mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
Merge remote-tracking branch 'refs/remotes/origin/master' into rs2
# Conflicts: # windows/manage/TOC.md # windows/manage/index.md
commit
d770bdc313
@ -5,7 +5,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: edu
|
||||
author: jdeckerMS
|
||||
author: CelesteDG
|
||||
---
|
||||
|
||||
# Change history for Windows 10 for Education
|
||||
|
@ -5,7 +5,7 @@ keywords: school
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
author: jdeckerMS
|
||||
author: trudyha
|
||||
---
|
||||
|
||||
# Get Minecraft: Education Edition
|
||||
|
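Review bot: the metadata block in this file reads "ms.prod: W10" and has no "ms.pagetype: edu" line between ms.sitesec and author, while the other education topics touched in this commit use "ms.prod: w10" and carry "ms.pagetype: edu". Since the author line is being edited anyway, normalise the casing and add the missing pagetype here and in the other Minecraft: Education Edition topics so the whole set is tagged consistently.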
@ -5,7 +5,7 @@ keywords: ["school"]
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
author: jdeckerMS
|
||||
author: trudyha
|
||||
---
|
||||
|
||||
# For IT administrators - get Minecraft: Education Edition
|
||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
ms.pagetype: edu
|
||||
author: jdeckerMS
|
||||
author: CelesteDG
|
||||
---
|
||||
|
||||
# Technical reference for the Set up School PCs app
|
||||
|
@ -5,7 +5,7 @@ keywords: ["shared cart", "shared PC", "school"]
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
author: jdeckerMS
|
||||
author: CelesteDG
|
||||
---
|
||||
|
||||
# Set up student PCs to join domain
|
||||
|
@ -5,7 +5,7 @@ keywords: ["shared cart", "shared PC", "school"]
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
author: jdeckerMS
|
||||
author: CelesteDG
|
||||
---
|
||||
|
||||
# Provision student PCs with apps
|
||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
ms.pagetype: edu
|
||||
author: jdeckerMS
|
||||
author: CelesteDG
|
||||
---
|
||||
|
||||
# Provisioning options for Windows 10
|
||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
ms.pagetype: edu
|
||||
author: jdeckerMS
|
||||
author: CelesteDG
|
||||
---
|
||||
|
||||
# Take a Test app technical reference
|
||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
ms.pagetype: edu
|
||||
author: jdeckerMS
|
||||
author: CelesteDG
|
||||
---
|
||||
|
||||
# Set up Take a Test on multiple PCs
|
||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
ms.pagetype: edu
|
||||
author: jdeckerMS
|
||||
author: CelesteDG
|
||||
---
|
||||
|
||||
# Set up Take a Test on a single PC
|
||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
ms.pagetype: edu
|
||||
author: jdeckerMS
|
||||
author: CelesteDG
|
||||
---
|
||||
|
||||
# Take tests in Windows 10
|
||||
|
@ -5,7 +5,7 @@ keywords: ["school"]
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
author: jdeckerMS
|
||||
author: trudyha
|
||||
---
|
||||
|
||||
# For teachers - get Minecraft: Education Edition
|
||||
|
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
ms.pagetype: edu
|
||||
author: jdeckerMS
|
||||
author: CelesteDG
|
||||
---
|
||||
|
||||
# Use the Set up School PCs app
|
||||
|
@ -115,7 +115,11 @@ Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI
|
||||
|
||||
Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
|
||||
|
||||
The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software.
|
||||
Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete.
|
||||
|
||||
Windows Defender in Windows 10 supports ELAM, as do Microsoft System Center 2012 Endpoint Protection and non-Microsoft antimalware apps.
|
||||
|
||||
To do this, ELAM loads an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software.
|
||||
|
||||
With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy.
|
||||
ELAM classifies drivers as follows:
|
||||
|
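Review bot: in the paragraph beginning "Early Launch Antimalware (ELAM) is designed", the sentence "ELAM will detect the change, and Windows will prevent the driver from starting" is unconditional, but the context paragraph just below says boot drivers are initialized "based on the classification that the ELAM driver returns according to an initialization policy" that IT pros can change through Group Policy. Suggest qualifying the claim, for example "Windows can prevent the driver from starting, depending on the boot-start driver initialization policy". A second point: "To do this, ELAM loads an antimalware driver" now follows the Windows Defender support sentence, so "this" has no clear antecedent; move the Windows Defender sentence after that paragraph or keep the original "The purpose of ELAM is to" opening.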
@ -178,11 +178,11 @@ You can do this by using either the Control Panel or the Deployment Image Servic
|
||||
|
||||
1. Open an elevated command prompt.
|
||||
2. Add the Hyper-V Hypervisor by running the following command:
|
||||
``` syntax
|
||||
```
|
||||
dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
|
||||
```
|
||||
3. Add the Isolated User Mode feature by running the following command:
|
||||
``` syntax
|
||||
```
|
||||
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
|
||||
```
|
||||
|
||||
|
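Review bot: the placeholder in steps 2 and 3, "/image:<WIM file name>", is misleading and worth fixing while these lines are being touched. The DISM /Image option takes the path to the root directory of a mounted offline image, not the name of a .wim file, so the command as written will not work if the placeholder is followed literally; something like "<path to mounted image>" would be accurate. Separately, the fence opener appears both as "``` syntax" and as a bare "```" for each command; pick one form and use it for both steps.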
@ -14,7 +14,7 @@ author: brianlic-msft
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see:
|
||||
Code integrity policies provide control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of code integrity, see:
|
||||
- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) in "Introduction to Device Guard: virtualization-based security and code integrity policies."
|
||||
- [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Device Guard."
|
||||
|
||||
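Review bot: the reworded opening sentence still says "a computer running Windows 10", but the applies-to list directly above it names both Windows 10 and Windows Server 2016. Suggest "a computer running Windows 10 or Windows Server 2016", or simply "a computer", so the scope of the sentence matches the list. The addition of "a driver or application" is an improvement, since it makes clear that kernel-mode code is covered as well.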
@ -23,7 +23,7 @@ If you already understand the basics of code integrity policy and want procedure
|
||||
This topic includes the following sections:
|
||||
|
||||
- [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics.
|
||||
- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy.
|
||||
- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a code integrity policy.
|
||||
- [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted.
|
||||
- [Example of file rule levels in use](#example-of-file-rule-levels-in-use): Gives an example of how file rule levels can be applied.
|
||||
|
||||
@ -31,7 +31,7 @@ This topic includes the following sections:
|
||||
|
||||
A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
|
||||
|
||||
> **Note** Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies.
|
||||
> **Note** Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **<EFI System Partition>\\Microsoft\\Boot**. Keep this in mind when you create your code integrity policies.
|
||||
|
||||
Optionally, code integrity policies can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
|
||||
|
||||
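Review bot: in the expanded note, "<EFI System Partition>" is written with bare angle brackets inside bold text, and many Markdown renderers will treat it as an unknown HTML tag and drop it, leaving the path as "\Microsoft\Boot". Escape the brackets (&lt;EFI System Partition&gt;) or italicise the placeholder without brackets. It would also help to say whether the copy on the EFI System Partition must be removed as well when a policy is replaced or retired, because the note now tells the reader there are two locations but the "only one policy at a time" guidance does not say how the two are kept in step.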
@ -43,10 +43,12 @@ Code integrity policies include *policy rules*, which control options such as au
|
||||
|
||||
To modify the policy rule options of an existing code integrity policy, use the [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing code integrity policy:
|
||||
|
||||
- To enable UMCI, add rule option 0 to an existing policy by running the following command:
|
||||
- To ensure that UMCI is enabled for a code integrity policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
|
||||
|
||||
` Set-RuleOption -FilePath <Path to policy> -Option 0`
|
||||
|
||||
Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option.
|
||||
|
||||
- To disable UMCI on an existing code integrity policy, delete rule option 0 by running the following command:
|
||||
|
||||
` Set-RuleOption -FilePath <Path to policy> -Option 0 -Delete`
|
||||
|
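Review bot: the reworded first bullet ties "Set-RuleOption -Option 0" to policies "created with the -UserPEs (user mode) option", but the create-policy topic changed in this same commit states that specifying -UserPEs adds rule option "0 Enabled:UMCI" automatically, so the command is redundant in exactly the case the bullet names. The case where a reader would actually run it is a policy created without -UserPEs, which is the case the new "Note that" paragraph warns against. Suggest rewording the bullet to say the option is normally already present after a -UserPEs scan and that the command only re-adds it if it was deleted. Also indent the "Note that" paragraph under the first bullet so it does not split the list between the two Set-RuleOption examples.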
@ -38,11 +38,11 @@ To create a code integrity policy, copy each of the following commands into an e
|
||||
|
||||
> **Notes**
|
||||
|
||||
> - By specifying the *–UserPEs* parameter, rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. If you do not specify this parameter, to enable UMCI, use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) as shown in the following command:<br>**Set-RuleOption -FilePath $InitialCIPolicy -Option 0**
|
||||
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
|
||||
|
||||
> - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.”
|
||||
|
||||
> - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.”
|
||||
|
||||
> - To specify that the code integrity policy scan only a specific drive, include the *–ScanPath* parameter followed by a path. Without this parameter, the entire system is scanned.
|
||||
> - To specify that the code integrity policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
|
||||
|
||||
> - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
|
||||
|
||||
|
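Review bot: the rewritten first note explains what goes wrong when rule option 0 is added to a policy that was created without -UserPEs, but it ends on the symptom (event logged in audit mode, application blocked in enforced mode) and no longer tells the reader what to do. The policy-rules topic in this commit closes the same explanation with the remedy, "when you run New-CIPolicy, include the -UserPEs option"; add an equivalent sentence here. The term "whitelist" also appears only in this note; "the policy" or "the list of trusted applications" would match the wording used in the rest of the topic. The switch from en dashes to plain hyphens in the parameter names is correct and should be applied to any remaining occurrences.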
@ -22,6 +22,7 @@ The topics in this library have been updated for Windows 10, version 1703 (also
|
||||
|
||||
| New or changed topic | Description |
|
||||
| --- | --- |
|
||||
| [Windows Libraries](windows-libraries.md) | New |
|
||||
| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New |
|
||||
| [Get started with Update Compliance](update-compliance-get-started.md) | New |
|
||||
| [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New |
|
||||
@ -189,4 +190,4 @@ The topics in this library have been updated for Windows 10, version 1607 (also
|
||||
|
||||
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
|
||||
|
||||
|
||||
|
||||
|
@ -21,6 +21,7 @@ Learn about managing Windows 10.
|
||||
## In this section
|
||||
|
||||
|
||||
|
||||
| Topic | Description |
|
||||
| --- | --- |
|
||||
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. |
|
||||
@ -40,6 +41,7 @@ Learn about managing Windows 10.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
[Windows 10 and Windows 10 Mobile](../index.md)
|
||||
|
@ -32,14 +32,48 @@ By default in Windows 10 Enterprise and Education, Delivery Optimization allows
|
||||
|
||||
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
|
||||
|
||||
- Group Policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization
|
||||
- MDM: .Vendor/MSFT/Policy/Config/DeliveryOptimization
|
||||
You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
|
||||
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
|
||||
|
||||
Several Delivery Optimization features are configurable.
|
||||
Several Delivery Optimization features are configurable:
|
||||
|
||||
<span id="download-mode"/>
|
||||
| Group Policy setting | MDM setting |
|
||||
| --- | --- |
|
||||
| [Download mode](#download-mode) | DODownloadMode |
|
||||
| [Group ID](#group-id) | DOGroupID |
|
||||
| [Max Cache Age](#max-cache-age) | DOMaxCacheAge |
|
||||
| [Max Cache Size](#max-cache-size) | DOMaxCacheSize |
|
||||
| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize |
|
||||
| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive |
|
||||
| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth |
|
||||
| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth |
|
||||
| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth |
|
||||
| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap |
|
||||
| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS |
|
||||
|
||||
### Download mode (DODownloadMode)
|
||||
When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates.
|
||||
|
||||
While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior.
|
||||
|
||||
[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group.
|
||||
|
||||
Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the settings below to adjust the Delivery Optimization cache to suit your scenario:
|
||||
- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use.
|
||||
- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache.
|
||||
- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location.
|
||||
|
||||
>[!NOTE]
|
||||
>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
|
||||
|
||||
There are additional options available to robustly control the impact Delivery Optimization has on your network:
|
||||
- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization.
|
||||
- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
|
||||
- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month.
|
||||
- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
|
||||
|
||||
Provided below is a detailed description of every configurable feature setting. Use these details when configuring any of the above settings.
|
||||
|
||||
### Download mode
|
||||
|
||||
Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do.
|
||||
|
||||
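Review bot: the sentence "You will find the Delivery Optimization settings in Group Policy under Configuration\Policies\Administrative Templates\..." omits the leading "Computer" that the bullet form of the same path and the procedure steps later in the topic both use (Computer Configuration\Policies\...); restore it so the path can be followed as written. Two smaller points in the same hunk: the span with id="download-mode" placed above the settings table duplicates the anchor that the "### Download mode" heading is expected to generate, so links to #download-mode may land on the table instead of the section; and "[Maximum Download Bandwidth] and [Percentage of Maximum Download Bandwidth] controls" should read "control".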
@ -55,176 +89,51 @@ Download mode dictates which download sources clients are allowed to use when do
|
||||
>[!NOTE]
|
||||
>Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
|
||||
|
||||
### Group ID (DOGroupID)
|
||||
### Group ID
|
||||
|
||||
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
|
||||
|
||||
>[!NOTE]
|
||||
>This configuration is optional and not required for most implementations of Delivery Optimization.
|
||||
|
||||
### Max Cache Age (DOMaxCacheAge)
|
||||
### Max Cache Age
|
||||
|
||||
In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
|
||||
|
||||
### Max Cache Size (DOMaxCacheSize)
|
||||
### Max Cache Size
|
||||
|
||||
This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
|
||||
|
||||
### Absolute Max Cache Size (DOAbsoluteMaxCacheSize)
|
||||
### Absolute Max Cache Size
|
||||
|
||||
This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB.
|
||||
|
||||
### Maximum Download Bandwidth (DOMaxDownloadBandwidth)
|
||||
### Maximum Download Bandwidth
|
||||
|
||||
This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
|
||||
|
||||
### Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
|
||||
### Percentage of Maximum Download Bandwidth
|
||||
|
||||
This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
|
||||
|
||||
### Max Upload Bandwidth (DOMaxUploadBandwidth)
|
||||
### Max Upload Bandwidth
|
||||
|
||||
This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
|
||||
|
||||
### Minimum Background QoS (DOMinBackgroundQoS)
|
||||
### Minimum Background QoS
|
||||
|
||||
This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
|
||||
|
||||
### Modify Cache Drive (DOModifyCacheDrive)
|
||||
### Modify Cache Drive
|
||||
|
||||
This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache).
|
||||
|
||||
### Monthly Upload Data Cap (DOMonthlyUploadDataCap)
|
||||
### Monthly Upload Data Cap
|
||||
|
||||
This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
|
||||
|
||||
## Delivery Optimization configuration examples
|
||||
|
||||
Delivery Optimization can be configured in various ways, leveraging the policies described in the previous section. The following samples describe some common scenarios that organizations may want to set up, given specific scenarios in use for their organization.
|
||||
|
||||
### Use Delivery Optimzation with group download mode
|
||||
|
||||
Delivery Optimization by default will consider all PCs in an organizations as peers for sharing content, even those that might be located across a slower WAN link. Group download mode is designed to help with this by limiting the PCs that can be used. In Windows 10, version 1511, group download mode considers PCs in the same domain and with the same configured Group ID to be eligible peers. In Windows 10, version 1607, the default behavior also adds the PC's AD DS site into the grouping determination.
|
||||
|
||||
**To use Group Policy to configure Delivery Optimization for group download mode**
|
||||
|
||||
1. Open Group Policy Management Console (GPMC).
|
||||
|
||||
2. Expand Forest\Domains\\*Your_Domain*.
|
||||
|
||||
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
|
||||
|
||||
4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Group**.
|
||||
|
||||
5. Right-click the **Delivery Optimization – Group** GPO, and then click **Edit**.
|
||||
|
||||
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
|
||||
|
||||
7. Right-click the **Download Mode** setting, and then click **Edit**.
|
||||
|
||||
8. Enable the policy, and then select the **Group** download mode.
|
||||
|
||||
9. Right-click the **GroupID** setting, and then click **Edit**. Enable the policy, and then specify a unique GUID for each group of PCs. (This is not required for Windows 10, version 1607, since the AD site code will be used to group devices automatically.)
|
||||
|
||||
10. Click **OK**, and then close the Group Policy Management Editor.
|
||||
|
||||
11. In GPMC, select the **Delivery Optimization – Group** policy.
|
||||
|
||||
12. On the **Scope** tab, under **Security Filtering**, configure the policy to be targeted to an approprite computer group.
|
||||
|
||||
**To use Intune to configure Delivery Optimization for group download mode**
|
||||
|
||||
1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
|
||||
|
||||
2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
|
||||
|
||||
3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
|
||||
|
||||
4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
|
||||
|
||||
5. In **Setting name**, type **Set Delivery Optimization to Group**, and then select **Integer** from the **Data type** list.
|
||||
|
||||
6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode**.
|
||||
|
||||
7. In the **Value** box, type **2**, and then click **OK**.
|
||||
|
||||
>[!NOTE]
|
||||
>The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
|
||||
|
||||
8. Click **Save Policy**.
|
||||
|
||||
9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
|
||||
|
||||
>[!NOTE]
|
||||
>If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
|
||||
|
||||
10. In the **Manage Deployment** dialog box, select the **All Computers** group, click **Add**, and then click **OK**.
|
||||
|
||||
### Use WSUS and BranchCache with Windows 10, version 1511
|
||||
|
||||
In Windows 10, version 1511, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **HTTP only** download mode, which results in Background Intelligent Transfer Service (BITS) being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
|
||||
|
||||
**To use Group Policy to configure HTTP only download mode**
|
||||
|
||||
1. Open Group Policy Management Console (GPMC).
|
||||
|
||||
2. Expand Forest\Domains\\*Your_Domain*.
|
||||
|
||||
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
|
||||
|
||||
4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – HTTP Only**.
|
||||
|
||||
5. Right-click the **Delivery Optimization – HTTP Only** GPO, and then click **Edit**.
|
||||
|
||||
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
|
||||
|
||||
7. Right-click the **Download Mode** setting, and then click **Edit**.
|
||||
|
||||
8. Enable the policy, and then select the **HTTP only** download mode.
|
||||
|
||||
9. Click **OK**, and then close the Group Policy Management Editor.
|
||||
|
||||
10. In GPMC, select the **Delivery Optimization – HTTP Only** policy.
|
||||
|
||||
11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, browse to the **Domain Computers** group, and then click **OK**.
|
||||
|
||||

|
||||
|
||||
>[!NOTE]
|
||||
>This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
|
||||
|
||||
### Use WSUS and BranchCache with Windows 10, version 1607
|
||||
|
||||
In Windows 10, version 1607, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **Bypass** download mode (new in Windows 10, version 1607), which results in BITS being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available.
|
||||
|
||||
**To use Group Policy to enable the Bypass download mode**
|
||||
|
||||
1. Open Group Policy Management Console (GPMC).
|
||||
|
||||
2. Expand Forest\Domains\\*Your_Domain*.
|
||||
|
||||
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
|
||||
|
||||
4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Bypass**.
|
||||
|
||||
5. Right-click the **Delivery Optimization – Bypass** GPO, and then click **Edit**.
|
||||
|
||||
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization.
|
||||
|
||||
7. Right-click the **Download Mode** setting, and then click **Edit**.
|
||||
|
||||
8. Enable the policy, and then select the **Bypass** download mode. (Note that this download mode is only present in the Windows 10, version 1607, Group Policy ADMX files.)
|
||||
|
||||
9. Click **OK**, and then close the Group Policy Management Editor.
|
||||
|
||||
10. In GPMC, select the **Delivery Optimization – Bypass** policy.
|
||||
|
||||
11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, select the **Domain Computers** group, and then click **OK**.
|
||||
|
||||
>[!NOTE]
|
||||
>This example uses the Domain Computers group, but you can deploy this policy setting to any computer group.
|
||||
|
||||
### Set “preferred” cache devices for Delivery Optimization
|
||||
<span id="set-preferred-cache-devices"/>
|
||||
## Set “preferred” cache devices for Delivery Optimization
|
||||
|
||||
In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content).
|
||||
|
||||
|
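Review bot: Step 4 names the policy **Windows Update for Business - CBB1** with a hyphen, but step 9 refers to the **Deploy Policy: Windows Update for Business – CBB1** dialog box with an en dash, so the two names do not match; use the same character in both. Near the end of the hunk, the anchor `<span id="set-preferred-cache-devices"/>` is self-closing, which HTML ignores for `span`, leaving the element open over the heading that follows; write `<span id="set-preferred-cache-devices"></span>` instead. The paragraph under that heading also has the typo "devices’s", which should be "device’s".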
@ -40,9 +40,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
|
||||
| BranchCache |  |  | |  |
|
||||
|
||||
>[!NOTE]
|
||||
>Starting with preview version 1604, System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage in the same Configuration Manager boundary group. This is expected to be available in later Configuration Manager current branch releases.
|
||||
>System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache).
|
||||
>
|
||||
>In addition to client content sharing, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt613173.aspx).
|
||||
>In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx).
|
||||
|
||||
## Express update delivery
|
||||
|
||||
|
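Review bot: In the Client Peer Cache note, the line that links to docs.microsoft.com writes "boundary Group" with a capital G, while the line beside it writes "boundary group"; keep it lowercase. The comma that line places before "in the same Configuration Manager boundary Group" also separates the phrase from the clients it restricts, so drop it. The Windows PE Peer Cache link now omits the `en-us` locale segment, which is consistent with the other link in this note, but it still points at technet.microsoft.com while the Client Peer Cache link points at docs.microsoft.com; check whether both should use the same site.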