mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 10:53:43 +00:00
Merge branch 'main' into vp-csp-clouddesktop
This commit is contained in:
@ -17,7 +17,7 @@ metadata:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019, and later</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
|
||||
ms.date: 05/23/2024
|
||||
ms.date: 08/06/2024
|
||||
title: Frequently Asked Questions about Delivery Optimization
|
||||
summary: |
|
||||
This article answers frequently asked questions about Delivery Optimization.
|
||||
@ -29,6 +29,7 @@ summary: |
|
||||
- [How are downloads initiated by Delivery Optimization?](#how-are-downloads-initiated-by-delivery-optimization)
|
||||
- [Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected?](#delivery-optimization-is-downloading-windows-content-on-my-devices-directly-from-an-ip-address--is-it-expected)
|
||||
- [How do I turn off Delivery Optimization?](#how-do-i-turn-off-delivery-optimization)
|
||||
- [My download is failing with error code 0x80d03002, how do I fix it?](#my-download-is-failing-with-error-code-0x80d03002--how-do-i-fix-it)
|
||||
|
||||
**Network related configuration questions**:
|
||||
|
||||
@ -68,11 +69,17 @@ sections:
|
||||
answer: |
|
||||
Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage.
|
||||
If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
|
||||
Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
|
||||
Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download with error code 0x80d03002. Starting in Windows 11, Download mode '100' is deprecated.
|
||||
|
||||
> [!NOTE]
|
||||
> Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
|
||||
|
||||
|
||||
- question: My download is failing with error code 0x80d03002, how do I fix it?
|
||||
answer: |
|
||||
If you set the DownloadMode policy to '100' (Bypass) some content downloads that require Delivery Optimization may fail with error code 0x80d03002.
|
||||
If you intend to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
|
||||
Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
|
||||
|
||||
- name: Network related configuration questions
|
||||
questions:
|
||||
- question: Which ports does Delivery Optimization use?
|
||||
|
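Review bot: The new answer for "My download is failing with error code 0x80d03002" never states the fix directly, and its closing paragraph repeats the "Don't set **Download mode** to '100' (Bypass)" sentence without the error code that the same sentence gained in the answer above it. State the remedy plainly (move DownloadMode off '100', to '0' if the goal is to disable peer-to-peer), and either reuse the updated sentence or link to "How do I turn off Delivery Optimization?" rather than duplicating two paragraphs that will drift apart.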
@ -77,7 +77,7 @@ Evaluate Windows Autopatch with around 50 devices to ensure the service meets yo
|
||||
| ----- | ----- |
|
||||
| **2A: Review reporting capabilities** | <ul><li>[Windows quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports)</li><li>[Windows feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports)</li><li>[Windows Update for Business (WUfB) reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report)</li></ul>Windows Autopatch quality and feature update reports provide a progress view on the latest update cycle for your devices. These reports should be reviewed often to ensure you understand the update state of your Windows Autopatch devices.<br><br>There might be times when using Windows Autopatch for update deployment that it's beneficial to review Windows Update for Business (WUfB) reports.<br><br>For example, when preparing to deploy Windows 11, you might find it useful to evaluate your devices using the [Windows feature update device readiness](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-device-readiness-report) and [Windows feature update compatibility risks reports](/mem/intune/protect/windows-update-compatibility-reports#use-the-windows-feature-update-compatibility-risks-report) in Intune.|
|
||||
| **2B: Review operational changes** | As part of the introduction of Windows Autopatch, you should consider how the service integrates with your existing operational processes.<br><ul><li>Identify service desk and end user computing process changes</li><li>Identify any alignment with third party support agreements</li><li>Review the default Windows Autopatch support process and alignment with your existing Premier and Unified support options</li><li>Identify IT admin process change & service interaction points</li></ul> |
|
||||
| **2C: Educate end users and key stakeholders**| Educate your end users by creating guides for the Windows Autopatch end user experience.<ul><li>[Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)</li><li>[Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)</li>[Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)<li>[Microsoft Edge](../operate/windows-autopatch-edge.md)</li><li>[Microsoft Teams](../operate/windows-autopatch-teams.md)</li></ul><br>Include your IT support and help desk in the early stages of the Windows Autopatch deployment and planning process. Early involvement allows your support staff to:<br><ul><li>Gain knowledge and experience in identifying and resolving update issues more effectively</li><li>Prepare them to support production rollouts. Knowledgeable help desk and support teams also help end users adopt to changes</li></ul><br>Your support staff can experience a walkthrough of the Windows Autopatch admin experience through the [Windows Autopatch demo site](https://aka.ms/autopatchdemo). |
|
||||
| **2C: Educate end users and key stakeholders**| Educate your end users by creating guides for the Windows Autopatch end user experience.<ul><li>[Windows quality updates](../manage/windows-autopatch-windows-quality-update-end-user-exp.md)</li><li>[Windows feature updates](../manage/windows-autopatch-windows-feature-update-overview.md)</li>[Microsoft 365 Apps for enterprise updates](../manage/windows-autopatch-microsoft-365-apps-enterprise.md)<li>[Microsoft Edge](../manage/windows-autopatch-edge.md)</li><li>[Microsoft Teams](../manage/windows-autopatch-teams.md)</li></ul><br>Include your IT support and help desk in the early stages of the Windows Autopatch deployment and planning process. Early involvement allows your support staff to:<br><ul><li>Gain knowledge and experience in identifying and resolving update issues more effectively</li><li>Prepare them to support production rollouts. Knowledgeable help desk and support teams also help end users adopt to changes</li></ul><br>Your support staff can experience a walkthrough of the Windows Autopatch admin experience through the [Windows Autopatch demo site](https://aka.ms/autopatchdemo). |
|
||||
| **2D: Pilot planning** | Identify target pilot group(s) of up to 500 devices. It's recommended to include a cross-section of your organizational make-up to ensure your pilot results are representative of your organizational environment. |
|
||||
|
||||
### Step three: Pilot
|
||||
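Review bot: The 2A row in this hunk still links to `../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md`, while elsewhere in this commit the same report article is referenced as `../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md`; if the file moved, update these two links in the same change. In the 2C row, the "Microsoft 365 Apps for enterprise updates" link sits between `</li>` and `<li>` with no list item of its own, and the rewritten line carries that over; wrap it in `<li>…</li>` while the row is being touched.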
@ -331,4 +331,3 @@ Once you're underway with your deployment, consider joining the [Windows Commerc
|
||||
- Surveys
|
||||
- Teams discussions
|
||||
- Previews
|
||||
|
||||
|
@ -108,7 +108,7 @@ sections:
|
||||
The decision of when to move to the next ring is handled by Windows Autopatch; it isn't customer configurable.
|
||||
- question: Can you customize the scheduling of an update rollout to only install on certain days and times?
|
||||
answer: |
|
||||
No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-windows-quality-update-end-user-exp.md) to prevent users from updating during business hours.
|
||||
No, you can't customize update scheduling. However, you can specify [active hours](../manage/windows-autopatch-windows-quality-update-end-user-exp.md) to prevent users from updating during business hours.
|
||||
- question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership?
|
||||
answer: |
|
||||
Windows Autopatch doesn't support managing update deployment ring membership using your Microsoft Entra groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
|
||||
|
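Review bot: The answer to the deployment ring membership question, two entries below the changed line, still links to `../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings`. The active hours link in this hunk moved from `../operate/` to `../manage/`, so confirm whether this target moved as well and update it here if it did, otherwise the FAQ ships with one relocated and one stale link.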
@ -15,13 +15,13 @@ ms.collection:
|
||||
- tier1
|
||||
---
|
||||
|
||||
# Roles and responsibilities
|
||||
# Roles and responsibilities
|
||||
|
||||
This article outlines your responsibilities and Windows Autopatch's responsibilities when:
|
||||
|
||||
- [Preparing to enroll into the Windows Autopatch service](#prepare)
|
||||
- [Deploying the service](#deploy)
|
||||
- [Operating with the service](#operate)
|
||||
- [Operating with the service](#manage)
|
||||
|
||||
## Prepare
|
||||
|
||||
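Review bot: The third bullet now targets `#manage`, but its link text still reads "Operating with the service", and a later hunk renames the section heading from "Operate" to "Manage". Update the text to match the new heading (for example "Managing the service") so the list and the section titles agree.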
@ -47,10 +47,10 @@ For more information and assistance with preparing for your Windows Autopatch de
|
||||
| ----- | :-----: | :-----: |
|
||||
| [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Intune | :heavy_check_mark: | :x: |
|
||||
| [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: |
|
||||
| Educate users on the Windows Autopatch end user update experience<ul><li>[Windows quality update end user experience](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md)</li><li>[Windows feature update end user experience](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md)</li><li>[Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)</li><li>[Microsoft Edge end user experience](../operate/windows-autopatch-edge.md)</li><li>[Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| Educate users on the Windows Autopatch end user update experience<ul><li>[Windows quality update end user experience](../manage/windows-autopatch-windows-quality-update-end-user-exp.md)</li><li>[Windows feature update end user experience](../manage/windows-autopatch-manage-windows-feature-update-releases.md)</li><li>[Microsoft 365 Apps for enterprise end user experience](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)</li><li>[Microsoft Edge end user experience](../manage/windows-autopatch-edge.md)</li><li>[Microsoft Teams end user experience](../manage/windows-autopatch-teams.md#end-user-experience)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| Review network optimization<ul><li>[Prepare your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Delivery Optimization](../prepare/windows-autopatch-configure-network.md#delivery-optimization) | :heavy_check_mark: | :x: |
|
||||
| Review existing configurations<ul><li>Remove your devices from existing unsupported [Windows Update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li><li>Consult [General considerations](../overview/windows-autopatch-deployment-guide.md#general-considerations)</li></ul>| :heavy_check_mark: | :x: |
|
||||
| Confirm your update service needs and configure your workloads<ul><li>[Turn on or off expedited Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md#expedited-releases)</li><li>[Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates)</li><li>[Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)</li><li>[Customize Windows Update settings](../operate/windows-autopatch-windows-update.md)</li><li>Decide your [Windows feature update versions(s)](../operate/windows-autopatch-groups-windows-feature-update-overview.md)</li></ul>| :heavy_check_mark: | :x: |
|
||||
| Confirm your update service needs and configure your workloads<ul><li>[Turn on or off expedited Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md#expedited-releases)</li><li>[Allow or block Microsoft 365 Apps for enterprise updates](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates)</li><li>[Manage driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md)</li><li>[Customize Windows Update settings](../manage/windows-autopatch-customize-windows-update-settings.md)</li><li>Decide your [Windows feature update versions(s)](../manage/windows-autopatch-windows-feature-update-overview.md)</li></ul>| :heavy_check_mark: | :x: |
|
||||
| [Consider your Autopatch groups distribution](../deploy/windows-autopatch-groups-overview.md)<ul><li>[Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)</li><li>[Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| [Register devices](../deploy/windows-autopatch-register-devices.md)<ul><li>[Review your device registration options](../deploy/windows-autopatch-device-registration-overview.md)</li><li>[Register your first devices](../deploy/windows-autopatch-register-devices.md) | :heavy_check_mark: | :x: |
|
||||
| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-registered-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
|
||||
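Review bot: The rewritten "Confirm your update service needs" row keeps the typo "Windows feature update versions(s)"; the Manage table in this same file spells it "version(s)", so fix it here while the link is being changed. Two unchanged rows in this hunk ("Review network optimization" and "Register devices") open a `<ul>` and never close it, which is worth correcting in the same pass because it can break rendering of the cells that follow.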
@ -61,42 +61,42 @@ For more information and assistance with preparing for your Windows Autopatch de
|
||||
| Review device conflict scenarios<ul><li>[Device conflict in deployment rings within an Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-in-deployment-rings-within-an-autopatch-group)</li><li>[Device conflict across different Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-across-different-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| Communicate to end-users, help desk and stakeholders | :heavy_check_mark: | :x: |
|
||||
|
||||
## Operate
|
||||
## Manage
|
||||
|
||||
| Task | Your responsibility | Windows Autopatch |
|
||||
| ----- | :-----: | :-----: |
|
||||
| [Maintain contacts in the Microsoft Intune admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: |
|
||||
| [Maintain and manage the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :x: | :heavy_check_mark: |
|
||||
| [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :heavy_check_mark: | :x: |
|
||||
| [Maintain and manage the Windows Autopatch service configuration](../monitor/windows-autopatch-maintain-environment.md) | :x: | :heavy_check_mark: |
|
||||
| [Maintain customer configuration to align with the Windows Autopatch service configuration](../monitor/windows-autopatch-maintain-environment.md) | :heavy_check_mark: | :x: |
|
||||
| Resolve service remediated device conflict scenarios<ul><li>[Device conflict in deployment rings within an Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-in-deployment-rings-within-an-autopatch-group)</li><li>[Default to Custom Autopatch group device conflict](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#default-to-custom-autopatch-group-device-conflict)</li></ul> | :x: | :heavy_check_mark: |
|
||||
| Resolve remediated device conflict scenarios<ul><li>[Custom to Custom Autopatch group device conflict](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#custom-to-custom-autopatch-group-device-conflict)</li><li>[Device conflict prior to device registration](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#device-conflict-prior-to-device-registration)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| Maintain the Test and Last deployment ring membership<ul><li>[Default Windows Autopatch deployment rings](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group)</li><li>[Custom Windows Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| Monitor [Windows update signals](../operate/windows-autopatch-groups-windows-quality-update-signals.md) for safe update release<ul><li>[Pre-release signals](../operate/windows-autopatch-groups-windows-quality-update-signals.md#pre-release-signals)</li><li>[Early signals](../operate/windows-autopatch-groups-windows-quality-update-signals.md#early-signals)</li><li>[Device reliability signals](../operate/windows-autopatch-groups-windows-quality-update-signals.md#device-reliability-signals)</li></ul> | :x: | :heavy_check_mark: |
|
||||
| Test specific [business update scenarios](../operate/windows-autopatch-groups-windows-quality-update-signals.md) | :heavy_check_mark: | :x: |
|
||||
| [Define and implement service default release schedule](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | :x: | :heavy_check_mark: |
|
||||
| Maintain your workload configuration and custom release schedule<ul><li>[Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md)</li><li>[Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md)</li><li>[Decide your Windows feature update version(s)](../operate/windows-autopatch-groups-windows-feature-update-overview.md)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| Communicate the update [release schedule](../operate/windows-autopatch-windows-quality-update-communications.md) to IT admins | :x: | :heavy_check_mark: |
|
||||
| Release updates (as scheduled)<ul><li>[Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md#release-management)</li><li>[Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)</li><li>[Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-release-schedule)</li><li>[Microsoft Edge](../operate/windows-autopatch-edge.md#update-release-schedule)</li><li>[Microsoft Teams](../operate/windows-autopatch-teams.md#update-release-schedule)</li><ul>| :x: | :heavy_check_mark: |
|
||||
| [Release updates (expedited)](../operate/windows-autopatch-groups-windows-quality-update-overview.md#expedited-releases) | :x: | :heavy_check_mark: |
|
||||
| [Release updates (OOB)](../operate/windows-autopatch-groups-windows-quality-update-overview.md#out-of-band-releases) | :x: | :heavy_check_mark: |
|
||||
| Monitor [Windows update signals](../manage/windows-autopatch-windows-quality-update-signals.md) for safe update release<ul><li>[Pre-release signals](../manage/windows-autopatch-windows-quality-update-signals.md#pre-release-signals)</li><li>[Early signals](../manage/windows-autopatch-windows-quality-update-signals.md#early-signals)</li><li>[Device reliability signals](../manage/windows-autopatch-windows-quality-update-signals.md#device-reliability-signals)</li></ul> | :x: | :heavy_check_mark: |
|
||||
| Test specific [business update scenarios](../manage/windows-autopatch-windows-quality-update-signals.md) | :heavy_check_mark: | :x: |
|
||||
| [Define and implement service default release schedule](../manage/windows-autopatch-windows-quality-update-overview.md) | :x: | :heavy_check_mark: |
|
||||
| Maintain your workload configuration and custom release schedule<ul><li>[Manage driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md)</li><li>[Customize Windows Update settings](../manage/windows-autopatch-customize-windows-update-settings.md)</li><li>[Decide your Windows feature update version(s)](../manage/windows-autopatch-windows-feature-update-overview.md)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| Communicate the update [release schedule](../manage/windows-autopatch-windows-quality-update-communications.md) to IT admins | :x: | :heavy_check_mark: |
|
||||
| Release updates (as scheduled)<ul><li>[Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md#release-management)</li><li>[Windows feature updates](../manage/windows-autopatch-windows-feature-update-overview.md)</li><li>[Microsoft 365 Apps for enterprise](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#update-release-schedule)</li><li>[Microsoft Edge](../manage/windows-autopatch-edge.md#update-release-schedule)</li><li>[Microsoft Teams](../manage/windows-autopatch-teams.md#update-release-schedule)</li><ul>| :x: | :heavy_check_mark: |
|
||||
| [Release updates (expedited)](../manage/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :x: | :heavy_check_mark: |
|
||||
| [Release updates (OOB)](../manage/windows-autopatch-windows-quality-update-overview.md#out-of-band-releases) | :x: | :heavy_check_mark: |
|
||||
| [Deploy updates to devices](../operate/windows-autopatch-groups-update-management.md) | :x: | :heavy_check_mark: |
|
||||
| Monitor [Windows quality](../operate/windows-autopatch-groups-windows-quality-update-overview.md#release-management) or [feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md) through the release cycle | :x: | :heavy_check_mark: |
|
||||
| Review [release announcements](../operate/windows-autopatch-groups-windows-quality-update-overview.md#) | :heavy_check_mark: | :x: |
|
||||
| Review deployment progress using Windows Autopatch reports<ul><li>[Windows quality update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports)</li><li>[Windows feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-groups-windows-quality-update-signals.md) | :x: | :heavy_check_mark: |
|
||||
| [Pause updates (initiated by you)](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) | :heavy_check_mark: | :x: |
|
||||
| Monitor [Windows quality](../manage/windows-autopatch-windows-quality-update-overview.md#release-management) or [feature updates](../manage/windows-autopatch-windows-feature-update-overview.md) through the release cycle | :x: | :heavy_check_mark: |
|
||||
| Review [release announcements](../manage/windows-autopatch-windows-quality-update-overview.md#) | :heavy_check_mark: | :x: |
|
||||
| Review deployment progress using Windows Autopatch reports<ul><li>[Windows quality update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#windows-quality-update-reports)</li><li>[Windows feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#windows-feature-update-reports)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| [Pause updates (Windows Autopatch initiated)](../manage/windows-autopatch-windows-quality-update-signals.md) | :x: | :heavy_check_mark: |
|
||||
| [Pause updates (initiated by you)](../manage/windows-autopatch-windows-quality-update-overview.md#pause-and-resume-a-release) | :heavy_check_mark: | :x: |
|
||||
| Run [on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: |
|
||||
| Maintain existing configurations<ul><li>Remove your devices from existing and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies</li><li>Consult [General considerations](../overview/windows-autopatch-deployment-guide.md#general-considerations)</ul> | :heavy_check_mark: | :x: |
|
||||
| Understand the health of [Up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are<ul><li>[Not up to date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)</li><li>[Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)</li><li>have [Device alerts](../operate/windows-autopatch-device-alerts.md)</li><li>have [conflicting configurations](../references/windows-autopatch-conflicting-configurations.md)</li></ul>
|
||||
| Understand the health of [Up to date](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices and investigate devices that are<ul><li>[Not up to date](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices)</li><li>[Not ready](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#not-ready-devices)</li><li>have [Device alerts](../monitor/windows-autopatch-device-alerts.md)</li><li>have [conflicting configurations](../references/windows-autopatch-conflicting-configurations.md)</li></ul> | | |
|
||||
| [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: |
|
||||
| [Exclude a device](../operate/windows-autopatch-exclude-device.md) | :heavy_check_mark: | :x: |
|
||||
| [Register a device that was previously excluded](../operate/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) | :heavy_check_mark: | :x: |
|
||||
| [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
|
||||
| [Remove Windows Autopatch data from the service and exclude devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
|
||||
| [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |
|
||||
| Review and respond to Message Center and Service Health Dashboard notifications<ul><li>[Windows quality update communications](../operate/windows-autopatch-groups-windows-quality-update-communications.md)</li><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| Highlight Windows Autopatch management alerts that require customer action<ul><li>[Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)</li><li>[Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)</li></ul> | :x: | :heavy_check_mark: |
|
||||
| Review and respond to Windows Autopatch management alerts<ul><li>[Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)</li><li>[Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| [Raise and respond to support requests](../operate/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: |
|
||||
| [Manage and respond to support requests](../operate/windows-autopatch-support-request.md#manage-an-active-support-request) | :x: | :heavy_check_mark: |
|
||||
| [Exclude a device](../manage/windows-autopatch-exclude-device.md) | :heavy_check_mark: | :x: |
|
||||
| [Register a device that was previously excluded](../manage/windows-autopatch-exclude-device.md#restore-a-device-or-multiple-devices-previously-excluded) | :heavy_check_mark: | :x: |
|
||||
| [Request unenrollment from Windows Autopatch](../manage/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
|
||||
| [Remove Windows Autopatch data from the service and exclude devices](../manage/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
|
||||
| [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../manage/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |
|
||||
| Review and respond to Message Center and Service Health Dashboard notifications<ul><li>[Windows quality update communications](../manage/windows-autopatch-windows-quality-update-communications.md)</li><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| Highlight Windows Autopatch management alerts that require customer action<ul><li>[Tenant management alerts](../monitor/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)</li><li>[Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md)</li></ul> | :x: | :heavy_check_mark: |
|
||||
| Review and respond to Windows Autopatch management alerts<ul><li>[Tenant management alerts](../monitor/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)</li><li>[Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md)</li></ul> | :heavy_check_mark: | :x: |
|
||||
| [Raise and respond to support requests](../manage/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: |
|
||||
| [Manage and respond to support requests](../manage/windows-autopatch-support-request.md#manage-an-active-support-request) | :x: | :heavy_check_mark: |
|
||||
| Review the [What's new](../whats-new/windows-autopatch-whats-new-2022.md) section to stay up to date with updated feature and service releases | :heavy_check_mark: | :x: |
|
||||
|
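Review bot: The last row links the generic "What's new" label to `../whats-new/windows-autopatch-whats-new-2022.md`, while the other files in this change carry 2024 dates. Point the link at the current what's-new article or at the section index so readers are not sent to an old changelog.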
@ -37,8 +37,6 @@ The most common sources of conflicting configurations include:
|
||||
```cmd
|
||||
Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations Value=Any
|
||||
Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess Value=Any
|
||||
Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer String=Any
|
||||
Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer Value=Any
|
||||
Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate Value=Any
|
||||
```
|
||||
|
||||
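Review bot: The `Location=` lines write the path as `HKLM:SOFTWARE\...` with no backslash after the colon, while the PowerShell block later in the same article uses `HKLM:\SOFTWARE\...`; use one form so readers see a single canonical path. The `WUServer` line says `String=Any` where the others say `Value=Any`, and the fence is tagged `cmd` although nothing in it is a command. The header (-37,8 +37,6) drops two lines, so confirm the remaining list names exactly the values that the removal scripts in this article delete.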
@ -90,8 +88,6 @@ Copy and paste the following PowerShell script into PowerShell or a PowerShell e
|
||||
```powershell
|
||||
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DoNotConnectToWindowsUpdateInternetLocations"
|
||||
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "DisableWindowsUpdateAccess"
|
||||
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "WUServer"
|
||||
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer"
|
||||
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate"
|
||||
```
|
||||
|
||||
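Review bot: Each `Remove-ItemProperty` call raises a non-terminating error when the named value is absent, which is the normal case on a device that has only some of these policies set. Add `-ErrorAction SilentlyContinue` to each call or guard it with `Get-ItemProperty`. Because the values live under `SOFTWARE\Policies`, the surrounding text should also say whether the policy source that wrote them has to be changed as well.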
@ -104,8 +100,6 @@ Copy and paste the following code into a text editor, and save it with a `.cmd`
|
||||
echo Deleting registry keys...
|
||||
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /f
|
||||
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /f
|
||||
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /f
|
||||
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /f
|
||||
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /f
|
||||
echo Registry keys deleted.
|
||||
Pause
|
||||
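Review bot: `echo Registry keys deleted.` runs unconditionally after the `reg delete ... /f` lines, so the script reports success even when a delete failed, for example when a value does not exist or the prompt is not elevated. Check `%errorlevel%` after each `reg delete` or make the closing message neutral. The `/v` switch means values are being deleted, not keys, so both `echo` lines should say "values".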
@ -120,9 +114,7 @@ Windows Registry Editor Version 5.00
|
||||
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
|
||||
"DoNotConnectToWindowsUpdateInternetLocations"=-
|
||||
"DisableWindowsUpdateAccess"=-
|
||||
"WUServer"=-
|
||||
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
|
||||
"UseWUServer"=-
|
||||
"NoAutoUpdate"=-
|
||||
```
|
||||
|
||||
|
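Review bot: This .reg block has to match the detection list and the PowerShell and batch variants value for value. The four hunk headers in this file each lose two lines (-37,8 +37,6, -90,8 +88,6, -104,8 +100,6, -120,9 +114,7), so check that the same two value names were dropped from all four blocks and that neither the `WindowsUpdate` nor the `WindowsUpdate\AU` section header is left with no entries under it.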
@ -147,7 +147,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
|
||||
| [Software update management](../operate/windows-autopatch-groups-update-management.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
|
||||
| [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
|
||||
| [Windows quality update overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
|
||||
| [Windows quality update end user experience](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
|
||||
| [Windows quality update end user experience](../manage/windows-autopatch-windows-quality-update-end-user-exp.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
|
||||
| [Windows quality update signals](../operate/windows-autopatch-groups-windows-quality-update-signals.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
|
||||
| [Windows quality update communications](../operate/windows-autopatch-groups-windows-quality-update-communications.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
|
||||
| [Windows feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
|
||||
|
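Review bot: "Windows quality update end user experience" is the only row that appears with two targets, `../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md` and `../manage/windows-autopatch-windows-quality-update-end-user-exp.md`, while every neighbouring row keeps an `../operate/windows-autopatch-groups-*` target. If the article moved, verify that the other `../operate/` links in this table still resolve, and check whether the "New article for the Windows Autopatch groups experience" description still applies to the retargeted file.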
@ -96,20 +96,6 @@ An attacker might modify the boot manager configuration database (BCD), which is
|
||||
|
||||
An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware, and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This can't succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0. To successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue), it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
|
||||
|
||||
To prevent boot manger roll-back attacks, Windows updates released on and after July 2024 changed the default PCR Validation Profile for **UEFI with Secure Boot** from `7, 11` to `4, 7, 11`.
|
||||
|
||||
The PCR values map to:
|
||||
|
||||
- `PCR 4: Boot Manager`
|
||||
- `PCR 7: Secure Boot State`
|
||||
- `PCR 11: BitLocker access control`
|
||||
|
||||
> [!TIP]
|
||||
> To check what PCRs are in use, execute the following command:
|
||||
> ```cmd
|
||||
> manage-bde.exe -protectors -get c:
|
||||
> ```
|
||||
|
||||
## Attacker countermeasures
|
||||
|
||||
The following sections cover mitigations for different types of attackers.
|
||||
|
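Review bot: The header (-96,20 +96,6) removes 14 lines, which matches the span from "To prevent boot manger roll-back attacks" through the `manage-bde.exe -protectors -get c:` tip, so the page loses both the `4, 7, 11` statement and its only instruction for checking which PCRs a volume is sealed to. Keep the tip even if the default-profile sentence goes, since it lets an administrator verify the PCR 11 argument in the preceding paragraph on a real device. If the sentence survives anywhere, fix "boot manger" to "boot manager".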
@ -26,6 +26,3 @@ When this policy is enabled and the hardware is capable of using Secure Boot for
|
||||
|--|--|
|
||||
| **CSP** | Not available |
|
||||
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
|
||||
|
||||
> [!NOTE]
|
||||
> To prevent boot manger roll-back attacks, Windows updates released on and after July 2024 changed the default PCR Validation Profile for **UEFI with Secure Boot** from `7, 11` to `4, 7, 11`.
|
||||
|
@ -26,8 +26,6 @@ A platform validation profile consists of a set of PCR indices ranging from 0 to
|
||||
|
||||
> [!NOTE]
|
||||
> When Secure Boot State (PCR7) support is available, the default platform validation profile secures the encryption key using Secure Boot State (PCR 7) and the BitLocker access control (PCR 11).
|
||||
>
|
||||
> To prevent boot manger roll-back attacks, Windows updates released on and after July 2024 changed the default PCR Validation Profile for **UEFI with Secure Boot** from `7, 11` to `4, 7, 11`.
|
||||
|
||||
The following list identifies all of the available PCRs:
|
||||
|
||||
|
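Review bot: With the `4, 7, 11` sentence dropped (-26,8 +26,6), the remaining NOTE states that the default profile uses PCR 7 and PCR 11 only. Confirm that this is the default on currently supported builds, because this change removes the July 2024 statement from three articles without saying whether the behaviour itself changed back. The same NOTE line writes `PCR7` once and `PCR 7` once; pick one spelling.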
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Deprecated features in the Windows client
|
||||
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
|
||||
ms.date: 07/09/2024
|
||||
ms.date: 08/05/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-fundamentals
|
||||
ms.localizationpriority: medium
|
||||
@ -47,6 +47,7 @@ The features in this article are no longer being actively developed, and might b
|
||||
|
||||
| Feature | Details and mitigation | Deprecation announced |
|
||||
|---|---|---|
|
||||
| Adobe Type1 fonts <!--9183716-->| Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows. </br></br> In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 |
|
||||
| DirectAccess <!--8713507-->| DirectAccess is deprecated and will be removed in a future release of Windows. We recommend [migrating from DirectAccess to Always On VPN](/windows-server/remote/remote-access/da-always-on-vpn-migration/da-always-on-migration-overview). | June 2024 |
|
||||
| NTLM <!--8396018-->| All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | June 2024 |
|
||||
| Driver Verifier GUI (verifiergui.exe) <!--8995057--> | Driver Verifier GUI, verifiergui.exe, is deprecated and will be removed in a future version of Windows. You can use the [Verifier Command Line](/windows-hardware/drivers/devtest/verifier-command-line) (verifier.exe) instead of the Driver Verifier GUI.| May 2024 |
|
||||
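Review bot: The Adobe Type1 fonts row uses `</br></br>` as a paragraph break; `</br>` is a stray closing tag rather than a break element, so write `<br>` or `<br/>` instead of relying on renderer error recovery. The HTML comment `<!--9183716-->` sits before the cell separator with no space, unlike the Driver Verifier row, so align the spacing with the neighbouring rows.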
@ -103,7 +104,7 @@ The features in this article are no longer being actively developed, and might b
|
||||
|IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
|
||||
|RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
|
||||
|Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|
||||
|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. As part of this change, we will stop supporting the Device Syncing Settings and App Data report. All other **Sync your settings** options and the Enterprise State Roaming feature will continue to work provided your clients are running an up-to-date version of: </br> - Windows 11 </br> - Windows 10, version 21H2, or later | 1709 |
|
||||
|Sync your settings (updated: July, 30, 2024) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. As part of this change, we will stop supporting the Device Syncing Settings and App Data report. All other **Sync your settings** options and the Enterprise State Roaming feature will continue to work provided your clients are running an up-to-date version of: </br> - Windows 11 </br> - Windows 10, version 21H2, or later | 1709 |
|
||||
|System Image Backup (SIB) Solution|This feature is also known as the **Backup and Restore (Windows 7)** legacy control panel. For full-disk backup solutions, look for a third-party product from another software publisher. You can also use [OneDrive](/onedrive/) to sync data files with Microsoft 365.| 1709 |
|
||||
|TLS RC4 Ciphers |To be disabled by default. For more information, see [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
|
||||
|Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
|
||||
|
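Review bot: The replacement label reads "(updated: July, 30, 2024)" with a stray comma after the month; write "July 30, 2024" to match the "August 17, 2017" form it replaces. The rest of the row is identical in both versions, so either the description should say what changed on that date or the date should stay as it was.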