10, but the process is the same for Windows 11.
8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then select **OK**.
![Enter the ring 3 deployment name.](images/waas-wsus-fig15.png)
9. In the **Automatic Approvals** dialog box, select **OK**.
>[!NOTE]
@ -285,7 +285,7 @@ You can manually approve updates and set deadlines for installation within the W
To simplify the manual approval process, start by creating a software update view that contains only Windows 10 (in this example) updates. The process is the same for Windows 11 updates.
> [!NOTE]
> If you approve more than one feature update for a computer, an error can result with the client. Approve only one feature update per computer.
> If you approve more than one feature update for a computer, an error can result with the client. Approve only one feature update per computer.
**To approve and deploy feature updates manually**
@ -298,7 +298,7 @@ To simplify the manual approval process, start by creating a software update vie
4. Under **Step 2: Edit the properties**, select **any product**. Clear all check boxes except **Windows 10**, and then select **OK**.
Windows 10 is under All Products\Microsoft\Windows.
5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then select **OK**.
![Enter All Windows 10 Upgrades for the name in the WSUS admin console.](images/waas-wsus-fig16.png)
@ -309,21 +309,21 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
2. Right-click the feature update you want to deploy, and then select **Approve**.
![Approve the feature you want to deploy in WSUS admin console.](images/waas-wsus-fig17.png)
![Approve the feature you want to deploy in WSUS admin console.](images/waas-wsus-fig17.png)
3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**.
![Select Approve for install in the WSUS admin console.](images/waas-wsus-fig18.png)
4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Deadline**, select **One Week**, and then select **OK**.
![Select Approve for install in the WSUS admin console.](images/waas-wsus-fig18.png)
4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Deadline**, select **One Week**, and then select **OK**.
![Select a one week deadline in the WSUS admin console.](images/waas-wsus-fig19.png)
![Select a one week deadline in the WSUS admin console.](images/waas-wsus-fig19.png)
5. If the **Microsoft Software License Terms** dialog box opens, select **Accept**.
If the deployment is successful, you should receive a successful progress report.
![A sample successful deployment.](images/waas-wsus-fig20.png)
![A sample successful deployment.](images/waas-wsus-fig20.png)
6. In the **Approval Progress** dialog box, select **Close**.

Some files were not shown because too many files have changed in this diff Show More