From 0d1cefddef9c88ddedcc7993e3b22756e9d10c66 Mon Sep 17 00:00:00 2001 From: v-pegao Date: Thu, 26 Dec 2019 15:12:21 +0800 Subject: [PATCH 01/24] Remove double quote --- windows/deployment/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 9530728934..33f5976173 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -28,7 +28,7 @@ sections: - href: windows-10-deployment-scenarios html:

Understand the different ways that Windows 10 can be deployed

image: - src: https://docs.microsoft.com/media/common/i_deploy.svg" + src: https://docs.microsoft.com/media/common/i_deploy.svg title: Windows 10 deployment scenarios - href: update html:

Update Windows 10 in the enterprise

From 81b25acdc95ecf7024d3bf59c45d74bff20a6d91 Mon Sep 17 00:00:00 2001 From: Mati Goldberg Date: Fri, 10 Apr 2020 03:38:03 +0300 Subject: [PATCH 02/24] added missing endpoints --- .../microsoft-defender-atp/microsoft-defender-atp-mac.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index a22b112426..fe71625482 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -74,9 +74,9 @@ The following table lists the services and their associated URLs that your netwo | Service location | DNS record | | ---------------------------------------- | ----------------------- | | Common URLs for all locations | x.cp.wd.microsoft.com
cdn.x.cp.wd.microsoft.com
eu-cdn.x.cp.wd.microsoft.com
wu-cdn.x.cp.wd.microsoft.com
officecdn-microsoft-com.akamaized.net
crl.microsoft.com
events.data.microsoft.com | -| European Union | europe.x.cp.wd.microsoft.com
eu-v20.events.data.microsoft.com
usseu1northprod.blob.core.windows.net 
usseu1westprod.blob.core.windows.net | -| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com
uk-v20.events.data.microsoft.com
ussuk1southprod.blob.core.windows.net 
ussuk1westprod.blob.core.windows.net | -| United States | unitedstates.x.cp.wd.microsoft.com
us-v20.events.data.microsoft.com
ussus1eastprod.blob.core.windows.net 
ussus1westprod.blob.core.windows.net | +| European Union | europe.x.cp.wd.microsoft.com
eu-v20.events.data.microsoft.com
usseu1northprod.blob.core.windows.net 
usseu1westprod.blob.core.windows.net
winatp-gw-weu.microsoft.com
winatp-gw-neu.microsoft.com | +| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com
uk-v20.events.data.microsoft.com
ussuk1southprod.blob.core.windows.net 
ussuk1westprod.blob.core.windows.net
winatp-gw-ukw.microsoft.com
winatp-gw-uks.microsoft.com | +| United States | unitedstates.x.cp.wd.microsoft.com
us-v20.events.data.microsoft.com
ussus1eastprod.blob.core.windows.net 
ussus1westprod.blob.core.windows.net
winatp-gw-cus.microsoft.com
winatp-gw-eus.microsoft.com | Microsoft Defender ATP can discover a proxy server by using the following discovery methods: - Proxy auto-config (PAC) From 0de78dc058a0d8bc875833e487f59b2f4347733d Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 21 Apr 2020 13:11:37 -0700 Subject: [PATCH 03/24] update topic --- .../configure-server-endpoints.md | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index e7da43acc6..9a9e8530ab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
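Review bot: In the European Union, United Kingdom and United States rows of microsoft-defender-atp-mac.md, the six added `winatp-gw-*.microsoft.com` hosts come with no statement of what they serve, and the commit message says only "added missing endpoints". Readers copy this table into proxy and firewall allow-lists, so the text above the table should say which service the gateway hosts belong to and whether a tenant needs only the pair for its own region or all six.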
@@ -43,26 +43,15 @@ The service supports the onboarding of the following servers: For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). -> [!NOTE] -> An Azure Security Center Standard license is required, per node, to enroll Microsoft Defender ATP on a supported Windows Server platform, see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services) ## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP: -- **Option 1**: Onboard through Azure Security Center -- **Option 2**: Onboard through Microsoft Defender Security Center +- **Option 1**: Onboard through Microsoft Defender Security Center +- **Option 2**: Onboard through Azure Security Center -### Option 1: Onboard servers through Azure Security Center -1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. - -2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system. - -3. Click **Onboard Servers in Azure Security Center**. - -4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). - -### Option 2: Onboard servers through Microsoft Defender Security Center +### Option 1: Onboard servers through Microsoft Defender Security Center You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center. - For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements: 
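Review bot: Removing the `[!NOTE]` about the Azure Security Center Standard license from above the option list leaves this part of the page with no licensing statement before the reader starts onboarding, even though it now leads with Option 1 (Microsoft Defender Security Center). The second hunk re-adds the note only under Option 2, so nothing says what Option 1 requires. Keep a note at this position that states the license requirement for each option.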
@@ -125,6 +114,19 @@ Once completed, you should see onboarded servers in the portal within an hour. - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). + +### Option 2: Onboard servers through Azure Security Center +1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + +2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system. + +3. Click **Onboard Servers in Azure Security Center**. + +4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). + +> [!NOTE] +> An Azure Security Center Standard license is required, per node, to enroll Microsoft Defender ATP on a supported Windows Server platform, see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services) + ## Windows Server, version 1803 and Windows Server 2019 To onboard Windows Server, version 1803 or Windows Server 2019, refer to the supported methods and versions below. 
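Review bot: The re-added `[!NOTE]` sits after step 4 of the new Option 2 section, so a reader learns that an Azure Security Center Standard license is required per node only after working through the steps; move it directly under the `### Option 2` heading. Step 1 says "In the navigation pane" without naming the portal, which is ambiguous now that the steps sit under an Azure Security Center heading. The note's sentence also needs a break before "see [Supported features available in Azure Security Center]" and a closing period.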
@@ -169,7 +171,7 @@ Support for Windows Server, provide deeper insight into activities happening on ## Integration with Azure Security Center -Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. +Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. The following capabilities are included in this integration: - Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). From 5e5d8d9c57f63f4641123a154da9d52bb60104fc Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 22 Apr 2020 12:49:29 -0700 Subject: [PATCH 04/24] add note --- .../microsoft-defender-atp/configure-server-endpoints.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 9a9e8530ab..f060b6bc94 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -51,6 +51,11 @@ There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 - **Option 1**: Onboard through Microsoft Defender Security Center - **Option 2**: Onboard through Azure Security Center +> [!NOTE] +> Microsoft defender ATP standalone server license is required, per node, in order to onboard the server through Microsoft Defender Security Center (Option 1), or +an Azure Security Center Standard license is required, per node, in order to onboard a server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). + + ### Option 1: Onboard servers through Microsoft Defender Security Center You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center. @@ -124,8 +129,7 @@ Once completed, you should see onboarded servers in the portal within an hour. 4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). -> [!NOTE] -> An Azure Security Center Standard license is required, per node, to enroll Microsoft Defender ATP on a supported Windows Server platform, see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services) + ## Windows Server, version 1803 and Windows Server 2019 To onboard Windows Server, version 1803 or Windows Server 2019, refer to the supported methods and versions below. From c730491beef8f28e83cfcd514f7fe7da16277b1a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 22 Apr 2020 13:19:12 -0700 Subject: [PATCH 05/24] fix line --- .../microsoft-defender-atp/configure-server-endpoints.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index f060b6bc94..a2550f9980 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -52,8 +52,7 @@ There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 - **Option 2**: Onboard through Azure Security Center > [!NOTE] -> Microsoft defender ATP standalone server license is required, per node, in order to onboard the server through Microsoft Defender Security Center (Option 1), or -an Azure Security Center Standard license is required, per node, in order to onboard a server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). +> Microsoft defender ATP standalone server license is required, per node, in order to onboard the server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). ### Option 1: Onboard servers through Microsoft Defender Security Center From e28f537634559e97623c9a2ee9b5c3aaefdf757a Mon Sep 17 00:00:00 2001 
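Review bot: In the `@@ -52,8 +52,7 @@` hunk of configure-server-endpoints.md, joining the two lines restores the missing `>` on the continuation, but the joined sentence still opens with "Microsoft defender ATP standalone server license" (lowercase "defender", no leading article) and strings two requirements and a link together with ", or" and ", see". Suggest "A Microsoft Defender ATP standalone server license is required, per node, ..." with the Option 2 requirement and the link as separate sentences. This fix would also read better squashed into the preceding "add note" commit than as its own patch.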
From: illfated Date: Thu, 23 Apr 2020 22:35:19 +0200 Subject: [PATCH 06/24] Identity Protection/VPN: grammar, links & spacing As reported in issue ticket #6556 (Traffic filter sentence incomplete), there is a missing part in the sentence "Network admins to effectively add interface specific firewall rules on the VPN Interface." to make it work as a full descriptive sentence in this context. This PR aims to correct this issue, in addition to various other adjustments. Thanks to klishb for reporting this issue. Changes proposed: - Add the missing part of the Traffic Filters sentence - Update 2 outdated and permanently redirected MSDN links - Uppercase adjustments for "Traffic filters" & "Lockdown" - Add MarkDown indent marker compatibility spacing in the Note blob - Reduce bullet point spacing from 3 to 1 in the "Applies to" section - Remove all redundant end-of-line spacing - Add missing space after the corrected sentence (after the period) Ticket closure or reference: Closes #6556 --- .../vpn/vpn-security-features.md | 33 +++++++++---------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index 18e7b41ec9..22517e110c 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -8,7 +8,7 @@ ms.pagetype: security, networking author: dulcemontemayor ms.localizationpriority: medium ms.date: 07/27/2017 -ms.reviewer: +ms.reviewer: manager: dansimp ms.author: dansimp --- @@ -16,8 +16,8 @@ ms.author: dansimp # VPN security features **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 10 Mobile ## LockDown VPN 
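Review bot: In the front-matter hunk of vpn-security-features.md, `ms.date: 07/27/2017` is left as context while the rest of the patch changes the page's wording and links; update it if the repository expects the date to track content changes. The `ms.reviewer:` line and the two "Applies to" bullets are whitespace-only changes, so confirm with a whitespace-visible diff that only trailing spaces were removed.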
@@ -29,51 +29,50 @@ A VPN profile configured with LockDown secures the device to only allow network - The user cannot delete or modify the VPN profile. - The VPN LockDown profile uses forced tunnel connection. - If the VPN connection is not available, outbound network traffic is blocked. -- Only one VPN LockDown profile is allowed on a device. +- Only one VPN LockDown profile is allowed on a device. ->[!NOTE] ->For built-in VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type. - -Deploy this feature with caution as the resultant connection will not be able to send or receive any network traffic without the VPN being connected. +> [!NOTE] +> For built-in VPN, LockDown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type. +Deploy this feature with caution as the resultant connection will not be able to send or receive any network traffic without the VPN being connected. ## Windows Information Protection (WIP) integration with VPN Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally. -The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include: +The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 VPN client to integrate with WIP, extending its functionality to remote devices. 
Use case scenarios for WIP include: - Core functionality: File encryption and file access blocking - UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations - WIP network policy enforcement: Protecting intranet resources over the corporate network and VPN - Network policy enforcement: Protecting SMB and Internet cloud resources over the corporate network and VPN -The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app. +The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app. Additionally, when connecting with WIP, the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced configuration is needed) because the WIP policies and App lists automatically take effect. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip) -## Traffic filters +## Traffic Filters -Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins to effectively add interface specific firewall rules on the VPN Interface.There are two types of Traffic Filter rules: +Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins can use Traffic Filters to effectively add interface specific firewall rules on the VPN Interface. There are two types of Traffic Filter rules: - App-based rules. With app-based rules, a list of applications can be marked such that only traffic originating from these apps is allowed to go over the VPN interface. - Traffic-based rules. 
Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified such that only traffic matching these rules is allowed to go over the VPN interface. -There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level. +There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level. -For example, an admin could define rules that specify: +For example, an admin could define rules that specify: -- The Contoso HR App must be allowed to go through the VPN and only access port 4545. +- The Contoso HR App must be allowed to go through the VPN and only access port 4545. - The Contoso finance apps is allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889. -- All other apps on the device should be able to access only ports 80 or 443. +- All other apps on the device should be able to access only ports 80 or 443. ## Configure traffic filters -See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. +See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp) for XML configuration. The following image shows the interface to configure traffic rules in a VPN Profile configuration policy using Microsoft Intune. From 3110c0ed5bb45058e4d2dab913f4c1de52b6f811 Mon Sep 17 00:00:00 2001 
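Review bot: The `## Traffic filters` heading becomes `## Traffic Filters`, but `## Configure traffic filters` further down in the same hunk stays lowercase, so the page ends up with two capitalisation styles for the same term; pick one. Two grammar slips also survive in a patch whose subject is grammar: the new sentence has "interface specific firewall rules" where "interface-specific" is needed, and the context bullet between the two re-spaced example bullets still reads "The Contoso finance apps is allowed".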
From: LauraKellerGitHub Date: Thu, 23 Apr 2020 15:28:13 -0700 Subject: [PATCH 07/24] removal of acronym sccm --- windows/deployment/update/fod-and-lang-packs.md | 8 ++++---- windows/deployment/update/how-windows-update-works.md | 6 +++--- .../update/waas-delivery-optimization-reference.md | 4 ++-- .../deployment/update/waas-delivery-optimization.md | 2 +- windows/deployment/update/waas-wu-settings.md | 2 +- .../update/windows-update-troubleshooting.md | 4 ++-- windows/deployment/windows-10-poc-sc-config-mgr.md | 2 +- ...-level-windows-diagnostic-events-and-fields-1703.md | 6 +++--- ...-level-windows-diagnostic-events-and-fields-1709.md | 10 +++++----- ...-level-windows-diagnostic-events-and-fields-1803.md | 8 ++++---- ...-level-windows-diagnostic-events-and-fields-1809.md | 8 ++++---- ...-level-windows-diagnostic-events-and-fields-1903.md | 4 ++-- .../resolved-issues-windows-10-1903.yml | 4 ++-- ...issues-windows-7-and-windows-server-2008-r2-sp1.yml | 2 +- .../threat-protection/mbsa-removal-and-guidance.md | 2 +- 15 files changed, 36 insertions(+), 36 deletions(-) diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 9dbe7740b3..d125672d4a 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -1,6 +1,6 @@ --- -title: Windows 10 - How to make FoD and language packs available when you're using WSUS/SCCM -description: Learn how to make FoD and language packs available when you're using WSUS/SCCM +title: Windows 10 - How to make FoD and language packs available when you're using WSUS or Configuration Manager +description: Learn how to make FoD and language packs available when you're using WSUS or Configuration Manager ms.prod: w10 ms.mktglfcycl: manage 
@@ -14,7 +14,7 @@ ms.reviewer: manager: laurawi ms.topic: article --- -# How to make Features on Demand and language packs available when you're using WSUS/SCCM +# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager > Applies to: Windows 10 @@ -26,6 +26,6 @@ In Windows 10 version 1709 and 1803, changing the **Specify settings for optiona In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It’s currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location. -For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS or SCCM or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location. +For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location. Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/). diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index ac597ae387..7284fecba7 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md 
@@ -106,7 +106,7 @@ When users start scanning in Windows Update through the Settings panel, the foll |MU|7971f918-a847-4430-9279-4a52d1efe18d| |Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| |OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| -|WSUS or SCCM|Via ServerSelection::ssManagedServer
3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | +|WSUS or Configuration Manager|Via ServerSelection::ssManagedServer
3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | |Offline scan service|Via IUpdateServiceManager::AddScanPackageService| #### Finds network faults @@ -117,9 +117,9 @@ Common update failure is caused due to network issues. To find the root of the i - The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. > [!NOTE] - > Warning messages for SLS can be ignored if the search is against WSUS/SCCM. + > Warning messages for SLS can be ignored if the search is against WSUS or Configuration Manager. -- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. +- On sites that only use WSUS or Configuration Manager, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS or Configuration Manager, since it’s locally configured. ![Windows Update scan log 3](images/update-scan-log-3.png) ## Downloading updates diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index de0d1957dc..a5d605d778 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md 
@@ -110,7 +110,7 @@ Download mode dictates which download sources clients are allowed to use when do | Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | -|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | +|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. 
If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | >[!NOTE] >Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group. @@ -119,7 +119,7 @@ Download mode dictates which download sources clients are allowed to use when do By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. -[//]: # (SCCM Boundary Group option; GroupID Source policy) +[//]: # (Configuration Manager Boundary Group option; GroupID Source policy) >[!NOTE] >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 9de80024c2..d37589c3e6 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md 
@@ -54,7 +54,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | Windows Defender definition updates | 1511 | | Office Click-to-Run updates | 1709 | | Win32 apps for Intune | 1709 | -| SCCM Express Updates | 1709 + Configuration Manager version 1711 | +| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 |