Merge branch 'main' into pm-20230224-edu-managed-installer

Stacyrch140 2023-06-20 12:26:27 -04:00 committed by GitHub
commit e44666c9af
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 272 additions and 82 deletions


@ -33,6 +33,9 @@ sections:
- question: Can I load Windows 11 SE on any hardware?
answer: |
Windows 11 SE is only available on devices that are built for education. To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview).
- question: Can I PXE boot a Windows SE device?
answer: |
No, Secure Boot prevents Windows SE devices from booting via PXE. As a workaround, you can use a UEFI bootable USB device to boot the device.
- name: Applications and settings
questions:
- question: How can I install applications on Windows 11 SE?
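Review bot: the new PXE answer attributes the restriction to Secure Boot but gives no reference, whereas the preceding answer links the Windows 11 SE Overview; add a link to the page that documents the boot restriction so a reader can verify both the constraint and the UEFI bootable USB workaround. Also keep the product name consistent: the new question says "Windows SE" while the neighbouring question and its answer say "Windows 11 SE".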


@ -1090,7 +1090,7 @@ Nodes under SSO can be used to choose a certificate different from the VPN Authe
<!-- Device-{ProfileName}-DeviceCompliance-Sso-Eku-Description-Begin -->
<!-- Description-Source-DDF -->
Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.
Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
<!-- Device-{ProfileName}-DeviceCompliance-Sso-Eku-Description-End -->
<!-- Device-{ProfileName}-DeviceCompliance-Sso-Eku-Editable-Begin -->
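Review bot: this hunk edits text that sits between the `<!-- Description-Source-DDF -->` markers, i.e. a description generated from the DDF, and the editable-section comment used throughout this file warns that anything outside the editable section gets overwritten; apply the "EKU's" to "EKUs" fix in the DDF source as well, or the next regeneration will reintroduce the apostrophe. The same applies to the other Description-Source-DDF hunks in this file (DnsServers, EdpModeId, Servers, and their User-scope counterparts).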
@ -1222,7 +1222,7 @@ First, it automatically becomes an always on profile.
Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect.
Third, no other Device Tunnel profile maybe be present on the same machine.
Third, no other Device Tunnel profile may be present on the same machine.
A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
<!-- Device-{ProfileName}-DeviceTunnel-Description-End -->
@ -1587,7 +1587,7 @@ Boolean to determine whether this domain name rule will trigger the VPN.
<!-- Device-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Description-Begin -->
<!-- Description-Source-DDF -->
Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
Comma Separated list of IP addresses for the DNS Servers to use for the domain name.
<!-- Device-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Description-End -->
<!-- Device-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Editable-Begin -->
@ -1792,7 +1792,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
<!-- Device-{ProfileName}-EdpModeId-Description-Begin -->
<!-- Description-Source-DDF -->
Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
<!-- Device-{ProfileName}-EdpModeId-Description-End -->
<!-- Device-{ProfileName}-EdpModeId-Editable-Begin -->
@ -2768,8 +2768,10 @@ Required for native profiles. Type of tunneling protocol used.
<!-- Device-{ProfileName}-NativeProfile-NativeProtocolType-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Using NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
> [!NOTE]
> For a Device Tunnel, use IKEv2 only.
> For a User Tunnel, any value is allowed.
> Using ProtocolList as value in NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
<!-- Device-{ProfileName}-NativeProfile-NativeProtocolType-Editable-End -->
<!-- Device-{ProfileName}-NativeProfile-NativeProtocolType-DFProperties-Begin -->
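Review bot: the rewritten [!NOTE] packs three separate statements into one callout with no structure, and "Using ProtocolList as value in NativeProtocolType" is missing an article. Suggest a short list inside the note: `- For a Device Tunnel, use IKEv2 only.`, `- For a User Tunnel, any value is allowed.`, `- Using ProtocolList as the value requires additional configuration of the NativeProfile/ProtocolList parameter.` Keep the "Device Tunnel"/"User Tunnel" capitalization consistent with the ProtocolList note in the next hunk, which writes "Device tunnel". The User-scope counterpart hunk carries the same text and needs the same fix.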
@ -2899,8 +2901,10 @@ List of inbox VPN protocols in priority order.
<!-- Device-{ProfileName}-NativeProfile-ProtocolList-NativeProtocolList-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Up to 4 VPN protocols are supported. A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples).
> [!NOTE]
> For a User Tunnel up to 4 VPN protocols are supported.
> A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples).
> For a Device tunnel, we recommend using IKEv2 in NativeProtocolType instead of ProtocolList.
<!-- Device-{ProfileName}-NativeProfile-ProtocolList-NativeProtocolList-Editable-End -->
<!-- Device-{ProfileName}-NativeProfile-ProtocolList-NativeProtocolList-DFProperties-Begin -->
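Review bot: "For a User Tunnel up to 4 VPN protocols are supported." needs a comma after "User Tunnel", and "Device tunnel" is capitalized differently from "Device Tunnel" in the NativeProtocolType note two hunks earlier. The IKEv2-only recommendation for a Device tunnel is now stated both here and in the NativeProtocolType note; consider cross-referencing the two so the guidance is maintained in one place. The User-scope counterpart hunk carries the same text.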
@ -3032,7 +3036,7 @@ Default 168, max 500000.
<!-- Device-{ProfileName}-NativeProfile-ProtocolList-RetryTimeInHours-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
RetryTimeInHours specifies the length of time Windows tries to use the last succesful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
RetryTimeInHours specifies the length of time Windows tries to use the last successful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
<!-- Device-{ProfileName}-NativeProfile-ProtocolList-RetryTimeInHours-Editable-End -->
<!-- Device-{ProfileName}-NativeProfile-ProtocolList-RetryTimeInHours-DFProperties-Begin -->
@ -3115,7 +3119,7 @@ Type of routing policy.
<!-- Device-{ProfileName}-NativeProfile-Servers-Description-Begin -->
<!-- Description-Source-DDF -->
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
<!-- Device-{ProfileName}-NativeProfile-Servers-Description-End -->
<!-- Device-{ProfileName}-NativeProfile-Servers-Editable-Begin -->
@ -5383,7 +5387,7 @@ Nodes under SSO can be used to choose a certificate different from the VPN Authe
<!-- User-{ProfileName}-DeviceCompliance-Sso-Eku-Description-Begin -->
<!-- Description-Source-DDF -->
Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.
Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
<!-- User-{ProfileName}-DeviceCompliance-Sso-Eku-Description-End -->
<!-- User-{ProfileName}-DeviceCompliance-Sso-Eku-Editable-Begin -->
@ -5823,7 +5827,7 @@ Boolean to determine whether this domain name rule will trigger the VPN.
<!-- User-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Description-Begin -->
<!-- Description-Source-DDF -->
Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
Comma Separated list of IP addresses for the DNS Servers to use for the domain name.
<!-- User-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Description-End -->
<!-- User-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Editable-Begin -->
@ -6028,7 +6032,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
<!-- User-{ProfileName}-EdpModeId-Description-Begin -->
<!-- Description-Source-DDF -->
Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
<!-- User-{ProfileName}-EdpModeId-Description-End -->
<!-- User-{ProfileName}-EdpModeId-Editable-Begin -->
@ -7004,8 +7008,10 @@ Required for native profiles. Type of tunneling protocol used.
<!-- User-{ProfileName}-NativeProfile-NativeProtocolType-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Using NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
> [!NOTE]
> For a Device Tunnel, use IKEv2 only.
> For a User Tunnel, any value is allowed.
> Using ProtocolList as value in NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
<!-- User-{ProfileName}-NativeProfile-NativeProtocolType-Editable-End -->
<!-- User-{ProfileName}-NativeProfile-NativeProtocolType-DFProperties-Begin -->
@ -7135,8 +7141,10 @@ List of inbox VPN protocols in priority order.
<!-- User-{ProfileName}-NativeProfile-ProtocolList-NativeProtocolList-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Up to 4 VPN protocols are supported. A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples).
> [!NOTE]
> For a User Tunnel up to 4 VPN protocols are supported.
> A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples).
> For a Device tunnel, we recommend using IKEv2 in NativeProtocolType instead of ProtocolList.
<!-- User-{ProfileName}-NativeProfile-ProtocolList-NativeProtocolList-Editable-End -->
<!-- User-{ProfileName}-NativeProfile-ProtocolList-NativeProtocolList-DFProperties-Begin -->
@ -7268,7 +7276,7 @@ Default 168, max 500000.
<!-- User-{ProfileName}-NativeProfile-ProtocolList-RetryTimeInHours-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
RetryTimeInHours specifies the length of time Windows tries to use the last succesful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
RetryTimeInHours specifies the length of time Windows tries to use the last successful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
<!-- User-{ProfileName}-NativeProfile-ProtocolList-RetryTimeInHours-Editable-End -->
<!-- User-{ProfileName}-NativeProfile-ProtocolList-RetryTimeInHours-DFProperties-Begin -->
@ -7351,7 +7359,7 @@ Type of routing policy.
<!-- User-{ProfileName}-NativeProfile-Servers-Description-Begin -->
<!-- Description-Source-DDF -->
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
<!-- User-{ProfileName}-NativeProfile-Servers-Description-End -->
<!-- User-{ProfileName}-NativeProfile-Servers-Editable-Begin -->


@ -217,8 +217,10 @@
- name: Software updates in the Microsoft 365 admin center
href: update/wufb-reports-admin-center.md
- name: Use Windows Update for Business reports data
href: update/wufb-reports-use.md
- name: Feedback, support, and troubleshooting
href: update/wufb-reports-use.md
- name: FAQ for Windows Update for Business reports
href: update/wufb-reports-faq.yml
- name: Feedback and support
href: update/wufb-reports-help.md
- name: Windows Update for Business reports schema reference
items:
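Review bot: the removed entry "Feedback, support, and troubleshooting" pointed at update/wufb-reports-use.md, the same target as the "Use Windows Update for Business reports data" node directly above it, so the old link was a duplicate; the new "Feedback and support" entry correctly targets update/wufb-reports-help.md. Since "troubleshooting" is dropped from the node name and a later hunk removes the "## Troubleshooting tips" section, confirm that guidance is reachable from the new "FAQ for Windows Update for Business reports" node (update/wufb-reports-faq.yml).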

Binary file not shown.



@ -0,0 +1,182 @@
### YamlMime:FAQ
metadata:
title: Windows Update for Business reports - Frequently Asked Questions (FAQ)
description: Answers to frequently asked questions about Windows Update for Business reports.
ms.prod: windows-client
ms.topic: faq
ms.date: 06/20/2023
manager: aaroncz
author: mestew
ms.author: mstewart
ms.technology: itpro-updates
title: Frequently Asked Questions about Windows Update for Business reports
summary: |
This article answers frequently asked questions about Windows Update for Business reports. <!--7760853-->
**General questions**:
- [What is Windows Update for Business reports?](#what-is-windows-update-for-business-reports)
- [Is Windows Update for Business reports free?](#is-windows-update-for-business-reports-free)
- [What Windows versions are supported?](#what-windows-versions-are-supported)
**Setup questions**:
- [How do you set up Windows Update for Business reports?](#how-do-you-set-up-windows-update-for-business-reports)
- [Why is "Waiting for Windows Update for Business reports data" displayed on the page](#why-is--waiting-for-windows-update-for-business-reports-data--displayed-on-the-page)
- [Why am I getting the error "400 Bad Request: The specified resource already exists"?](#why-am-i-getting-the-error--400-bad-request--the-specified-resource-already-exists-)
**Questions about using Windows Update for Business reports**:
- [Why is the device name null(#)?](#why-is-the-device-name-null---)
- [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports)
- [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version)
- [Why are there multiple records for the same device?](#why-are-there-multiple-records-for-the-same-device)
- [When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?](#when-should-i-use-the-ucclient--ucclientupdatestatus--or-ucupdatealert-tables)
- [What is the difference between quality and security updates?](#what-is-the-difference-between-quality-and-security-updates)
- [How do I confirm that devices are sending data?](#how-do-i-confirm-that-devices-are-sending-data)
- [Why isn't the workbook displaying data even though my UCClient table has data?](#why-isn-t-the-workbook-displaying-data-even-though-my-ucclient-table-has-data)
**Delivery Optimization data**:
- [What time period does the Delivery Optimization data include?](#what-time-period-does-the-delivery-optimization-data-include)
- [Data is showing as "Unknown", what does that mean?](#data-is-showing-as--unknown---what-does-that-mean)
- [How are the 'Top 10' groups identified?](#how-are-the--top-10--groups-identified)
- [The GroupIDs don't look familiar, why are they different?](#the-groupids-don-t-look-familiar--why-are-they-different)
- [How can I see data for device in the office vs. out of the office?](#how-can-i-see-data-for-device-in-the-office-vs--out-of-the-office)
- [What does the data in UCDOStatus table represent?](#what-does-the-data-in-ucdostatus-table-represent)
- [What does the data in UCDOAggregatedStatus table represent?](#what-does-the-data-in-ucdoaggregatedstatus-table-represent)
- [How are BytesFromCache calculated when there's a Connected Cache server used by my ISP?](#how-are-bytesfromcache-calculated-when-there-s-a-connected-cache-server-used-by-my-isp)
- [How do the results from the Delivery Optimization PowerShell cmdlets compare to the results in the report?](#how-do-the-results-from-the-delivery-optimization-powershell-cmdlets-compare-to-the-results-in-the-report)
- [The report represents the last 28 days of data, why do some queries include >= seven days?](#the-report-represents-the-last-28-days-of-data--why-do-some-queries-include----seven-days)
sections:
- name: General
questions:
- question: What is Windows Update for Business reports?
answer: |
Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses.
- question: Is Windows Update for Business reports free?
answer: |
Data ingested into your Log Analytics workspace can be retained at no charge for up to first 31 days (or 90 days if [Microsoft Sentinel](/azure/sentinel/overview) is enabled on the workspace). Data ingested into [Application Insights](/azure/azure-monitor/app/app-insights-overview), either classic or workspace-based, is retained for 90 days without any charge.
Data retained beyond these no-charge periods are charged for each GB of data retained for a month, pro-rated daily. For more information, see **Log Data Retention** in [Azure Monitor pricing](https://azure.microsoft.com/en-us/pricing/details/monitor/#pricing).
- question: What Windows versions are supported?
answer: |
Windows Update for Business reports supports clients running a [supported version of Windows 10 or Windows 11](/windows/release-health/supported-versions-windows-client) Professional, Education, Enterprise, and Enterprise multi-session editions. Windows Update for Business reports only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
- name: Setup questions
questions:
- question: How do you set up Windows Update for Business reports?
answer: |
After verifying the [prerequisites](wufb-reports-prerequisites.md) are met, you can start to set up Windows Update for Business reports.
The two main steps for setting up Windows Update for Business reports are:
1. [Add Windows Update for Business reports](wufb-reports-enable.md#bkmk_add) to your Azure subscription. This step has the following phases:
1. [Select or create a new Log Analytics workspace](wufb-reports-enable.md#bkmk_workspace) for use with Windows Update for Business reports.
1. Enroll into Windows Update for Business reports using one of the following methods:
- Enroll through the [Azure Workbook](wufb-reports-enable.md#bkmk_enroll) (preferred method)
- Enroll from the [Microsoft 365 admin center](wufb-reports-enable.md#bkmk_admin-center).
1. Configure the clients to send data to Windows Update for Business reports. You can configure clients in the following three ways:
- Use a [script](wufb-reports-configuration-script.md)
- Use [Microsoft Intune](wufb-reports-configuration-intune.md)
- Configure [manually](wufb-reports-configuration-manual.md)
- question: Why is `Waiting for Windows Update for Business reports data` displayed on the page?
answer: |
Typically, the **Waiting for Windows Update for Business reports data** message is displayed because:
- You may not have the correct [permissions](wufb-reports-prerequisites.md#permissions) to display the data.
- The initial enrollment may not be complete yet.
- It's possible that devices aren't sharing data. If you received a successful save message during enrollment but still haven't seen any data after 48 hours, try using the [configuration script](wufb-reports-configuration-script.md) on devices to ensure they're configured properly.
If you've verified the above items, but still aren't seeing data, you can unenroll then re-enroll. However, it takes another 24-48 hours for the enrollment to complete. If the issue persists, [contact support](wufb-reports-help.md).
- question: "Why am I getting the error `400 Bad Request: The specified resource already exists`?"
answer: |
A `400 Bad Request: The specified resource already exists` error message indicates that the service already has a subscription and workspace mapping saved. If you're trying to re-enroll with the same configuration settings, wait a few minutes, then refresh the page before saving your subscription and workspace again. Sometimes it can take time to register the save, so it's important to not re-enroll too quickly.
- name: Using Windows Update for Business reports
questions:
- question: Why is the device name null(#)?
answer: |
If you're seeing the device ID but not the device name, it's possible that the required policy for displaying the device name isn't set on the client. Ensure clients have the policy configured.
- CSP: [System/AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#allowdevicenameindiagnosticdata)
- Group Policy: Allow device name to be sent in Windows diagnostic data
- Located in **Computer Configuration** > **Administrative Templates** > **Windows Components** >**Data Collection and Preview Builds**. It can take up to 21 days for all device names to show in up in reports assuming they're powered on and active.
- question: Why am I missing devices in reports?
answer: |
Here are some reasons why you may not be seeing devices in reports:
- **The device isn't enrolled with Azure Active Directory**: A [prerequisite](wufb-reports-prerequisites.md#azure-and-azure-active-directory) for devices is that they're either [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
- **The device isn't sending data**: It's possible devices aren't sharing data due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script](wufb-reports-configuration-script.md) on devices to ensure they're configured properly.
- **The device isn't active enough**: Clients must be active and connected to the internet to scan against Microsoft Update. Ensure devices are powered on and have been active at least once in the past 28 days.
- **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 1000. This limit is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component.
- question: Why are there multiple records for the same device?
answer: |
Devices have multiple records when the `UCClientUpdateStatus` or `UCClientServiceStatus` tables are queried. These tables contain multiple records because they have the history for all devices that have discovered applicable updates within the past 28 days. For example, it's possible that a device has discovered multiple security updates, each with different update states, at various times over the past 28 days. It's also possible that a device can be in multiple deployments, so multiple records are displayed.
- question: What is the difference between OS version and target version?
answer: |
The word *target* in data labels refers to the update version, build or KB the client intends to update to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running.
- question: When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?
answer: |
These tables can be used for the following information:
- **UCClient**: Represents an individual device's record. It contains data such as the device's name, currently installed build, and the OS Edition. Each device has one record in this table. Use this table to get the overall compliance status of your devices.
- To display information for a specific device by Azure AD device ID: </br>
`UCClient where AzureADDeviceId contains "01234567-89ab-cdef-0123-456789abcdef"`
- To display all device records for devices running any Windows 11 OS version:</br>
`UCClient | where OSVersion contains "Windows 11"`
- **UCClientUpdateStatus**: Contains records for every update the device determined was applicable. There can be multiple records for a device if it's discovered multiple applicable updates in the past 60 days. Use this table if you want to get detailed update status for your active deployments. There will typically be 3 update status records per device for the latest 3 security updates.
- To find device records for devices that determined the March 14, 2023 update was applicable:</br>
`UCClientUpdateStatus | where UpdateCategory =="WindowsQualityUpdate" and UpdateReleaseTime == "3/14/2023"`
- To display devices that are in the restart required substate:</br>
`UCClientUpdateStatus |where ClientSubstate =="RestartRequired"`
- **UCUpdateAlert**: Use this table to understand update failures and act on devices through alert recommendations. This table contains information that needs attention, relative to one device, one update and one deployment (if relevant).
- To display information about an error code:
`UCUpdateAlert|where ErrorCode =="0X8024000b"`
- To display a count of devices with active alerts by subtype:
`UCUpdateAlert |where AlertStatus =="Active"|summarize Devices=count() by AlertSubtype`
- question: What is the difference between quality and security updates?
answer: |
Windows quality updates are monthly updates that are [released on the second or fourth Tuesday of the month](release-cycle.md). The cumulative updates released on the second Tuesday of the month can contain both security updates and nonsecurity updates. Cumulative updates released on the fourth Tuesday of the month are optional nonsecurity preview releases. Use the fields within the [UCClient table](wufb-reports-schema-ucclient.md) for additional information, such as:
- **OSSecurityUpdateStatus**: Indicates the status of the monthly update that's released on the second Tuesday
- **OSQualityUpdateStatus**: Indicates the status of the monthly update that's released on the fourth Tuesday
- question: How do I confirm that devices are sending data?
answer: |
Once enrollment is done and devices are properly configured to share data, wait for 48 hours for data to start showing up in reports. It can take up to 14 days for all of your devices to show up in reports in some cases where devices aren't active much. You can check to see if the Log Analytics tables are being populated in your workspace. The data is ingested by the service daily to generate reports. If you notice a day is missing, it's possible that the reports service missed an ingestion. To confirm devices are sending data, [query](wufb-reports-use.md#display-windows-update-for-business-reports-data) the [UCClient table](wufb-reports-schema-ucclient.md). The following query shows total enrolled device count per time-generated:
`UCClient | summarize count() by TimeGenerated`
:::image type="content" source="media/7760853-wufb-reports-time-generated.png" alt-text="Screenshot of using a Kusto (KQL) query for time generated on Windows Update for Business reports data in Log Analytics." lightbox="media/7760853-wufb-reports-time-generated.png":::
- question: Why isn't the workbook displaying data even though my UCClient table has data?
answer: |
If the [UCClient table](wufb-reports-schema-ucclient.md) has data, but the [workbook](wufb-reports-workbook.md) isn't displaying data, ensure that the user has correct permissions to read the data. The [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role is needed to view the data in the workbooks. The [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role is needed to do any edits to the queries and workbooks.
- name: Delivery Optimization data
questions:
- question: What time period does the Delivery Optimization data include?
answer: |
Data is aggregated for the last 28 days for active devices.
- question: Data is showing as 'Unknown', what does that mean?
answer: |
You may see data in the report listed as 'Unknown'. This status indicates that the Delivery Optimization DownloadMode setting is either invalid or empty.
- question: How are the 'Top 10' groups identified?
answer: |
The top groups are represented by the number of devices in a particular group, for any of the four group types (GroupID, City, Country, and ISP).
- question: The GroupIDs don't look familiar, why are they different?
answer: |
The GroupID values are encoded for data protection requirements. For more information, see [Mapping GroupIDs](wufb-reports-do.md#mapping-groupid).
- question: How can I see data for device in the office vs. out of the office?
answer: |
Today, we don't have a distinction for data that was downloaded by location.
- question: What does the data in UCDOStatus table represent?
answer: |
A row in UCDOStatus represents data downloaded by a combination of a single device ID (AzureADDeviceId) by content type (ContentType).
- question: What does the data in UCDOAggregatedStatus table represent?
answer: |
A row in UCDOAggregatedStatus represents data summarized at the tenant level (AzureADTenantID) for each content type (ContentType).
- question: How are BytesFromCache calculated when there's a Connected Cache server used by my ISP?
answer: |
If there's a Connected Cache server at the ISP level, BytesFromCache filters out any bytes coming the ISP's Connected Cache.
- question: How do the results from the Delivery Optimization PowerShell cmdlets compare to the results in the report?
answer: |
[Delivery Optimization PowerShell cmdlets](waas-delivery-optimization-setup.md#monitor-delivery-optimization) can be a powerful tool used to monitor Delivery Optimization data on the device. These cmdlets use the cache on the device. The data calculated in the report is taken from the Delivery Optimization events.
- question: The report represents the last 28 days of data, why do some queries include >= seven days?
answer: |
The data in the report does represent the last 28 days of data. The query for last seven days is just to get the data for the latest snapshot from past seven days. It's possible that data is delayed for sometime and not available for current day, so we look for past seven day snapshot in log analytics and show the latest snapshot.
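Review bot: two grammatical slips in this FAQ hunk are worth fixing while the file is being touched: the BytesFromCache answer says "filters out any bytes coming the ISP's Connected Cache" and is missing "from" (suggest "any bytes coming from the ISP's Connected Cache"), and the final answer says "delayed for sometime", which should be "delayed for some time".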

View File

@ -21,7 +21,6 @@ There are several resources that you can use to find help with Windows Update fo
- Open a [Microsoft support case](#open-a-microsoft-support-case)
- [Documentation feedback](#documentation-feedback)
- [Troubleshooting tips](#troubleshooting-tips) for Windows Update for Business reports
- Follow the [Windows IT Pro blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) to learn about upcoming changes to Windows Update for Business reports
- Use Microsoft Q&A to [ask product questions](/answers/products/)
@ -82,19 +81,3 @@ If you create an issue for something not related to documentation, Microsoft wil
- [Support requests](#open-a-microsoft-support-case) for Windows Update for Business reports
To share feedback about the Microsoft Learn platform, see [Microsoft Learn feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors.
## Troubleshooting tips
Use the following troubleshooting tips to resolve the most common problems when using Windows Update for Business reports:
### Ensuring devices are configured correctly to send data
The first step in troubleshooting Windows Update for Business reports is ensuring that devices are configured. Review [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md) for the settings. We recommend using the [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) for troubleshooting and configuring devices.
### Devices have been correctly configured but aren't showing up in Windows Update for Business reports
It takes some time for data to appear in Windows Update for Business reports for the first time, or if you moved to a new Log Analytics workspace. To learn more about data latencies for Windows Update for Business reports, review [Windows Update for Business reports data latency](wufb-reports-use.md#data-latency).
### Devices are appearing, but without a device name
Device Name is an opt-in via policy. Review the required policies for enabling device name in the [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md) article.
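Review bot: deleting the whole "Troubleshooting tips" section (all three `###` subsections) leaves the `[Troubleshooting tips](#troubleshooting-tips)` bullet in the earlier hunk of this same file pointing at an anchor that no longer exists; either remove that bullet as well or repoint it to wherever the troubleshooting content now lives. These subsections were also this page's links to wufb-reports-configuration-manual.md and wufb-reports-configuration-script.md, so confirm those articles stay reachable from the new location.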

View File

@ -48,7 +48,7 @@ Each of these tiles contains an option to **View details**. When **View details*
| Tile name | Description | View details description |
|---|---|------|
| **Enrolled devices** | Total number of devices that are enrolled into Windows Update for Business reports | Displays multiple charts about the operating systems (OS) for enrolled devices: </br> **OS Version** </br> **OS Edition** </br> **OS Servicing Channel** </br> **OS Architecture**|
|**Active alerts** | Total number of active alerts on enrolled devices | Displays the top three active alert subtypes and the count of devices in each. </br> </br> Select the count of **Devices** to display a table of the devices. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). </br> </br> Select an **AlertSubtype** to display a list containing: </br> - Each **Error Code** in the alert subtype </br>- A **Description** of the error code </br> - A **Recommendation** to help you remediate the error code </br> - A count of **Devices** with the specific error code |
|**Active alerts** | Total number of active alerts on enrolled devices | Displays the top three active alert subtypes and the count of devices in each. </br> </br> Select the count of **Devices** to display a table of the devices. This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). </br> </br> Select an **AlertSubtype** to display a list containing: </br> - Each **Error Code** in the alert subtype </br>- A **Description** of the error code </br> - A **Recommendation** to help you remediate the error code </br> - A count of **Devices** with the specific error code |
| **Windows 11 eligibility** | Percentage of devices that are capable of running Windows 11 | Displays the following items: </br> - **Windows 11 Readiness Status** chart </br> - **Readiness Reason(s) Breakdown** chart that displays Windows 11 requirements that aren't met. </br> - A table for **Readiness reason**. Select a reason to display a list of devices that don't meet a specific requirement for Windows 11. |
### Summary tab charts
@ -70,7 +70,7 @@ The **Quality updates** tab displays generalized data at the top by using tiles.
- **Missing multiple security updates**: Count of devices that are missing two or more security updates.
- **Active alerts**: Count of active update and device alerts for quality updates.
Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 250 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 1000 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
Below the tiles, the **Quality updates** tab is subdivided into **Update status** and **Device status** groups. These different chart groups allow you to easily discover trends in compliance data. For instance, you may remember that about third of your devices were in the installing state yesterday, but this number didn't change as much as you were expecting. That unexpected trend may cause you to investigate and resolve a potential issue before end users are impacted.
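Review bot: the 250 to 1000 change is consistent with the other tiles in this file, but the unchanged sentence "you may remember that about third of your devices were in the installing state" is missing an article; suggest "about a third of your devices" while this paragraph is in the diff.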
@ -88,8 +88,8 @@ The **Update deployment status** table displays the quality updates for each ope
| Column name | Description | Drill-in description |
|---|---|---|
|**Alerts**| Number of different error codes encountered by devices for the update. | Selecting this number lists the alert name for each error code and a count of devices with the error. Select the device count to display a list of devices that have an active alert for the error code.
| **KB Number** | KB number for the update | Selecting the KB number opens the support information webpage for the update.|
| **Total devices** | Number of devices that have been offered the update, or are installing, have installed, or canceled the update. | Selecting the device count opens a device list table. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). |
| **KB Number** | KB number for the update | Selecting the KB number will open the support information webpage for the update.|
| **Total devices** | Number of devices that have been offered the update, or are installing, have installed, or canceled the update. | Selecting the device count opens a device list table. This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). |
### <a name="bkmk_device-group-quality"></a> Device status group for quality updates
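Review bot: style regression in the **KB Number** row: the previous wording "Selecting the KB number opens the support information webpage for the update" was changed to "will open", but the docs use present tense and the **Total devices** row in the same table still says "opens"; keep "opens". The 250 to 1000 row limit update in the **Total devices** row is fine and matches the rest of this file.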
@ -98,7 +98,7 @@ The **Device status** group for quality updates contains the following items:
- **OS build number**: Chart containing a count of devices by OS build that are getting security updates.
- **Device alerts**: Chart containing the count of active device errors and warnings for quality updates.
- **Device compliance status**: Table containing a list of devices getting security updates and update installation information including active alerts for the devices.
- This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
- This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
## Feature updates tab
@ -109,7 +109,7 @@ The **Feature updates** tab displays generalized data at the top by using tiles.
- **Nearing EOS** Count of devices that are within 18 months of their end of service date.
- **Active alerts**: Count of active update and device alerts for feature updates.
Just like the [**Quality updates** tab](#quality-updates-tab), the **Feature updates** tab is also subdivided into **Update status** and **Device status** groups below the tiles. Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 250 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
Just like the [**Quality updates** tab](#quality-updates-tab), the **Feature updates** tab is also subdivided into **Update status** and **Device status** groups below the tiles. Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 1000 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
### <a name="bkmk_update-group-feature"></a> Update status group for feature updates
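Review bot: the tile list in this hunk has an inconsistent item: "- **Nearing EOS** Count of devices that are within 18 months of their end of service date." lacks the colon after the bold label that every other tile line uses (compare "- **Active alerts**: Count of active update and device alerts for feature updates."); suggest "- **Nearing EOS**: Count of devices ...".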
@ -125,7 +125,7 @@ The **Update status** group for feature updates contains the following items:
|---|---|---|
| **Total progress** | Percentage of devices that installed the targeted operating system version feature update within the last 30 days. | A bar graph is included in this column. Use the **Total devices** drill-in for additional information. |
|**Alerts**| Number of different error codes encountered by devices for the update. | Selecting this number lists the alert name for each error code and a count of devices with the error. Select the device count to display a list of devices that have an active alert for the error code. |
| **Total Devices** | Count of devices for each targeted operating system version that have been offered the update, or are installing, have installed, or canceled the feature update.| Selecting the device count opens a device list table. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). |
| **Total Devices** | Count of devices for each targeted operating system version that have been offered the update, or are installing, have installed, or canceled the feature update.| Selecting the device count opens a device list table. This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). |
### <a name="bkmk_device-group-feature"></a> Device status group for feature updates
@ -134,7 +134,7 @@ The **Device status** group for feature updates contains the following items:
- **Windows 11 readiness status**: Chart containing how many devices that have a status of capable, not capable, or unknown for Windows 11 readiness.
- **Device alerts**: Count of active device alerts for feature updates in each alert classification.
- **Device compliance status**: Table containing a list of devices getting a feature update and installation information including active alerts for the devices.
- This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
- This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
## Driver updates tab
@ -145,7 +145,7 @@ The **Driver update** tab provides information on driver and firmware update dep
**Total policies**: The total number of deployment polices for driver and firmware updates from [Windows Update for Business deployment service](deployment-service-overview.md)
**Active alerts**: Count of active alerts for driver deployments
Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 250 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 1000 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
:::image type="content" source="media/7539531-wufb-reports-workbook-drivers.png" alt-text="Screenshot of the update status tab for driver updates." lightbox="media/7539531-wufb-reports-workbook-drivers.png":::
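Review bot: typo in the **Total policies** line of this hunk: "The total number of deployment polices for driver and firmware updates" should be "deployment policies". Also, the tile lines in this tab ("**Total policies**: ...", "**Active alerts**: ...") are not formatted as list items, unlike the equivalent tile lists under the Quality updates and Feature updates tabs; consider prefixing them with "- " for consistency.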
@ -167,7 +167,7 @@ The **Device status** group for driver updates contains the following items:
- **Device alerts**: Count of active device alerts for driver updates in each alert classification.
- **Device compliance status**: Table containing a list of devices getting a driver update and installation information including active alerts for the devices.
- This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
- This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
## <a name="bkmk_do"></a> Delivery Optimization

View File

@ -1,18 +0,0 @@
items:
- name: Docs
tocHref: /
topicHref: /
items:
- name: Windows
tocHref: /windows/
topicHref: /windows/resources/
items:
- name: Security
tocHref: /windows-server/security/credentials-protection-and-management/
topicHref: /windows/security/
- name: Security
tocHref: /windows-server/identity/laps/
topicHref: /windows/security/
- name: Security
tocHref: /azure/active-directory/authentication/
topicHref: /windows/security/
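Review bot: this deletes the Security breadcrumb toc.yml outright. The ContextObject deleted in the next file of this commit referenced it as `breadcrumb_path: ../breadcrumb/toc.yml`, so that pair is consistent, but check that no remaining docfx.json or per-folder metadata under the security tree still sets `breadcrumb_path` to this file, otherwise the build will report a missing breadcrumb source.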

View File

@ -1,4 +0,0 @@
### YamlMime: ContextObject
brand: windows
breadcrumb_path: ../breadcrumb/toc.yml
toc_rel: ../toc.yml

View File

@ -32,12 +32,13 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which
Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\
With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization.
When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object:
When Azure AD Kerberos is enabled in an Active Directory domain, an *AzureADKerberos* computer object is created in the domain. This object:
- Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
- Is only used by Azure AD to generate TGTs for the Active Directory domain.
- Is only used by Azure AD to generate TGTs for the Active Directory domain
> [!NOTE]
> The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object. For example, users that are direct or indirect members of the built-in security group *Denied RODC Password Replication Group* won't be able to use cloud Kerberos trust.
> Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust.
:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Azure AD Kerberos server ":::
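Review bot: typo in the rewritten note: "priviliged" should be "privileged". The rewrite also drops the concrete example (direct or indirect membership in *Denied RODC Password Replication Group*) in favour of the vaguer "privileged built-in security groups"; since the later hunk in this file explains that the *Password Replication Policy* on the AzureADKerberos computer object is what blocks these accounts, consider naming that policy here so readers can determine exactly which groups are affected.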
@ -67,9 +68,9 @@ The following scenarios aren't supported using Windows Hello for Business cloud
- Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
> [!NOTE]
> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys.
> The default *Password Replication Policy* configured on the AzureADKerberos computer object doesn't allow to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys.
>
> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object `CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>`.
> Due to possible attack vectors from Azure AD to Active Directory, it **isn't recommended** to unblock these accounts by relaxing the Password Replication Policy of the computer object `CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>`.
## Next steps
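Review bot: grammar in the rewritten note: "doesn't allow to sign high privilege accounts on to on-premises resources" should read "doesn't allow high privilege accounts to sign in to on-premises resources". Replacing the previous instructions for editing msDS-NeverRevealGroup with an explicit recommendation not to relax the Password Replication Policy of `CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>` is the right direction, given the attack path from Azure AD into Active Directory that the note mentions; since the note now only says what not to do, consider adding one sentence on the supported approach for those accounts.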

View File

@ -1,8 +1,10 @@
items:
- name: Transport layer security (TLS) 🔗
href: /windows-server/security/tls/tls-ssl-schannel-ssp-overview
- name: WiFi Security
- name: Wi-Fi Security
href: https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09
- name: Extensible Authentication Protocol (EAP) for network access
href: /windows-server/networking/technologies/extensible-authentication-protocol/network-access
- name: Windows Firewall 🔗
href: windows-firewall/windows-firewall-with-advanced-security.md
- name: Virtual Private Network (VPN)
@ -14,4 +16,4 @@ items:
- name: Server Message Block (SMB) file service 🔗
href: /windows-server/storage/file-server/file-server-smb-overview
- name: Server Message Block Direct (SMB Direct) 🔗
href: /windows-server/storage/file-server/smb-direct
href: /windows-server/storage/file-server/smb-direct

View File

@ -1,7 +1,7 @@
---
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.date: 09/23/2021
ms.date: 06/20/2023
ms.topic: conceptual
---
@ -9,7 +9,7 @@ ms.topic: conceptual
In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).
Windows supports a number of EAP authentication methods.
Windows supports a number of EAP authentication methods.
- EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2):
- User name and password authentication
@ -43,7 +43,7 @@ Windows supports a number of EAP authentication methods.
- Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.
- [Cryptobinding](/openspecs/windows_protocols/ms-peap/757a16c7-0826-4ba9-bb71-8c3f1339e937): By deriving and exchanging values from the PEAP phase 1 key material (**Tunnel Key**) and from the PEAP phase 2 inner EAP method key material (**Inner Session Key**), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.
- [Cryptobinding](/openspecs/windows_protocols/ms-peap/757a16c7-0826-4ba9-bb71-8c3f1339e937): By deriving and exchanging values from the PEAP phase 1 key material (**Tunnel Key**) and from the PEAP phase 2 inner EAP method key material (**Inner Session Key**), it's possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.
- Tunneled Transport Layer Security (TTLS)
- Inner method
@ -71,14 +71,14 @@ For a UWP VPN plug-in, the app vendor controls the authentication method to be u
## Configure authentication
See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EAP XML configuration.
See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EAP XML configuration.
>[!NOTE]
>To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../../../identity-protection/hello-for-business/hello-identity-verification.md).
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
:::image type="content" source="images/vpn-eap-xml.png" alt-text="EAP XML configuration in Intune profile.":::
:::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile.":::
## Related topics
@ -90,3 +90,4 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)
- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access)

View File

@ -143,6 +143,36 @@ In general, to maintain maximum security, admins should only push firewall excep
> [!NOTE]
> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. We currently only support rules created using the full path to the application(s).
## Understand Group Policy Processing
The Windows Firewall settings configured via group policy are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes.
Windows Firewall monitors the registry for changes, and if something is written to the registry it notifies the *Windows Filtering Platform (WFP)*, which performs the following actions:
- Reads all firewall rules and settings
- Applies any new filters
- Removes the old filters
> [!NOTE]
> The actions are triggered whenever something is written to, or deleted from the registry location the GPO settings are stored, regardless if there's really a configuration change. During the process, IPsec connections are disconnected.
Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing`. The *Process even if the Group Policy objects have not changed* option updates and reapplies the policies even if the policies have not changed. This option is disabled by default.
If you enable the option *Process even if the Group Policy objects have not changed*, the WFP filters get reapplied during **every** background refresh. In case you have ten group policies, the WFP filters get reapplied ten times during the refresh interval. If an error happens during policy processing, the applied settings may be incomplete, resulting in issues like:
- Windows Defender Firewall blocks inbound or outbound traffic allowed by group policies
- Local Firewall settings are applied instead of group policy settings
- IPsec connections cannot establish
The temporary solution is to refresh the group policy settings, using the command `gpupdate.exe /force`, which requires connectivity to a domain controller.
To avoid the issue, leave the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing` to the default value of *Not Configured* or, if already configured, configure it *Disabled*.
> [!IMPORTANT]
> The checkbox next to **Process even if the Group Policy objects have not changed** must be unchecked. If you leave it unchecked, WFP filters are written only in case there's a configuration change.
>
> If there's a requirement to force registry deletion and rewrite, then disable background processing by checking the checkbox next to **Do not apply during periodic background processing**.
## Know how to use "shields up" mode for active attacks
An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.
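Review bot: several wording issues in the new "Understand Group Policy Processing" section. In the first note, "regardless if there's really a configuration change" should be "regardless of whether the configuration actually changed", and "the registry location the GPO settings are stored" needs "where". In the symptom list, "IPsec connections cannot establish" should be "IPsec connections can't be established", and the list switches to "Windows Defender Firewall" while the rest of the section says "Windows Firewall"; pick one. In the paragraph that follows, "configure it *Disabled*" should be "set it to *Disabled*", and "The temporary solution is to refresh the group policy settings" reads better as "As a workaround, refresh the group policy settings". Finally, the important note and the preceding paragraph state the same requirement (keep *Process even if the Group Policy objects have not changed* unset) in two different ways; consider merging them so the remedy is stated once.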