From ec4429308c2e11289df39502b6b744b1ac2d7061 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Fri, 31 Mar 2023 16:06:51 -0700 Subject: [PATCH 01/41] wufbr-faq-7760853 --- windows/deployment/TOC.yml | 6 +- .../deployment/update/wufb-reports-faq.yml | 74 +++++++++++++++++++ 2 files changed, 78 insertions(+), 2 deletions(-) create mode 100644 windows/deployment/update/wufb-reports-faq.yml diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 37eb5a69cb..2cb91069c7 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -215,8 +215,10 @@ - name: Software updates in the Microsoft 365 admin center href: update/wufb-reports-admin-center.md - name: Use Windows Update for Business reports data - href: update/wufb-reports-use.md - - name: Feedback, support, and troubleshooting + href: update/wufb-reports-use.md + - name: FAQ for Windows Update for Business reports + href: update/wufb-reports-faq.yml + - name: Feedback and support href: update/wufb-reports-help.md - name: Windows Update for Business reports schema reference items: diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml new file mode 100644 index 0000000000..645933f230 --- /dev/null +++ b/windows/deployment/update/wufb-reports-faq.yml 
@@ -0,0 +1,74 @@ +### YamlMime:FAQ +metadata: + title: Windows Update for Business reports - Frequently Asked Questions (FAQ) + description: Answers to frequently asked questions about Windows Update for Business reports. + ms.prod: windows-client + ms.topic: faq + ms.date: 03/31/2023 + manager: aaroncz + author: mestew + ms.author: mstewart + ms.technology: itpro-updates +title: Frequently Asked Questions about Windows Windows Update for Business reports +summary: This article answers frequently asked questions about Windows Update for Business reports. +sections: + - name: General + questions: + - question: What is Windows Update for Business reports? + answer: | + Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. + - question: Is Windows Update for Business reports free? + answer: | + Data ingested into your Log Analytics workspace can be retained at no charge for up to first 31 days (or 90 days if [Microsoft Sentinel](/azure/sentinel/overview) is enabled on the workspace). Data ingested into [Application Insights](/azure/azure-monitor/app/app-insights-overview), either classic or workspace-based, is retained for 90 days without any charge. + Data retained beyond these no-charge periods will be charged for each GB of data retained for a month, pro-rated daily. For more information, see **Log Data Retention** in [Azure Monitor pricing](https://azure.microsoft.com/en-us/pricing/details/monitor/#pricing). + - question: What Windows versions are supported? 
+ answer: | + Windows Windows Update for Business reports supports clients running a [supported version of Windows 10 or Windows 11](/windows/release-health/supported-versions-windows-client) Professional, Education, Enterprise, and Enterprise multi-session editions. Windows Update for Business reports only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions. + - question: How do you setup Windows Update for Business reports? + answer: | + After verifying the [prerequisites](wufb-reports-prerequisites.md) are met, you can start to set up Windows Update for Business reports. + The two main steps for setting up Windows Update for Business reports are: + + 1. [Add Windows Update for Business reports](wufb-reports-enable.md#bkmk_add) to your Azure subscription. This step has the following phases: + 1. [Select or create a new Log Analytics workspace](wufb-reports-enable.md#bkmk_workspace) for use with Windows Update for Business reports. + 1. Enroll into Windows Update for Business reports using one of the following methods: + - Enroll through the [Azure Workbook](wufb-reports-enable.md#bkmk_enroll) (preferred method) + - Enroll from the [Microsoft 365 admin center](wufb-reports-enable.md#bkmk_admin-center). + 1. Configure the clients to send data to Windows Update for Business reports. You can configure clients in the following three ways: + - Use a [script](wufb-reports-configuration-script.md) + - Use [Microsoft Intune](wufb-reports-configuration-intune.md) + - Configure [manually](wufb-reports-configuration-manual.md) + - name: Setup issues + questions: + - question: Why is **Waiting for Windows Update for Business reports data** displayed on the page? 
+ answer: | + Typically, the **Waiting for Windows Update for Business reports data** message is displayed because: + - You may not have the correct [permissions](wufb-reports-prerequisites.md#permissions) to display the data. + - The initial enrollment may not be complete yet. + - It's possible that devices aren't sharing telemetry. If you received a successful save message during enrollment but still haven't seen any data after 48 hours, try using the [configuration script]((wufb-reports-configuration-script.md) on devices to ensure they're configured properly. + - question: "Why am I getting the error `400 Bad Request: The specified resource already exists`?" + answer: | + A `400 Bad Request: The specified resource already exists` error message indicates that the service already has a subscription and workspace mapping saved. If you're trying to re-enroll with the same configuration settings, wait a few minutes, then refresh the page before saving your subscription and workspace again. Sometimes it can take time to register the save, so it's important to not re-enroll too quickly. + - question: "Why am I getting the error `400 Bad Request: Identifier must be GUID`?" + answer: | + The `400 Bad Request: Identifier must be GUID` error message indicates that you've provided an invalid or incorrect value for the resource connection ID when making a request to the Log Analytics API. Ensure that the resource group within your Azure subscription is a valid GUID (Globally Unique Identifier). + - name: Using Windows Update for Business reports + questions: + - question: Why is the device name null(#)? + answer: | + If you're seeing the device ID but not the device name, it's possible that the required policy for displaying the device name isn't set on the client. Ensure clients have the policy configured. 
+ - CSP: [System/AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#allowdevicenameindiagnosticdata) + - Group Policy: Allow device name to be sent in Windows diagnostic data + - Located in **Computer Configuration** > **Administrative Templates** > **Windows Components** >**Data Collection and Preview Builds** + - question: Why am I missing devices in reports? + answer: | + Here are some reasons why you may not be seeing devices in reports: + - The device isn't enrolled with Azure Active Directory: A [prerequisite](wufb-reports-prerequisites.md#azure-and-azure-active-directory) for devices is that they're either [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid). + - The device isn't sending telemetry: It is possible devices aren't sharing telemetry due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script]((wufb-reports-configuration-script.md) on devices to ensure they're configured properly. + - The device isn't active enough: Clients must be active and connected to the internet to scan against Microsoft Update. Ensure devices are powered on and have been active at least once in the past 28 days. + - The workbook has limited the results: The default limit for rows in Azure workbooks is set to 250. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the 3 dots beside each component. + - name: Template + questions: + - question: What is X? + answer: | + X is awesome! From 74b164e53d0f0c8102c91d09525419d3623e31d2 Mon Sep 17 00:00:00 2001 
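Review bot: In the TOC.yml hunk of PATCH 01/41, the `href: update/wufb-reports-use.md` line is removed and re-added with no visible text change, so the only difference is whitespace; if the new line carries trailing spaces, remove them so the line drops out of the diff. The entry for update/wufb-reports-help.md is also renamed to "Feedback and support" here, while the troubleshooting link in that page is only removed in PATCH 04/41, so the TOC label and the page disagree for the commits in between; consider squashing those changes together.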
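Review bot: In the new wufb-reports-faq.yml (PATCH 01/41), both `[configuration script]((wufb-reports-configuration-script.md)` links, one in the "Waiting for Windows Update for Business reports data" answer and one in the "Why am I missing devices in reports?" answer, have a doubled opening parenthesis and will not render as links; use `[configuration script](wufb-reports-configuration-script.md)`. The `Identifier must be GUID` answer names the resource connection ID in its first sentence and then asks the reader to check that the resource group is a valid GUID, so it is unclear which value to correct; name one identifier consistently. "Windows Windows Update for Business reports" appears in both `title:` and the supported-versions answer, "How do you setup" should read "set up", and the `- name: Template` section with "What is X?" is placeholder content that should be removed before this is published.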
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 3 Apr 2023 08:39:20 -0700 Subject: [PATCH 02/41] faq-7760853 --- windows/deployment/update/wufb-reports-faq.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 645933f230..75bcef6706 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -10,7 +10,7 @@ metadata: ms.author: mstewart ms.technology: itpro-updates title: Frequently Asked Questions about Windows Windows Update for Business reports -summary: This article answers frequently asked questions about Windows Update for Business reports. +summary: This article answers frequently asked questions about Windows Update for Business reports. sections: - name: General questions: 
@@ -67,8 +67,11 @@ sections: - The device isn't sending telemetry: It is possible devices aren't sharing telemetry due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script]((wufb-reports-configuration-script.md) on devices to ensure they're configured properly. - The device isn't active enough: Clients must be active and connected to the internet to scan against Microsoft Update. Ensure devices are powered on and have been active at least once in the past 28 days. - The workbook has limited the results: The default limit for rows in Azure workbooks is set to 250. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the 3 dots beside each component. + - question: What is the difference between OS version and target version? + answer: | + The word *target* in the data labels refers to the update version, build or KB the client is actively being updated to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running. - name: Template questions: - question: What is X? answer: | - X is awesome! + X is awesome! \ No newline at end of file From 58016c382f7d9dfa5b43a72bcc730fdb96ecaa7a Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 3 Apr 2023 10:13:42 -0700 Subject: [PATCH 03/41] faq-7760853 --- .../7760853-wufb-reports-time-generated.png | Bin 0 -> 27705 bytes .../deployment/update/wufb-reports-faq.yml | 37 +++++++++++++----- .../deployment/update/wufb-reports-help.md | 16 -------- 3 files changed, 28 insertions(+), 25 deletions(-) create mode 100644 windows/deployment/update/media/7760853-wufb-reports-time-generated.png 
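Review bot: The last `+` line of this wufb-reports-faq.yml hunk (PATCH 02/41) is followed by `\ No newline at end of file`, so the change strips the file's trailing newline; restore it. In the added answer, "the fields starting with *OS* ... represents" should be "represent", and `OSbuild` and `OSversion` read as column names, so put them in backticks and match the casing used in the schema reference. The placeholder `- name: Template` section is edited here rather than deleted, and the context line above still carries the broken `]((wufb-reports-configuration-script.md)` link.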
diff --git a/windows/deployment/update/media/7760853-wufb-reports-time-generated.png b/windows/deployment/update/media/7760853-wufb-reports-time-generated.png new file mode 100644 index 0000000000000000000000000000000000000000..1a51e83b84d632325271fcde43aca0832ffc9aca GIT binary patch literal 27705 zcmeFZXHZko+BS>@P!JIi5drDaiy$I32#7%FJya0_B2DQnL{yp}J#>Od?+|*8f=cfY zIw&0i1QJ3Egg2h^oSE-D&zW!DAK#yE=E+PZvv>C1Ywxx1b(ib9){4~Ac}_!hkBW?p zj7CFU)qsrbvOO8urLk)iq&<<3uWplmE_oU}S0<|%WZfifTy=b^{gjNXI+ps(mYlSG z{f#=vlZ=cl?C6tcN^#a_E@QC_UruoK{X*^Z+_R|VRefkk4jxQd9rh2y| zY!sxd5(o46c*JuYmvBdugI?aIiyDC9EoLtHPq*mk=;EC#ra+mE1nvK1N=QzA zAmxl2mmXU@-}ODkBl<*Z);MHavY|v!_(^u~sRlCmXx?|U%2vf`uCZE*l8!Evimm&x z>kN-}`lISkRAMjtP0(yI`&#XT0j5u$$FRoNIZtk(s*^=5G+~0qWdf?}m~SCh5Do+P znpP5kdC#Km7!(`uI&1#PL}RWu-x^<>kf95@7Rn#J-zBZe5uKlxw~<^mm?b9}tv_t# zzY6o{V)NZ_zA<^PqKSIxKx3LPCKk%7(<^2oCHTq3f45Ends2zwC;!eY(~pi9<*1Ki z%>7y$*LJiJDEm>$b!J?UQ&5rRu}hpv_)U$j7`F0+8o7o=24r{Hy07{Y7`(Es;F$Mk z0=#12ta%@hoxn(`3Din6#Exm>SISd?ydCMPp>HkWfj%i(5k)-gik3jP<|)Af+#99) z_X90wbfS}ejliCgYFIYd`!n>2$Jcl-H&smqB*6#p(Y<*D}Y|y`+lC=oL^vv?CW!YhKEqNX`SaF`uPQn-)h=Nz5 zZucgDEfX_ZyYy*dA-_k^J(-ih-HaBM<3Daxl!+IfO2JRibpdLMgq1*0;3LeCL5LzN z-+*bhnjz_Fvg1G`mwA~zm9kS*BL1bM6vN)yR8<>&r0KKQY+ zzH#Z3(1EAIx`-Y8pt-oPf2iu0fIQDhmn{WJr8e7ULLx1+5WQZ2zp44fxnCd3 zji*RaQ?D!VUPTV*Y94_WnYi*Cdf!`f|CIDkbouf2%;u{qIREw^H%5CTYdp7O;4AbG z@_@sK*Cf{G`Lr{lVJoce-BJeZExK#a48yZ<8N2p_-F%{%J{mb(g=t%NOQEjY8jnuI z=9-&+FBKBO_hltLU&ACwJ-ZHW(1qbyF4oVjYP{l9Q$*n#x9`#7*E16$D;?BVmQ=7~ z-gP{#mMcx(c0Pi9(z`v$bf=Iczc7=rpXshar^DzKXqL--*5Qe$c+k*Yx9CuqOoOAF zK?AMAx`x9683>D<%!k%WNeZM%APZ#`?GnrPJsVb6!}DfUww_ol`-BVvE1PoIeD=No zD!#u-Y?3sr_#7Fpj(ed?xWu&93^)!I&OD^`-^|7QsJ7bgzpim{RD)dsEDE+K=iA)u zKK32zj$Cug% z#c}8=5}JeFPM!QdKkdAiCb?N$b*l5rxndwme>tJ^Rfe%TvT`!?dbDU!kYOHAT~9pn zj#QErSq@#da3E5F!&j>(j?jLq2?Ou&v9lKJ)UGN?5uvN0^7U-0_Lk8YvC0Zx!I{G> z0}pR3(i$fz-I3YzcGon8_S|eT$y=5*q5h7(GG1vQs6*LMo}z`nvdx2SPs4uirG<1_ z>X@RP_&jWJXlAh6y0JSx|8@(~YbSlutQa`3pG@xcb6~XPxuHy+@+9kpUYPjd 
zE>2>7tZ(J8-Ivj#NJE#XFX3MCAS>p6-1;~>qMBhe@07vG08{NMagM$sv3;WA(UZ*u zHqQl8?Q;Z_{qPFXRm)-g`A~d2j(lrsb9v0OLW*D)0S5}F(7kzF4=CP+&@_xiTAYghP)gdJZZ~6nrq5o>~7W3?49i5 zUFC~4sxZ-MCgz-hn#Ic<+bMQALyd%G<$oD$j^2kVnHlF zv|9;$JyQ=F)gH*MTrG8BEH;?9vDniqZPLg4Rwc{AbsW2RjLsVEDD%y#vljX01Cf0; zQ}XsBl?wZEDzv+>5bIu9?pvyK&AyQ$%7!sbvA+GR^2;B%U?_4xjW%xbv9>8xPfGv0 zk`?#X8irBeJjKk4`Z)L5{52-~aTpOI*Fz{S5E3;sFnIQIMon{TDubtK=fU)g0d~U3 z6VPvqZ>Ot%Gqo};yC)@x?yG6S2K(d51(R$(Dyk79} zb2et56Q{HTP5q8k)BYb9JsH)-9<**8?Qd4=c7C2L`BQcA>4&NDbO+%jF;9ikWq%b! zc@`=Ddf?Jp7#zUY8}_-f?_C7>DB*3aeB0Z^qaZC2-rTPI+jF7bPBf95IQ4cthmNU` zu=CZ*dADn?r{+szRy!*ldaHsu>84j?1c26kUYUyfIGZwvVn)DdrF&lM@sG>v6)Ijr zr*M627%HhNy$JAleBfRUdb4RBzCp#BVy}(U(6^l;hKG8Z+LoB_4w!I=<6ih56^rks zQVmMSg1B%2KCtP{O$mav6eg8ND%SO>3Dbr=-qX`F@geq)G;T#PFonOMR0%O}yLu>2 z|B5g;i#P2Fdw3IRfxR)=`#z($dsRv_rAa|F1rgemyuc14u%^jAaO5KN8h-HY`AVLa zkoZXFK3*$6g;G^x)8Mu3B2V|_Aw%qRfcHG|q-y*AQDff9iu$LS3w@cy)f$?GMcuv` zsBqhT-DFm@QV?!5<`%U*thdLmEtj`u2sZixb14!cs?uD*n&Rc`5i(9Yu~*L218Ivo z1gGSXUHs7AH!BX7(HZ5tDEEt>J}P2qh6J^41{+@5fZInxt{`7b>_vC0dxdN{5j|35 zs@s~Y!M}PfigLr8*i3uX11En6a`QB0`I?8I1I_KNJ0=6D+>&vDB}Fdg#DxghO5h-$ zAGwEK4D54!mkrTOQPW@JbW)FVvj>DNPETn1&5rdlc*gvtu#JP(NJfB04ZsjukgUzBtbP$xxx*~PSP z&_mbCTiv*5k9b^SmyN9(Kl5ZN-uEEx&XXL|(?{Vk+l3dJV{fs0D#Exrv96 z@wsjnTwuy=J-A+S(t`}5f{L}^p*Th1YRXuC-p?IxFgl`HV!Qbhwk4`eBVQAUydN*o zcFndwg0)KZv6}&)lP))J)2=CJd*(aC1Uuu#ozF==5Aoo2QS|Srn0;Y%s=s&Ar7K)* zAx`TzPaI}lHr>p-)ym^C``HjUm* z`8`z`Z6Q8sYtYBpbyo)PYy0=|iqPi^9Pi0;mC=Tc{>w*f%IIVJrjp&dgr>g0JPCjS z05@5beMCEv%4cX`Xv|}Rq{hNm?xt0Zd|YwNU&tg+DAD-}F}~*C;FFlAS(gRHE`M z&yO)gyS3?{PEhBK!e05naqf)8S41R1qV6Hx)bGuHiT$9p)V)pOv^J2up(ZGa3L zG|uzd_N{zWV)0ba$n8Pa_<-6?c39%;-s;3-(wN>G({EDMMk{PtHx+m=HeHUDO0M8H z{lZu#ocw1+?&N4zFsUBR1+B1UT+QiFTH-984vao42j>|T&uS7;a;S8QOZ9zY>gGR- zxX-64Kp&>tZA3~Niv8{G$+%U@@Hu{Prk(svo>Px$O3Fn%;GTWV3QN0C6wbD&$z<>r z(YnjZDZmc?#OG8t*UDkAFpNAl{nL!bOwSWXU%W}8#gew<2c{lX9OWn8GA{ZhMLz5bdG6m;`3KU|yw=4>1f zKUJY4s(|pGUh#893v${R%TleJ3WnS)+4^{~6LMZgy#~(ObQIG^lf2pbty3dt(9XfO 
z-lejN0}MlPhxq06=IYYLfSs>co7@H3TO2&JDKMEWU)Qj6R)=1lv;BuNwQvN(B+TXp_iLqCfgOH$= z;jU6JaNf)bAC8-~zKZw~)X`A&+9;u`qD8&L#&rJlCPLFg^y04J+FX}?`%YM56V4fu z*!RPVZ`9IR@a${Gbh=0Z=GJuDX)2H7&G<_Vf7Wu>qR!0e?<|ElW8|NO>OJ<@zIHNO z#3>j}uC@8pt60_KZS!YKL1~n%$dJeaUv?=(;B1$tud&O8kX>zfF=C_#3HqYEg))9l zI~#v=cU`{$ZiyqddP04ua>_1VG0Oy%os~b||5!~eq;^WXAdq{`zK3~Y9BMMlPA*uh zW>rqS^;z$`AK~V-wJEtc{<+7>bHOjXyubn~XYcdTTOCsha;LqrYzYkDS62$Zd6oaj zo#-ojPLn8`B&b{^%Z}#_E?#VQ7ZWMa7q}}cRl<*yLt{08=PV`NpV!%bjX%s@v{8B~QIpw=&^M|In#HSReDeAJLwzMI${hvm5xEeN}oI z@!{e))TrFN?xhQ-P^nyAA7$t1^uPju+NgW_Jzs*41u=uc5i~ zfPG0TzrJqOP8?R%f4sLOl>apMRk4wB``3pa->yb3=DUr)VjCsLugn}xJW(XeSr_NZ zw`#f8V_6iOF#CmFiM+PCSR&ZApw`(!+9qPAI5^ufmw0Q0kBj@6L47frW9Txsao9ou z@mRfwg<>e>RHdcjI>+nV^QE&`kwrrIP*jvhr}|ViK*eY5?#bSHwTG@U+vb> z?1S&;WXd(y6v-*1GZ(lkQG4R-^};T@I@&ZlA=MzC$DzYQg2y@fk^7dF&SV}6u~IxI zs`W-8F8|DTUB+8C`F8wP_(lt+Ju&w=HDO$LFGo(F{+BF3-iGWv1yL!boYgnpk#9Z^ zIaz3(!-M-1{f~uMhOJH)uAPU3TxP`Q5ECg^huc-!|Ae0}ZZ1)Q1wU=uh`3kw(x?jz z#l%UE#`Fjjb1({(ZYBc-jr7px%8$3@c?t*3Lj7IhS9t2?*0l5UjT3Y?9Y$-LWPRL; zh7Qnlf$&ixFSp~GqOb4Xi{Cr+jH|>TN1+q931NRb74Asa*jG$`fkSIk)ppqPqeZlH z)p1h%U>mx3_{t)1JTn)uIeTR^@Z4#-R3mhI6@0?`?LvNu$j)3TOAAR=0Ve zS!247ujhxxHC%zvFT%Hrgb=*T$#)_rnS0h0^_ab${Y7A7MOlQ{t0F#UwedK)@iite zZ9mR#;T&p3VY#DV%@3vN>NPjp_4{I1)+?=JAk98Iyvaz{WvlVo+3JH0qWagEO&aK?`Mm}=_{4{ z*mrV%oqn|KZgExK#n}a<3OCFvYCJA-KCd6mA8*oIKbZK8o%!+#qjG+n_4QYq6&?uw zU01+cRdIlam3}`}l+-Gjy)gFoesTLkq;KhC#c0PjfXxTJFsNx&lICdWhw#N^`{w`) zG@Wv61^(b4wOv-N5(LJ68vsS`cl}@$MFvds;qQ82p-Ol)0d<(cJQCA&N+ zcajfm4Tc}AI1vteTKzjyhj)B=!9g+eyseKDj)#Ez*;a*8pOk#sVAp)=Uebn z&s9T=;+^a&1U;C<&%>VK6HTpIIP}+V{dyN7tZGzZr1A3Q%L5e@rkzmX*2Z5wJpW2T zEGPWAB)FT!5gl;$*|4ijmjK5OMN?om`bS2wtoJ<@8r-v6af5QF_d4ssoMT9M{fAvd z?E({Mx@&B8-6m??MuFBh#mZ7sN8a1*LQ57d00aUPv8#PR63&lDN=N8+SoutYQLL(t zDOp(}gd@ykXUG-G1C=uxmdC;el6I=9UVk!8IWn5JzR0Hqz02vR?U?!}qY!!_EqI#ZpvDTxQ1MMIr$U9=APX9}LubTsTO18w#d?5-UgKLV#o*j|8jR8@IL{mK8qc*sJ7 z!v4v1{5ydG`tj>C%gGI9x-6z(TbGgFK%cC=Cvc=vS8@k?`x7>H6TxCGL`@CuDgpuS 
zGslpKk%$fD7b(1dS(U!K-G8?&e<`VvIFS{J|Ke6)jp3)j13<5~DiV|r%#Ev* z2r0X2uF%w0=9b2jYhgjIdi$`VacSxRHyxUr^^aSwF?}P4jp?BX3m4GHJ>%pA-7PKFv}AIYq9RBBrOly5t>$rqlfgxe#oc4Z-Pe42MH(NlFJ;7mZ)nm2D1C@H^W94@ zz@810?Cx(p*=FRsW(rLocGe&G@}u_hW4eZCUD1XBu@+^~>Y_yf71@pDZ{p8X$=@o( zov({QVGo#hz+;OgX1qUpSQ_DjTSA@yrEl1q3l(j;_L|{DMA6`KJN5{m9tV$aUYf4E zZ)b6bF+=WVAIU_(y=3o zIW2PMTPN(4hHe0BV!7qv+i~Xd7+^c31~rCd-|Bk%2i(3oGs(w}d=QmadEjy5%sbC< z=&lB&jbEfh#=tSWfnZAenq}nuhn@4bnF`nTHCFGr<O6RyRf?wd6{-sOvm zAZt?q^+GlcdZugWy%Z4Ttl}kIh;dX+DP0xOh6T{ZB;UtpGNeM=bmbSwE8wF~3yQMk z7Kid|O79gAwx$aq^3P;TvcKy-Sl7u$^v-U818e7XhJ*AW5uvd)LV4&LE%0ZDMDgOm%GwN;`HkIo#82m`Avk3oU zX)-ltmH$9mJzpIzFz*q8C1&sByVAn8id^}WKP(}k}aN6w4asR|8^WL ztF*S+oSvalD}UY>SP*r)+_BwpdN>`%3v#6Xl~xMIAKm~xn);|wn+FkU@hNp;hYA+! zL&lq12`Z{c8f2PMSVmfVj_cwo;ipTuQeLp6oQ|BBpqKx}<;N;?aA1pG*`4$&l)Gxor@piAWgqNKO_^u4cE+BpbFyFUk0=yPya*80|E{%C zKZSE*lLNd0_2O{3Dz`e;eWvTW(tDm-*hD3@!KEH@Fy8d;ODkVUMbYcOXwzLuixe33 zDFd;a*HAI%8EvH7neUg`da=}hq&qi(wJMnq1S1i?^Y)_gyu~9P#;*8wJY!n*-BM4(nxLGP8bE<{9 zubU479dLya?huMzWb9d*aau8?C0b0<5?}Bag_?RvTeB5IL~U(c*WZU0<{LXYTaq8N z3qGn0K9KO|I?emha@)Fkh+R8%DG)Af%H}jJG5koXu0Cx|{2@neGPt{M%vx-QPfBwC zxn&aZ{5=N@KZ8yvvG!!Lbq}qHEEDmr7fW!ouJMk%hr(1zZTY4?7lCZX74pJ{;^<(0 z6_gS<7?U>9U!6z9IQ=(TjEGH>!n3L#CQL7Hb$<;n6a5&zovqc0v&P~1MqB5vE_`Q6 z-P=Yj8?3Jq>z&p(A-JlC&8(7TV5XPp3(0pivffEJ^KYAiikjPIrkmxW_H%+S!ngN> zk~T|PYA^z&a)#O&DcscinPVq<(u82aJ%y2(mWpIh;VOH1nG?AL?QUQTYa3o0cpuJS znA3fz)LKbkEQdzv^qnadSki?0F90X|_FefXaB=5ZhOs?>_5mx?MR(nvLc=zzR6h#p zp@F&|kK|hlP*$&e&&sle#=Kq8S88|NY}#b^>T&@|OJ_lOHFKVCz|QiMK4!bMQUi0- zYqeBPOd1!Dr=Py6{@zJwjF}jU=<*u-^C#HZgUpY@*|NpRf97!Fj!GHX2Pe<_b0Q4= zkMN#weT-mndA-SGlm;yFka8{SeQdT#?t0G$x+wcNSIFA;^LOJzPD4JktKd@f+ZQH4 zf2H$kTYy9P?hZFy6y>SHIJ8v$^s6BBXOdkNJS1vcAXf1%r&!nW2eNbUdYk9!_gD3q zbTF^80wR6H;dU;5TM_4m=REv%^x%o z56?Z-L|q+|$Phx;^_&uL@0q@d#ZTkJ5=?Y&uXmoQs@iucsofUU@;x)KIPzYjPeYud zJdcU;jtdymQVw0!3*o-7rXz6x-H1C)3rW<|p|m-gU+$}FL=S8HN6LEJZ3?XM|4d!~ zn=I(xQ)T8W%>OT0@Bg0qUy`W*?WTVfLjP+L|GzVdsP4hRLo-a>!GRZ=jWpWntgfA0 
z{yXgHtjx9%JbxvB|FUnaH;AO0Lj^qls|RGdZ1Ep!;r}m9AbB7Ikdo@-$}6yWrIg3Z z)*^6m5_q^f?+hbp9QB`2Zz_d-8(G~2024FZ##L$xr2D>vTv?fQN7k+JD@NTBO^WAM z>)v1PDo>yuf?n(^rgGjO91g2|=-~QDPe%u{w;fSF{QUv4f)q081zfm?vC4X>!?X9H zSlkf6!Z7OjufrQM0oz4VK7TlQ=0}@XqlW^SOj+|LOm-O75+=DIeY^evbnQ16Vmzt0r@7KmE zCyN({rjQ%Er(;>8rH-_1vAOJ!M?-HpxwyVk3khFle$S*#t~^SKL5dAzNT&!@wi>{* zAF3#xd)4u@9w*#aB)F6dn~B>fp7I+n1fWHjWjylA%ue9x$k4NZ)7rY)8kUDI^M3sL zrMb-F7AL(B1l&EvWv`wv!BaG0LVeH$f71d0Av5U{f4j=jYKldk z<-PD6QSy(VyupejIP^+>U!aUc}iMrck!X-Dq5DZN<(oe$r<{+$xY4DAkv<@_uzaLvy`&FfgfL$->p97)^>+uPI?7YuC@%_UxLq1o1?JvzKbJ6dViQJ z8x{gcx&XriNe4_jF2-f5%6h?X*(M<~Q`phyxWugbtFgsOiLB}7dPM@@Oz*Ml9KSpA zyk3eI>9N||bF>I4R2hLQ1ls?KzDPVL9QEXk#I;R&rb3Hf3&)cNk+JMtlQz({=)moVCu3Q@ z8&wANE;3EqqkSuB0*U!nvyTzm-Ol!avm4)6>)b_bUV~>dWvXI5i?d^kda)&cFIUkd6&GpNrZUH6?@0kSs1FWRFQ>#>O*LCxs-kgyfS)5I3pd0+3(a?YS_W#l9SLN>h z8M`*pJy9wCyM$ag?=pzw$I2`kbab+0!7x4k*(%$%=zB8C!Dsu=OFxoY8w?c+DeIeu zCO?p#PjyWF>%JCRLGUyQkk9U%(}4eO%zc@!$x_eE7iToZkf5;)@F(-bP@m&HTQ>9d z<0b0SmF>swM9YAGxqClb`HH@I58Wd-#M@;x|Baldr;W_1F?NJOxr>ppv)KK{x3QZi z?IZyX1r6($*y~|kzhdHP0a^)zS+bj}gv!b59a9Xk0MYCqY-Dtxi?B)>^}@*z)PD3w zB` zTMkBnt0cFzu{=}k>Bubq#2T3`Zu`|`rdET9?dCREFDYFaXh`l!n6ybLo!ECfd5MZ=$a^!KY`SZ&6lOIETWe-U&%aL;e zoR)MD;x;W4eAehTz^r(N87+6tbXz?gf)dLut_*+0b$51pZD9T6u`|wr-laY?v*YtGy8&sR&r%=VW%4>re zV&|tvDLsh~G&<20iM|UEQ{O9J``ng)(O{=%>JToVuYV(75Me+XJMHKUcAhbrfB(^h z1A5KFbG?-ZN>boAq)RoOIDlG@!3sOa)pny_e~Ms7N@DXJ2F$VF2^jRP#5i#a*~Pbo zaHKD00gL?_+Pq3F+PuN#fAN85bMEA(|5+p-UY-FC=fJcz80Z51_IaI#zl8MLR4Iif zx5xCI{vlw%r?s1-#fFaa>AszxrMtxd7iB5zTCcvJu4T9eu%D~E)*mke8HUT`8f}hx zjA=_}O-caoSvn^2X(!FpIiu0nC)IamyuC;xFQeBHjq2;91#pQy;MqVoa_CI*nkS85 zBk$+6rU`g<0e*QMVym#cSA8OU}| zuC0BvIlKPU|2J`=8SgZ7A9M8VS(4yi=A=24v%t#Y{05^r+o+M*Y{iyNrufrcBF?H= zYNz`Tx9kfm(#RRD1xe1khP#bffm&9Eb5s&4P!FLCmI@d0_)l()c3Tgwm(SKF|IM@p zGi7q$|FIZtvoK`_1ZTq64>rdF?sE?#+7}M%SOFDo%?-72qk?mm&~tp~maMQ~?T?j} zmF{OuHuf;Rw>|xHoRqZp696Phi-2iGX622^cQQleZf(XTrj?w`iw+x`Ay2GQR8@@- zAH6t)qAe^MlA#ytY>UIClMumLV_2Ehg1C1ljkKob*7Ihm?~O~nLg3w2|8`lw7@8p~ 
z^7kx%@_Gz|aJdt^nsql?8dAhk+>s|HciLLb;DmL+6$-&ZFsIiYM)Sq00ZLl7T20lP ztWUn!lo~ZDBTq}sa^6#sO@KR3X=F1QDQmZP<_RC9)-cbbf@3iWK-m?MuA z@3V$GS=#xUusl+fC8e;!0H#}ldvm(^y)ZBJnMT{(%qQ`LDk<|`M64sFB?<$zF{Tv8 z!Px!kCVk)I=jK)%+SvV2*M=BHAdpD6@=_8pDrIU7?t>+^w0MnV7iCJW^Ui;buw&?d zQ-Ex?-!VUN8*)>KF^$eWYq&Zzodb3uh3Ixq*IrZwsMNy96mk&1y@<4NYus03+w*nY zLFLFQC}>OgZV!78Qp}&8rQhZHy2peHDFgSJ&@-?IeJHQ=YeXJFPAS6IGf2I8(c|Pj z)^Y^j9o;{?c{+_C1zEIXz|!(EnB+$fK1}#=Tr9_$f`I+BmmH_6!oAgBPhjty{|Pa* zf&5HQM<*wXtVRuF{0;xj&RYh?v?WHxT%YerB_oM=vD2r}LhwY9z6!<70QF>1E5U|R z*MZ(%?1Y%QL$IGseAO_knmD!XcaekM8({gYT55Dp#{) z7er%Y?g{V>a*F5R>AI$g;!v1SMVv`PeR6HN1->TO@8^?VDDchAH=?MZX0>c|3-N%D ztzPdip6aEa5`dHQ>3vdiiI)u9dHK={xS74%s&WT;hOpF+Se|HoMtvR<4_DZoV1LO; z>L|wetgNg;|GXz~tFOPm@olQzxM;a)bWP=Z*!oU^ZpMSLY{+gaJ3YW_?+X>&c{LX5 zqR-WFmnhQLEjuU@OR8noqe6tEIpSy{*~?m_v;DB_9`oLlAj3g+^Xr9LaIO^VfXIFw zzxeDK9K%+~w#|jP;B5PX!{^BHB9IEjjk~WtlM>LP|EhsOQ_#QJP6Yqle@FDTfX*!cF zem;&=dAT}Wxwj>6^Tngm%m1-MsyXoY$!OuvHL;5=P-I;%*GsrDa33+`EJpk4M11kA zdJH?X)9BVVfRg2EorRlz+5BGNC?`$6Q>tjP;F;8CA$@V8=iI5tv^Hg>H?=Sa>Gp(| zf6oLE9uZ`;Sq*wk6Bj1+s(<(&T?U1oj+PuCd4i3^RX~~j2Yx?3 z{OQ|FxWCTCGd>WEn#{_tkrztaDL;|#Gm>&vl$x)eGgAbrjmO3}D&dN;wrMJDtMz!k zirb4m`QGN7onyY$gYYF(mZEE_y`oEb;Ok~D zwgku6%R00^Z9h0`c(6cs|EGlXc8^eXxp=x7T!rq;PxXKVo3u~1LM8=f7?lswFN$41 zHBj9q_#gU>+6T1cNZekhU3URHYSa|a46v@zycP8FPHf=mN(W#=!y%KVE~fDf9<4aO zSeFO`QetArISK};ReXkm3Z7BQB~AY*-Lr2apW9}Um$$rU39tc(g$A=jtpY{3$3^pu11*@OiCvNo-e+wD5*uX){i%)xC9@^0N;bl#%a z=Mu(H@D=9tC8T10yI>;7-(t{6$$G@8S&)`(VNc31Yk=(FF)be6h33wG`nq7}Ns;sQ zu8l2qrz7uzpdAq-LdBY)SY*v}%@1IbQ~21BN{W>h*A!IloawEhF9)dFuek&U?JsQG zl~w(=GjA)?&kkA@H2UH_K*gw7e=;hGQ;VjECpN5l`5%UQS?u-h`~o^3Yd&&Kbc{K0yp$-sg^bP2h}N?Y}hgLJv2$h z>tD)$N}#AumShFS=WuhE@4tCbKfMjf>_3w*a5$;BB=n|KDeLS_fn{M|crifu*2Y_x z@FM4LUf>ev-@vw8f8P`DX-=@s(J=07M@)I&$by9J@3b-|E?yDcH-@aeV}%3sPtoa8 z733wDYeObdN&VqF--Q~Yq|`!13fDV41`-asA7R=d(;yT1_v;0Ei^z#G@xeOl{ZWzB zoi+=`$>5@XEavOBgi!(1wJ!6d!{Y8f?a9XbAM7_z?Jpg z;O*>dCZwvQj_w@;ixlKY(9<(I<&fn!}vXbwf;YdVcxRi^ldEFSiuYG!r0w 
zGs}+E`(|G4`2%?Yf0blUe$BEtt9lQ?%eocqHudN8W!b{eB&-Q{1!WZR3b#mS>h zhRyv3-=*Fjewq`V5sy!O1Pn6|VK~5fWXW1|Q4k(%$r=)pA6bOeVz?IIJx?N;r z)VQ1r*Q((xo{bbF*Vy_|okQrCIK``{8pf9{mFwFm2yL09&Pvn;rQS$PTYCG7*;Dk$ z*@{}+=EJMm&J8oi4n4-DVToj}hw%5!JZ;kGyGT8l(2+yA?c!C=E|!BTwRP{(^AtLX zzO7Rgp+(_y%dBFiR{>S%Vr->n_C*KoP1DmK2+PpwWAFls-T7Pino7jY+eI(?Zn*0D3#anGtI$XId6#uw=(&%># z-2NaG6Z|LbsKa9jK8ErW=ehY)q5s}X`7z|dokH!;`!}=?+9{*g2iMue74%LJ$8+GP zUrt_tS_LG%ll{X^2ZVMC0!PQ8W3$t}ODUVD0l^CM*$`sRYte6rfxtrV53c7Vr2|?< zJNyO8usw4(^5JSbWFXYFA)A}V`#@q`!nLnAP!Xp?%}AWo+HGHf1rD}$@jg#kvV4Br zYggblk?-F(;lDSirK)Nxc$rh{+~7#yZ{1zNqnTv;Fim2-(it(lmpQbpt|2<^`SR(T zoXNicXT|Yna)h{@cQ{1=>aUDQlj2`upN+~kj=z`(<-e09pkX*C!6C5Vp9TG=_q2Eh zQXp%Jwn`>lO;z;2MZ5n|ZG+cXDy@bleLQY53$y zAO54a#^%q2f4kDE^(NM(U%W2)8!lfrYQTm#QA6(xd-g-VGf4XPxnBT$?uMBG$5$6TH+8dFB(sI8Dw}4L*X1ofxZAKD zv3FG^8CN9Z@{OY*qF@mfw$4YTf8CtntE&hqe7^A}RO77ZMHu2q+U9-)WoOD5ufpK{ zYqz~sGVtDxo5Dky4uQ^!LlVXV>AKp!!qUk@33PZn9?{{Tk|47+J@+Qp^GKne4OUKB zCf(xbU$Zal5p_3Wg-Zb)rn~Bkjo}&v=18lhI1v2__%}FD*U5tOkji;C^_DF z*(TX(3KLwL0=!@O9&A)g6Um7%Pv42gz`=b2- zmNv>f_H;n9AT)g3!ow}a-;2UaHbKFK+#`p0*R-zzD9O27BzzH+u(o8U_YOp(DjzWDch+#eBG zj$zhi6YIA-;pUhm9hH1sFX;7V(UthEo zq5EV_JRo_P8G$)(l6C&!`UvNw4(7*s(<*RDc>2Jf6u2GI@cd%R6E2wOyNB;FtxzU6 zpX~oUS~ZXYPm|Vq6mftQDeS8e%bR^~>LzWiNm!Z7cw-BJIZ>;8+F2_{iN;SBl0q1& z$RV`r{nkVm!Lz84v3w!s26EXO6&JEB-6w4mP*7x-CR!6D@+?xqIiKodR@q40haIL; zZ>`UaFE8lC$K<>ReKT>^q~UlwM)N@BynQ!k{aGlRMM`cPxI-!GR&zA=s`Sqs%ZAot zb4lTlEx8WQr!>4c+dxtvefe2~YVXE`%y$pRwfV^oB_Ye4!_~{cjV+pKI+_U?t;Do? 
zz0W3%6a_Fh|4%A@*EvHvpk&9(OU?Z`*c`^+t#8<@3M+DHqwfEXjNs4vsK+74J4=5* zDW3UAvtzs^-@&Q$$=wQ!aMo--umG?1H|B^?HS>xHsQr7)nMui8>(Q!S$l-NK?Z(07 zZ98sSy%h)+adBK-R9;=A&o59zH7vZ|^2;kpxm9dBRQaqM`Lnx=B;@dbzq$OD-Vpk+ z-yGh67r4#)U?3r9$CET?Gb$Bw!4RI5V2gdfQuL117Pg5lN@|XASSdpDHzfTXnh{qK zFK^iGO;Ca2OD7b)jJhM}2v>8eHytY0deTh{VhKi3j1{4{jK9-W0hf zK))=|2&DfTQXF4ItDuwTxdGJrWi5=UjrQ#^u`n^bVRFy^a`f32yA)u2sHQLc)kEUQZ7Fk&*pI$-h-9Zl|b6 z_i0#gYOpeY*y+M}N^?jH20}eNxOu!q?ac;Bx{zHmwYfzXS{bpu?GlT(7W!u-QU2DG zloM=~7fB}3Fj6ApZY?r+5bj>CFwie9nlkP_clP1q~{f6{x9Ee@)ddbo)lU5 zS;hZ-ZH}jbVcUc@LYeR1z+rUzDYZQ^Qy%;miskzH_4mIP>u~HQo%=tesQ*``mNHiy z+mkm+cSOwjNkFto&&h0CV8dUIgVe%7Tx#ko?H;L@KdymVe9C`xb**P$T=221GGEcQ ziiM}*t~0ekt7bM{UbUj=(flaun^Ws`DU|P5(@yj!v&WjNwS-x~Q_?OiR(}hma8lvV zI`%M|fwi^S|#5>Z%vfu8{}&u{Ptg# z{wO6;cmc@mTOMb9b76WDbi!g~6k{)@zY5$KyEJr9R>L#1)2I3Q=&{~WCJtF?C zXVC8u%D>B!#Ng>#-$+vQe=w;giKaJDH$UEp`1EPClGqCq;v-GzLHxq1D1GlFFc{D{Ox9=!eh`SZl8LcqbWG|?N4+6>Up(1;lu8y#ist5#IHC8()TRvC1H4QL_j zdefIIa$;U5-cF(p(!_0*;rL5~DXkCDT7?R8#5J25CV` za2P>)6R<%jBE1XFC<8c33oVpT1VRha485pGQITFPh|-IcNJom)U}#DUGSq}729P4( z8+B&9bMM?c>-!00u};o;v!DHxy~EUf*3!^PRXVgSn^Dr~R%;!^Tr5R!Veq+8x95bo zeg>|{Axc%{A%A;jo`CZ8GYD0MfR9dhm-g3Mp-KtIMy(2`1P<|qId9DM`lv>j(RAxb zNlQ2?h(Qu3us-;iT;^RU*bp-?4{d&@5yRP%tlBg^ZZkzS(%B&pT$mhM8tpP_kzF4^ zezU=LTI+()i65?97^nUr4k^fCy&^bJ^vYJYmcof?R#6{NNfrZah!VEl7IP8RB`l(VHk%V zNhF0s`n!#LrpCH0%| zXIAxCRxbrfQ+jOVkvULEZba${cE5gox7K@pfrpeLZAWG~XNtQQY0QBpQ+;7YHC*qb z;t{q`v#9!pE5x)bm;=eliC%Eux8=x<%DNmR zlY9V8XrFUH)!esl%&EX8>&+pTuc4M|`iak`Pu`-%`9jryK6_Vz-U!87W?ue$eSzzw*J+oa1 z$B*NsI8_JimR@(_r$KK1B-U3}Q;j|nhM0)EZN|ym!>M=g3IRW51ZoE}Efqv0A1AcO z_$V~9V8O$|(lM60LC!){oIG2l(Qx1Nb8cvp>_uap1kFxbU`#w+gxqK@jJ6ArH1g&z z%^Vd7WYgU`uEnHvlWQ%P>P#zZ{}Uk#J5^I_g*B+b=x6o4X=uanWoAgqLe$5D(x^{s zG;u;HD2t8T2^T43LRoptPGGz=_#mjiC6Y;OxR@7a-tCE1nCpH&?tQ;mf$Yt_Cr0SZe0ksSTi$$C}uYE-Yc9%-JP z=&fXh+Gunjjc`;=3FM`F?Uo%zGcV77Y1e7BQg)uKgcldxJ6!aGQ*Mj5mA>VD$8cjl zpNd3aub7Lr5w%L<0i=wtrysVTZb$!b=EDR}o}GSl0R+r`2Py{WzWwh&^=-S3tf 
zi4Js+qhmHIyCZQoo2luul0>)L=-lS=7}48-R!K4hQ?VL-P}cOqA!Sy94+_dS3|t#U zEEYG&N_>4^oK7NfsMykcxWpR9AAe!E&`gApkK)u-gS_#x$$hOnJmk!)2!rkHjDBWh(m)Z`d}~(nd(}J_3c8=n3AN z`+tHc;w(>rNy)IhMx_;c0jHU4RA?$a)r(sziKkj?qJdJzm3WCFXQv&QQy3)RV5b#M zf)}jVdNT{GqMae@TCds106&IJgY>&K2r?4V`b4W2*B+=9mz9-a>p)bd9KfYnH7c_> zIWh4!1yu=&-m>wCE3~&B4z}*F371-i*wrArIjmz6*m;?F*_-^S0%O=)q~o-6yyrP0 zTxpBJoq~%_F1HI%htso^U##;`ONLoX_NyP%8U0#XQ={;@vok?AmfK7eu!%mcIj-{e z5M;lRD)%sJis@{ z`i+)z1bWvn&Ln4S9xlN4&?U{in`<`%j`^kqkw(ix$b^M~ zM>@~9fXB9=VT%atAMUCEJ%n|Bv&@k$LwW^z$o;RF#JUT0n)t99h7RKx1^$Fle+wI| z^Vw<`G*c#{)hGvE=XOY_lquT*GDoc?6_b7V5x5Chek*N8to><|;=*tU!QzC1vZ&Zv-#GI4MC-t<}fpu&RfAaO@hD7LhH1 z#DpW(=!k>fh{%$Vl;STJAP@&tUK;eXw2hGESKfyDnl*xcVl2(v#3pPDU6@L-Xoh%` zn&4v&`Z&=g;RN6)zXnY#30Rn3uSJt-5wmByzD2343ShyoZ%9QkfNdPbmsDN==OliS7E@Z z!d^N$I|@Bm8PdRqn?ajhIunEfUK+A)u5`Avd?u*aPQ`G~jYllEH>7VwuUQx>R9inz>x$~h8 zlPI|KQ;NYaeOHq}4-Uf25&S=}vlpGL)xC2}$YrGX!S?p{q50O2&iFhtJ1Ytt%$geH z?Bvf_$B}g|Tp*T9T4EPwLoil>{(`1isZ+sYP0kahVo9+wygYx)T6~lYM(4wl=ILGC zcQ=s z_ma#}cNM+o7H048D*l>mlW$y1tGdxs>(9+9@+M)*v>XRA)k1>Tm){w!KC+x?kDXnc zZVfm9m9uzj-F4)2akX7X9Jq~u9N;(XZpOq^Tm*6mZ{&Hw(?-t|nRyj{no11g>LPit zzxu#3PCD`!7ch{k&0uLTS6Wtb=t%`8p|qkzMRJGXa9dq0J!;MDzMbs5(l^P`C3r z{Ka#lU;Q?TM|a~kuHfWAgmYTLK1=9yoS_4DIZr?H6nHSz7ros#7g#G~i>&5!Da?Y; zc+Wk*M$`6h@F2(M)wq3`9v&H)B+G8Pmr4jrQs{{(MTRkk=>u}cJA!%tigDta!)U9> zlFhiY5*&GGC>+p5j%Sll^}QT(Q5IL&@G3NvwYk!NV-CyTQW!cbT$%!G9Cq3y)C6{M z-7sqAg>Bp6XBM?y4aK@o!PTF;PBP`Q@Kj;Wu!}(TxMNkplezKWPo(I5S6TiQDN;P_ z&UdEDAaC<`^d8wz@S&3cXu%+de?#|~%oLXH2+-nV>>w@7HD<9~tEOp(Ml8I)ugG>pD?W00LwgNeS@4geCG4$} zZLu>EpZ>y1(s6*5Y*f-`zyMr4pz9B$2DD^C9im<{oj&hh%HrPeDX&5LA>AQ~BYyFp z*z)$wNA`%}!M?|rsFGsSC6YK7Y6WQ7WE`Cqw7^DhF1 zP;zFT2rq2~e;hS-tjE9Ux@|D2D0U&s732_Cx9xyWQ_8HYk{sm`OGaR(={pE9um;@7 z6L9h1r04f%Dgr;oQ(}j~pI19@TU7X=RAOf4av2mg+8EsEINd_WfAmb@y^W_R3;q{@ z0pJt&A)lvO(nMZPwYRAzwV!!&F~qZnp*0%1CBby~xw_vPLKQVkAt=u8DxI_ZLEIE& z8E0}ODj>wGPW{GqDZjiFYOdphRJIwtRdet}h_l0f3TJoOh<6%4DIjFI`Fid+serF* zub+D9=+ 
ze;}!yap~V0RtB#YK6N{Xt{nf=!2C;I65!LxuX}ITx&Gs-+<&!s{w8Vw+7AX+-UJ}j zTm;!jBd^cbS0^QaSalzSP*snMiNUXU#U7K^8ZNdxy}rIq*B8AAih4zRT^!KWy34XO z$d@}Bd5JM`al=SUEP9}udbe)VOFT5mX1)^D6aDFOlwG)6H4~-ZU%Ty@Xs0w+QDIQs zZ`YOCcVu(K*$mZsuG)RdDqFTxfc;>o5IJW5G2>t(5& zbjmFR1s{Z?1J?aiD64OO{^=*2{5cx=PR#D+Yar5)Sy(oZNaSmf1i$Cr02cYe?P~Ac zzfT56dmt|{9RwXxYP%uw|H=%pLS`>b2)DoBi(tQ^P5+|eMm-vBB2 zMoB*v!)DNbZ>inKQL1hldQ=r4D{kt6z-##4l|S<0f{UHfRM_tqST+0wAr zm!EG96noCJH(<;gZq!mX7i4EYetg_Aj<^sGRm066+1>0EiC@^S?zc`PMuN<*HE0rm zK=-;SG#q{Nu)~Rp)?e7V<&8_Mio$<{!<5hqIo+p>3sdIjZlzDZZ;Qd;m)WTJ{{W^4 zu`j@+oMA-2%91v#CMTqTPHhgi-sNlGi1&;z$p`=FN^OtGvwg#IGtjRl3!Y_+bG#c5ee{?{{j^rc*#PTHifZ5WN_Q{y6d98t~leFREQmNb2YEVXiW zAFNfOCN={G8FO_tS|A8lbdSD@lL&)ol_@fqifM6mQFTz+lmpEnKxJ^+ugJ7a>lC07 z{Vx`S$m)(_PU&8FRcEYB|7-vVB;kx63M|P_C;`s#M&1?wJe&}bVCyd38oLg}+Pi?d zEO?G@OT}O5e)ZZMHKgVAk_O8($4#q*T3jzgmVl$xJ6xbE2S}i zgbAd4s}dOP!9oui-xXfWeLh)-!jhO%$ACOG%%!qQw}7hjT_-q1rKkC;F^sLvrMoW) zMr(wusMmGe_(EYmlbairfAFE|)>U}*;gFBE5GnOjW`-M=K2g%V$~7xVt#Xi{>z+f` z{Y@qN9)Y6vxnv?ZlndEyxc*=;;f6>oV!uDNzKvM|QBy2MsBf&Wgn=@+^E>Q3{2g|Z zPU4aFjf-RE0#by$c$7iqo9*gi#UTcYBv$>MBvu6^v79DJu?XeDR>niQco`284jyIl z)Ti1Ruj{*&iZY7e!jo?XK=kzSM;rie08g?tgTd7iJf9Dh=Q!xIe%3B+SK50S*Gd=H z%xQfix8xG75p6(*b%wUeV7xlFREi@>il91IeR_fNc%?wx?0b~S0-cjN(7+;3#J^Kj zJ+GtVKiF%YT!47;le}Xb@$4yg2{oR z?)7V3hET(}EwI*Xc!tf13mi1E1k>IK%O(~;j2yAO0RIs&LgNapVw!cZUN-CxZftHG z50a!AVx-%2X>VBF^rqQ#If;|I?L`uadwSCQ-=W1{gZM+%#;I#D%sD#R6Ku%;zS0q0&BDq34Cf^gI}kkbef}gzV1~2M>dU8!hWf5_Kl6@ z>+60WZV)J`xto$ye4UeKsmDv|%PfKv{eR^I!yQKkA|EwIpAi?o(3kQ0F6aSnPH9s% zk)T5tIVh!XQED#f8%@%Q)cyy0*>9akz=UW_3GeD<2ZHL7jjBG`20;F&uCj)Og@qg4 zmHosp6!YxV#1)Le(;F&@dgh|uN55H{Gh0hN zHU_L2m0bh@yRPm#3Om4fC|PaF?3RJXWbH?=+s5SCuR8hwi0+FU9EP7LuzXonXx(U~ z&RP8xi#omWEi7IjgzmMs?TNYHdc(}j>;qVcvOVVlmb~+--7q!y9TAeX|HbVgyMr+U zFdg!^+r4&{BURQh&Z@8Tu80p;)U~1KpSm&;Z%z4!0h*3T;;>~sf3K!-R+dn-u8te) z@7s)TnE)Io2fY<~yq#RjVp9M(CWu&1^Da-k9O3R}DX9q}Z9Lk$dx8HhMRuD(7Hjif 
zy5bNg4$cmYuT$+OE71)rE8(XG*~5{X-0%f@R^G?jAnljR*K#z;o!}79BlsscE%C5_U*vZW#j^FLur8tv<6NS|J^u_dlw&;$&u=m!{yr!Th_MKwa(G7N^}+#mSa zG?p3wO9I>-;F8z_K09nmZ~;fYMf<191WnHf8N8dk&(c*8&#p5{3#_={o092FZaK#b zh8BzqO@+Wa8163hy(`4~r^Ghqo)p59&sRk)j{wez9-i(`GWFwsAyYeLb{&U?X?UML z9Ne9b7C;v~4qa~B*%!hIrJQr0v>4G&kt?+T*W(ps7pCzR4B@EqF9ErUjU+Ibk>Y*J zJGL3^DNLH?*5xW*wW<$T^a2W~fl`9cO*au5ev&AsjyYSW*M4{T(oW!gs@?DJ`PBr#r)omM0-ph zxZdT1-(h{}hdGW^xtZ_Z_P*A_gO$pNYndcaWr(jw`Gd&Z$9M=^# zUr#j=yD6zTe%!NFzJGpOyHk3?UjM5UmtaVd;-Vq9LQ!2c18JW!b97$2s&DoNTj~?r zpE@o}$T+=iiJjEQ@lLbK)r!m+E&w+si$gktJurrgaIF5*Tsn5_sDy@Jo42o+Axr(LYae+B5bu! z6k3nv(9y}CLC2>WOX6jaSmA*~9FQf-H$Pw-f{E~)9f(Lwk)+&UKhSP>$V6gv8Rr>O zw$e*Ku&tD`ir1W!2ZMdpg4CNVq4c2)5-5czeIg2<7u#?*9c4uO1?uuw&+>)BQpg_6 zI2Ok~nkx2PJ7~*SUezGk8v><6a9#J4WSQnBuCJ=G>TDVtGDGeypgw}_=X_z+{_U(Z zlh)q7asg?J?Q$iMX8@k_z;Y0)P(c7ebUkkG||gY&?LA17E}a++QhtglwYCE?IIYO} zI+BD;WF+u|wEyA<<`a6`<7WaW3TpQp}=gPP@j9$FXaL~qHyO1ru=U3Rt^cb1{e^LH0A-aj+vzl*^}4UG>SEs% zSbO%wtil1{V{Y`TSLaKP5|Aq7{=Ok=!X!0VkNQ2LFL^ zPL@$fJ4FN~B?n1zoV#Ed4Ei~zU_l&cGFnf!UyfT$>1T{H0%VO`V6*ftz9RI`@WNy@ zbQ9A-K%@5JWAL?SOD)b!@tRYL$3L=$;5B!bf47E${;-CoZU8O>q`q1mgVyp=JrPAk zv&NOT6&+;_W(@~B^6ryofT{Ur)^zjVI2Ubq`-f7so_Or_(BW9*Wbna0whkzYGR|*~ z7eswYtION9Gppv*Vt6WnlLs;A*!Vf);f|SP9XTQpL5Ckz5U&vN(AAi0_#f1bdqE<93AKI+#_E8Lw z03k<)L0aH($Nu!(_MbkH-xr^#$d=+06*<=oXkERU7(_NHwor5)dj3EzN#M}oB)chr z@yEYhx`W4>6v3awySTa*O0Et(iY86GGy!uSPl=+UqKf(kmo9mqkl%s)XcRilNt zew6`5tqVBXeSxFHE~eL6p#~f-QbB0Qof&5!18N)UZhw&h?`0qOEW&U;v`!MOWz0`7 zV!{u-*}p{=ELHzKvfv6loV}bWdFMChVL*}B_%6Kw+Lf0Q&T(aJP$ zu}iBvmGR7HJrB)GymM_V?`YY_GhBwA&(^H4i|a2WakTRDUxv=;jvu-syWLR*A3`Xs#r@ec?7{-1t5t zZ7mA$Fap~0UB5c^;eed8J9VY9-&zi<_rjree{s+Pa>|5KTG+Y1%t!9}cI|hD9pT3J^NNAkf&RzL2lo=yWMm`9I{Q)0UN#YJ|=wdn6=yUD~2dU zJ!A;d;TPA1CPuO!5Z^S(IbxBSeU!=UQ8_XX~a? 
Date: Mon, 3 Apr 2023 10:19:27 -0700 Subject: [PATCH 04/41] faq-7760853 --- windows/deployment/update/wufb-reports-help.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md index 40a0c084d8..90184b8f3e 100644 --- a/windows/deployment/update/wufb-reports-help.md +++ b/windows/deployment/update/wufb-reports-help.md @@ -21,7 +21,6 @@ There are several resources that you can use to find help with Windows Update fo - Open a [Microsoft support case](#open-a-microsoft-support-case) - [Documentation feedback](#documentation-feedback) -- [Troubleshooting tips](#troubleshooting-tips) for Windows Update for Business reports - Follow the [Windows IT Pro blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) to learn about upcoming changes to Windows Update for Business reports - Use Microsoft Q&A to [ask product questions](/answers/products/) From 40fff0cf04345f63fb0dfd71d3ec85de18f43884 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 3 Apr 2023 10:22:20 -0700 Subject: [PATCH 05/41] faq-7760853 --- windows/deployment/update/wufb-reports-faq.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 813dcc21f4..06ca65e34b 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml
@@ -40,7 +40,7 @@ sections: - Configure [manually](wufb-reports-configuration-manual.md) - name: Setup issues questions: - - question: Why is **Waiting for Windows Update for Business reports data** displayed on the page? + - question: Why is "Waiting for Windows Update for Business reports data" displayed on the page? answer: | Typically, the **Waiting for Windows Update for Business reports data** message is displayed because: - You may not have the correct [permissions](wufb-reports-prerequisites.md#permissions) to display the data. 
@@ -64,10 +64,10 @@ sections: answer: | Here are some reasons why you may not be seeing devices in reports: - - The device isn't enrolled with Azure Active Directory: A [prerequisite](wufb-reports-prerequisites.md#azure-and-azure-active-directory) for devices is that they're either [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid). - - The device isn't sending data: It's possible devices aren't sharing data due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script]((wufb-reports-configuration-script.md) on devices to ensure they're configured properly. - - The device isn't active enough: Clients must be active and connected to the internet to scan against Microsoft Update. Ensure devices are powered on and have been active at least once in the past 28 days. - - The workbook has limited the results: The default limit for rows in Azure workbooks is set to 250. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the 3 dots beside each component. + - **The device isn't enrolled with Azure Active Directory**: A [prerequisite](wufb-reports-prerequisites.md#azure-and-azure-active-directory) for devices is that they're either [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid). + - **The device isn't sending data**: It's possible devices aren't sharing data due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script]((wufb-reports-configuration-script.md) on devices to ensure they're configured properly. 
+ - **The device isn't active enough**: Clients must be active and connected to the internet to scan against Microsoft Update. Ensure devices are powered on and have been active at least once in the past 28 days. + - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 250. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the 3 dots beside each component. - question: What is the difference between OS version and target version? answer: | The word *target* in data labels refers to the update version, build or KB the client is actively being updated to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running. 
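Review bot: In the rewritten "The device isn't sending data" bullet, the link `[configuration script]((wufb-reports-configuration-script.md)` has a doubled opening parenthesis, so the target is malformed and the link will not resolve. The line is being touched anyway to add the bold label, so fix it in the same change: `[configuration script](wufb-reports-configuration-script.md)`.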
@@ -89,7 +89,9 @@ sections: - question: How do I confirm that devices are sending data? answer: | Once enrollment is done and devices are properly configured to share data, wait for 48 hours for data to start showing up in reports. It can take up to 14 days for all of your devices to show up in reports in some cases where devices aren't active or online much. You can check to see if the Log Analytics tables are being populated in your workspace. The data is ingested by the service daily to generate reports. If you notice a day is missing, it's possible that the reports service missed an ingestion. To confirm devices are sending data, [query](wufb-reports-use.md#display-windows-update-for-business-reports-data) the [UCClient table](wufb-reports-schema-ucclient.md). The following query shows total enrolled device count per time-generated: + `UCClient | summarize count() by TimeGenerated` + :::image type="content" source="media/7760853-wufb-reports-time-generated.png" alt-text="Screenshot of using a Kusto (KQL) query for time generated on Windows Update for Business reports data in Log Analytics." lightbox="media/7760853-wufb-reports-time-generated.png"::: - question: Why isn't the workbook displaying data even though my UCClient table has data? answer: | From 93a89efc93f772c0d01877868582a86bc9777a86 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 3 Apr 2023 10:24:55 -0700 Subject: [PATCH 06/41] faq-7760853 --- windows/deployment/update/wufb-reports-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 06ca65e34b..41773fb5b8 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml 
@@ -88,7 +88,7 @@ sections: Volume from the CDN is calculated by subtracting the number bytes that came from the cache server: BytesFromCDN = BytesFromCDN - BytesFromEnterpriseCache - question: How do I confirm that devices are sending data? answer: | - Once enrollment is done and devices are properly configured to share data, wait for 48 hours for data to start showing up in reports. It can take up to 14 days for all of your devices to show up in reports in some cases where devices aren't active or online much. You can check to see if the Log Analytics tables are being populated in your workspace. The data is ingested by the service daily to generate reports. If you notice a day is missing, it's possible that the reports service missed an ingestion. To confirm devices are sending data, [query](wufb-reports-use.md#display-windows-update-for-business-reports-data) the [UCClient table](wufb-reports-schema-ucclient.md). The following query shows total enrolled device count per time-generated: + Once enrollment is done and devices are properly configured to share data, wait for 48 hours for data to start showing up in reports. It can take up to 14 days for all of your devices to show up in reports in some cases where devices aren't active much. You can check to see if the Log Analytics tables are being populated in your workspace. The data is ingested by the service daily to generate reports. If you notice a day is missing, it's possible that the reports service missed an ingestion. To confirm devices are sending data, [query](wufb-reports-use.md#display-windows-update-for-business-reports-data) the [UCClient table](wufb-reports-schema-ucclient.md). The following query shows total enrolled device count per time-generated: `UCClient | summarize count() by TimeGenerated` From ca4ccd49ba4c96ab66370cb970a84d8ad25116fe Mon Sep 17 00:00:00 2001 
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 3 Apr 2023 10:28:06 -0700 Subject: [PATCH 07/41] faq-7760853 --- windows/deployment/update/wufb-reports-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 41773fb5b8..615ca693bc 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -40,7 +40,7 @@ sections: - Configure [manually](wufb-reports-configuration-manual.md) - name: Setup issues questions: - - question: Why is "Waiting for Windows Update for Business reports data" displayed on the page? + - question: Why is `Waiting for Windows Update for Business reports data` displayed on the page? answer: | Typically, the **Waiting for Windows Update for Business reports data** message is displayed because: - You may not have the correct [permissions](wufb-reports-prerequisites.md#permissions) to display the data. From d6832a362dc846d6add97da3f6317d37ef5571f3 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 3 Apr 2023 13:52:20 -0700 Subject: [PATCH 08/41] faq-7760853 --- windows/deployment/update/wufb-reports-faq.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 615ca693bc..203f718e8c 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml 
@@ -10,7 +10,23 @@ metadata: ms.author: mstewart ms.technology: itpro-updates title: Frequently Asked Questions about Windows Update for Business reports -summary: This article answers frequently asked questions about Windows Update for Business reports. +summary: | + This article answers frequently asked questions about Windows Update for Business reports. + - [What is Windows Update for Business reports?](#what-is-windows-update-for-business-reports) + - [Is Windows Update for Business reports free?](#is-windows-update-for-business-reports-free) + - [What Windows versions are supported?](#what-windows-versions-are-supported) + - [How do you setup Windows Update for Business reports?](#how-do-you-setup-windows-update-for-business-reports) + - [Why is `Waiting for Windows Update for Business reports data` displayed on the page](#why-is--waiting-for-windows-update-for-business-reports-data--displayed-on-the-page) + - [Why am I getting the error `400 Bad Request: The specified resource already exists`?](#why-am-i-getting-the-error--400-bad-request--the-specified-resource-already-exists-) + - [Why am I getting the error `400 Bad Request: Identifier must be GUID`?](#why-am-i-getting-the-error--400-bad-request--identifier-must-be-guid-) + - [Why is the device name null(#)?](#why-is-the-device-name-null---) + - [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports) + - [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version) + - [When should I use the UCClient versus the UCClientUpdateStatus table?](#when-should-i-use-the-ucclient-versus-the-ucclientupdatestatus-table) + - [What is the difference between quality and security updates?](#what-is-the-difference-between-quality-and-security-updates) + - [How are the calculations for Delivery Optimization done?](#how-are-the-calculations-for-delivery-optimization-done) + - [How do I confirm that devices are sending 
data?](#how-do-i-confirm-that-devices-are-sending-data) + - [Why isn't the workbook displaying data even though my UCClient table has data?](#why-isn-t-the-workbook-displaying-data-even-though-my-ucclient-table-has-data) sections: - name: General questions: From eb014765ff61ccc3a98757eed4b38c08f893ea87 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 3 Apr 2023 13:56:10 -0700 Subject: [PATCH 09/41] faq-7760853 --- windows/deployment/update/wufb-reports-faq.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 203f718e8c..ad30c3ab24 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml 
@@ -16,9 +16,9 @@ summary: | - [Is Windows Update for Business reports free?](#is-windows-update-for-business-reports-free) - [What Windows versions are supported?](#what-windows-versions-are-supported) - [How do you setup Windows Update for Business reports?](#how-do-you-setup-windows-update-for-business-reports) - - [Why is `Waiting for Windows Update for Business reports data` displayed on the page](#why-is--waiting-for-windows-update-for-business-reports-data--displayed-on-the-page) - - [Why am I getting the error `400 Bad Request: The specified resource already exists`?](#why-am-i-getting-the-error--400-bad-request--the-specified-resource-already-exists-) - - [Why am I getting the error `400 Bad Request: Identifier must be GUID`?](#why-am-i-getting-the-error--400-bad-request--identifier-must-be-guid-) + - [Why is "Waiting for Windows Update for Business reports data" displayed on the page](#why-is--waiting-for-windows-update-for-business-reports-data--displayed-on-the-page) + - [Why am I getting the error "400 Bad Request: The specified resource already exists"?](#why-am-i-getting-the-error--400-bad-request--the-specified-resource-already-exists-) + - [Why am I getting the error "400 Bad Request: Identifier must be GUID"?](#why-am-i-getting-the-error--400-bad-request--identifier-must-be-guid-) - [Why is the device name null(#)?](#why-is-the-device-name-null---) - [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports) - [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version) From ba603ba78cf38542999387f10293e6b624c428bb Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 5 Apr 2023 10:34:18 -0700 Subject: [PATCH 10/41] add do section --- .../deployment/update/wufb-reports-faq.yml | 46 ++++++++++++++++--- 1 file changed, 40 insertions(+), 6 deletions(-) 
diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index ad30c3ab24..f00b3fb7d2 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Update for Business reports. ms.prod: windows-client ms.topic: faq - ms.date: 03/31/2023 + ms.date: 04/06/2023 manager: aaroncz author: mestew ms.author: mstewart 
@@ -12,21 +12,33 @@ metadata: title: Frequently Asked Questions about Windows Update for Business reports summary: | This article answers frequently asked questions about Windows Update for Business reports. + **General questions**: - [What is Windows Update for Business reports?](#what-is-windows-update-for-business-reports) - [Is Windows Update for Business reports free?](#is-windows-update-for-business-reports-free) - [What Windows versions are supported?](#what-windows-versions-are-supported) + **Setup questions**: - [How do you setup Windows Update for Business reports?](#how-do-you-setup-windows-update-for-business-reports) - [Why is "Waiting for Windows Update for Business reports data" displayed on the page](#why-is--waiting-for-windows-update-for-business-reports-data--displayed-on-the-page) - [Why am I getting the error "400 Bad Request: The specified resource already exists"?](#why-am-i-getting-the-error--400-bad-request--the-specified-resource-already-exists-) - [Why am I getting the error "400 Bad Request: Identifier must be GUID"?](#why-am-i-getting-the-error--400-bad-request--identifier-must-be-guid-) + **Questions about using Windows Update for Business reports**: - [Why is the device name null(#)?](#why-is-the-device-name-null---) - [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports) - [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version) - [When should I use the UCClient versus the UCClientUpdateStatus table?](#when-should-i-use-the-ucclient-versus-the-ucclientupdatestatus-table) - [What is the difference between quality and security updates?](#what-is-the-difference-between-quality-and-security-updates) - - [How are the calculations for Delivery Optimization done?](#how-are-the-calculations-for-delivery-optimization-done) - [How do I confirm that devices are sending data?](#how-do-i-confirm-that-devices-are-sending-data) - [Why isn't the workbook 
displaying data even though my UCClient table has data?](#why-isn-t-the-workbook-displaying-data-even-though-my-ucclient-table-has-data) + **Delivery Optimization data**: + - [What time period does the Delivery Optimization data include?] + - [Data is showing as "Unknown", what does that mean?] + - [How are the 'Top 10' groups identified?] + - [The GroupIDs don't look familiar, why are they different?] + - [How can I see data for device in the office vs. out of the office?] + - [What does the data in UCDOStatus table represent?] + - [What does the data in UCDOAggregatedStatus table represent?] + - [How are the calculations for Delivery Optimization done?](#how-are-the-calculations-for-delivery-optimization-done) + sections: - name: General questions: 
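Review bot: The seven new entries under **Delivery Optimization data**, from `[What time period does the Delivery Optimization data include?]` through `[What does the data in UCDOAggregatedStatus table represent?]`, are bracketed text with no `(#anchor)` target, so they render as literal brackets instead of links; only the last entry in the group, the Delivery Optimization calculations one, has a target. Add an anchor to each entry so the group matches the other three groups in the summary.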
@@ -99,9 +111,6 @@ sections: - **OSSecurityUpdateStatus**: Indicates the status of the monthly update that's released on the second Tuesday - **OSQualityUpdateStatus**: Indicates the status of the monthly update that's released on the fourth Tuesday - - question: How are the calculations for Delivery Optimization done? - answer: | - Volume from the CDN is calculated by subtracting the number bytes that came from the cache server: BytesFromCDN = BytesFromCDN - BytesFromEnterpriseCache - question: How do I confirm that devices are sending data? answer: | Once enrollment is done and devices are properly configured to share data, wait for 48 hours for data to start showing up in reports. It can take up to 14 days for all of your devices to show up in reports in some cases where devices aren't active much. You can check to see if the Log Analytics tables are being populated in your workspace. The data is ingested by the service daily to generate reports. If you notice a day is missing, it's possible that the reports service missed an ingestion. To confirm devices are sending data, [query](wufb-reports-use.md#display-windows-update-for-business-reports-data) the [UCClient table](wufb-reports-schema-ucclient.md). The following query shows total enrolled device count per time-generated: 
@@ -111,4 +120,29 @@ sections: :::image type="content" source="media/7760853-wufb-reports-time-generated.png" alt-text="Screenshot of using a Kusto (KQL) query for time generated on Windows Update for Business reports data in Log Analytics." lightbox="media/7760853-wufb-reports-time-generated.png"::: - question: Why isn't the workbook displaying data even though my UCClient table has data? answer: | - If the [UCClient table](wufb-reports-schema-ucclient.md) has data, but the [workbook](wufb-reports-workbook.md) isn't displaying data, ensure that the user has correct permissions to read the data. The [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role is needed to view the data in the workbooks. The [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role is needed to do any edits to the queries and workbooks. + If the [UCClient table](wufb-reports-schema-ucclient.md) has data, but the [workbook](wufb-reports-workbook.md) isn't displaying data, ensure that the user has correct permissions to read the data. The [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role is needed to view the data in the workbooks. The [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role is needed to do any edits to the queries and workbooks. + - name: Delivery Optimization data + - question: What time period does the Delivery Optimization data include? + answer: | + Data is available for the last 28 days. + - question: Data is showing as 'Unknown', what does that mean? + answer: | + You may see data in the report listed as 'Unknown'. This indicates that the Delivery Optimization DownloadMode setting is either invalid or empty. + - question: How are the 'Top 10' groups identified? 
+ answer: | + The top groups are represented by the number of devices in a particular group, for any of the four group types (GroupID, City, Country, and ISP). + - question: The GroupIDs don't look familiar, why are they different? + answer: | + The GroupID values are encoded for data protection telemetry requirements. You can find more information in the 'Mapping GroupIDs' section above. + - question: How can I see data for device in the office vs. out of the office? + answer: | + Today, we don't have a distinction for data that was downloaded by location. + - question: What does the data in UCDOStatus table represent? + answer: | + A row in UCDOStatus represents data downloaded by a combination of a single device ID (AzureADDeviceId) by content type (ContentType). + - question: What does the data in UCDOAggregatedStatus table represent? + answer: | + A row in UCDOAggregatedStatus represents data summarized at the tenant level (AzureADTenantID) for each content type (ContentType). + - question: How are the calculations for Delivery Optimization done? + answer: | + Volume from the CDN is calculated by subtracting the number bytes that came from the cache server: BytesFromCDN = BytesFromCDN - BytesFromEnterpriseCache From 79e28b96263d4f3c294abff695f8da41134fb9fc Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 5 Apr 2023 10:37:42 -0700 Subject: [PATCH 11/41] fix yml syntax error --- windows/deployment/update/wufb-reports-faq.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index f00b3fb7d2..7e97692b5d 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml 
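Review bot: The new `- name: Delivery Optimization data` section goes straight to `- question:` entries without a `questions:` key, unlike the `General` and `Setup issues` sections elsewhere in this file, so the YAML no longer follows the FAQ structure; add `questions:` under the section name. Two smaller points in the added answers: the GroupID answer points to a 'Mapping GroupIDs' section "above" that does not appear in the FAQ sections shown in this patch, so link to wherever that section lives, and the formula `BytesFromCDN = BytesFromCDN - BytesFromEnterpriseCache` defines the value in terms of itself, so name the field the subtraction starts from (the sentence before it also reads "the number bytes", missing "of").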
@@ -122,6 +122,7 @@ sections: answer: | If the [UCClient table](wufb-reports-schema-ucclient.md) has data, but the [workbook](wufb-reports-workbook.md) isn't displaying data, ensure that the user has correct permissions to read the data. The [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role is needed to view the data in the workbooks. The [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role is needed to do any edits to the queries and workbooks. - name: Delivery Optimization data + questions: - question: What time period does the Delivery Optimization data include? answer: | Data is available for the last 28 days. From 946bebb93f6489214d60686dc93dbe379f7df76a Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 5 Apr 2023 10:46:42 -0700 Subject: [PATCH 12/41] formatting, linking --- .../deployment/update/wufb-reports-faq.yml | 26 ++++++++++++------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 7e97692b5d..bcbb2be44b 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml 
@@ -11,17 +11,23 @@ metadata: ms.technology: itpro-updates title: Frequently Asked Questions about Windows Update for Business reports summary: | - This article answers frequently asked questions about Windows Update for Business reports. + This article answers frequently asked questions about Windows Update for Business reports. + **General questions**: + - [What is Windows Update for Business reports?](#what-is-windows-update-for-business-reports) - [Is Windows Update for Business reports free?](#is-windows-update-for-business-reports-free) - [What Windows versions are supported?](#what-windows-versions-are-supported) + **Setup questions**: + - [How do you setup Windows Update for Business reports?](#how-do-you-setup-windows-update-for-business-reports) - [Why is "Waiting for Windows Update for Business reports data" displayed on the page](#why-is--waiting-for-windows-update-for-business-reports-data--displayed-on-the-page) - [Why am I getting the error "400 Bad Request: The specified resource already exists"?](#why-am-i-getting-the-error--400-bad-request--the-specified-resource-already-exists-) - [Why am I getting the error "400 Bad Request: Identifier must be GUID"?](#why-am-i-getting-the-error--400-bad-request--identifier-must-be-guid-) + **Questions about using Windows Update for Business reports**: + - [Why is the device name null(#)?](#why-is-the-device-name-null---) - [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports) - [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version) 
@@ -29,14 +35,16 @@ summary: | - [What is the difference between quality and security updates?](#what-is-the-difference-between-quality-and-security-updates) - [How do I confirm that devices are sending data?](#how-do-i-confirm-that-devices-are-sending-data) - [Why isn't the workbook displaying data even though my UCClient table has data?](#why-isn-t-the-workbook-displaying-data-even-though-my-ucclient-table-has-data) + **Delivery Optimization data**: - - [What time period does the Delivery Optimization data include?] - - [Data is showing as "Unknown", what does that mean?] - - [How are the 'Top 10' groups identified?] - - [The GroupIDs don't look familiar, why are they different?] - - [How can I see data for device in the office vs. out of the office?] - - [What does the data in UCDOStatus table represent?] - - [What does the data in UCDOAggregatedStatus table represent?] + + - [What time period does the Delivery Optimization data include?](#what-time-period-does-the-delivery-optimization-data-include) + - [Data is showing as "Unknown", what does that mean?](#data-is-showing-as--unknown---what-does-that-mean) + - [How are the 'Top 10' groups identified?](#how-are-the--top-10--groups-identified) + - [The GroupIDs don't look familiar, why are they different?](#the-groupids-don-t-look-familiar--why-are-they-different) + - [How can I see data for device in the office vs. out of the office?](#how-can-i-see-data-for-device-in-the-office-vs--out-of-the-office) + - [What does the data in UCDOStatus table represent?](#what-does-the-data-in-ucdostatus-table-represent) + - [What does the data in UCDOAggregatedStatus table represent?](#what-does-the-data-in-ucdoaggregatedstatus-table-represent) - [How are the calculations for Delivery Optimization done?](#how-are-the-calculations-for-delivery-optimization-done) sections: 
@@ -128,7 +136,7 @@ sections: Data is available for the last 28 days. - question: Data is showing as 'Unknown', what does that mean? answer: | - You may see data in the report listed as 'Unknown'. This indicates that the Delivery Optimization DownloadMode setting is either invalid or empty. + You may see data in the report listed as 'Unknown'. This staus indicates that the Delivery Optimization DownloadMode setting is either invalid or empty. - question: How are the 'Top 10' groups identified? answer: | The top groups are represented by the number of devices in a particular group, for any of the four group types (GroupID, City, Country, and ISP). From ae64de71023cd05d86640a45ab6d37c81dca8bc6 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 5 Apr 2023 10:49:36 -0700 Subject: [PATCH 13/41] edits --- windows/deployment/update/wufb-reports-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index bcbb2be44b..af078639c4 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml 
@@ -103,7 +103,7 @@ sections: - **The device isn't enrolled with Azure Active Directory**: A [prerequisite](wufb-reports-prerequisites.md#azure-and-azure-active-directory) for devices is that they're either [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid). - **The device isn't sending data**: It's possible devices aren't sharing data due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script]((wufb-reports-configuration-script.md) on devices to ensure they're configured properly. - **The device isn't active enough**: Clients must be active and connected to the internet to scan against Microsoft Update. Ensure devices are powered on and have been active at least once in the past 28 days. - - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 250. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the 3 dots beside each component. + - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 250. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component. - question: What is the difference between OS version and target version? answer: | The word *target* in data labels refers to the update version, build or KB the client is actively being updated to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running. 
@@ -136,7 +136,7 @@ sections: Data is available for the last 28 days. - question: Data is showing as 'Unknown', what does that mean? answer: | - You may see data in the report listed as 'Unknown'. This staus indicates that the Delivery Optimization DownloadMode setting is either invalid or empty. + You may see data in the report listed as 'Unknown'. This status indicates that the Delivery Optimization DownloadMode setting is either invalid or empty. - question: How are the 'Top 10' groups identified? answer: | The top groups are represented by the number of devices in a particular group, for any of the four group types (GroupID, City, Country, and ISP). From 307101b761a91b4960ed0d6761d52eb0e27515ff Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 25 Apr 2023 15:02:36 -0700 Subject: [PATCH 14/41] edits --- .../deployment/update/wufb-reports-faq.yml | 25 +++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index af078639c4..77779e3759 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Update for Business reports. ms.prod: windows-client ms.topic: faq - ms.date: 04/06/2023 + ms.date: 04/26/2023 manager: aaroncz author: mestew ms.author: mstewart 
@@ -31,7 +31,7 @@ summary: | - [Why is the device name null(#)?](#why-is-the-device-name-null---) - [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports) - [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version) - - [When should I use the UCClient versus the UCClientUpdateStatus table?](#when-should-i-use-the-ucclient-versus-the-ucclientupdatestatus-table) + - [When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?](#when-should-i-use-the-ucclient-versus-the-ucclientupdatestatus-table) - [What is the difference between quality and security updates?](#what-is-the-difference-between-quality-and-security-updates) - [How do I confirm that devices are sending data?](#how-do-i-confirm-that-devices-are-sending-data) - [Why isn't the workbook displaying data even though my UCClient table has data?](#why-isn-t-the-workbook-displaying-data-even-though-my-ucclient-table-has-data) 
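Review bot: the changed summary link now names three tables in its text, but its fragment is still `#when-should-i-use-the-ucclient-versus-the-ucclientupdatestatus-table`. The question itself is renamed in this same patch (hunk @@ -103,16 +103,31 @@), so the fragment no longer matches the question text and the link is likely to stop resolving. Update the fragment together with the link text.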
@@ -103,16 +103,31 @@ sections: - **The device isn't enrolled with Azure Active Directory**: A [prerequisite](wufb-reports-prerequisites.md#azure-and-azure-active-directory) for devices is that they're either [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid). - **The device isn't sending data**: It's possible devices aren't sharing data due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script]((wufb-reports-configuration-script.md) on devices to ensure they're configured properly. - **The device isn't active enough**: Clients must be active and connected to the internet to scan against Microsoft Update. Ensure devices are powered on and have been active at least once in the past 28 days. - - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 250. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component. + - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 1000. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component. - question: What is the difference between OS version and target version? answer: | The word *target* in data labels refers to the update version, build or KB the client is actively being updated to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running. 
- - question: When should I use the UCClient versus the UCClientUpdateStatus table? + - question: When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables? answer: | These tables can be used for the following information: - **UCClient**: Represents an individual device's record. It contains data such as the device's name, currently installed build, and the OS Edition. Each device has one record in this table. Use this table to get the overall compliance status of your devices. - - **UCClientUpdateStatus**: Contains records for every update the device determined was applicable. There can be multiple records for a device if it's discovered multiple applicable updates in the past 60 days. Use this table if you want to get detailed update status for your active deployments. + - To display information for a specific device by Azure AD device ID: + `UCClient where AzureADDeviceId contains "01234567-89ab-cdef-0123-456789abcdef"` + - To display all device records for devices running any Windows 11 OS version: + `UCClient | where OSVersion contains "Windows 11"` + + - **UCClientUpdateStatus**: Contains records for every update the device determined was applicable. There can be multiple records for a device if it's discovered multiple applicable updates in the past 60 days. Use this table if you want to get detailed update status for your active deployments. + - To find device records for devices that determined the March 14,2023 update was applicable: + `UCClientUpdateStatus | where UpdateCategory =="WindowsQualityUpdate" and UpdateReleaseTime == "3/14/2023"` + - To display devices that are in the restart required substate: + `UCClientUpdateStatus |where ClientSubstate =="RestartRequired"` + + - **UCUpdateAlert**: Use this table to understand update failures and act on devices through alert recommendations. This table contains information that needs attention, relative to one device, one update and one deployment (if relevant). 
+ - To display information about an error code: + `UCUpdateAlert|where ErrorCode =="0X8024000b"` + - To display a count of devices with active alerts by subtype: + `UCUpdateAlert |where AlertStatus =="Active"|summarize Devices=count() by AlertSubtype` - question: What is the difference between quality and security updates? answer: | Windows quality updates are monthly updates that are [released on the second or fourth Tuesday of the month](release-cycle.md). The cumulative updates released on the second Tuesday of the month can contain both security updates and non-security updates. Cumulative updates released on the fourth Tuesday of the month are optional non-security preview releases. Use the fields within the [UCClient table](wufb-reports-schema-ucclient.md) for additional information, such as: From a5d77367b77b9f63985c2a2e32904ff1be57959d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 25 Apr 2023 15:13:42 -0700 Subject: [PATCH 15/41] edits --- windows/deployment/update/wufb-reports-faq.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 77779e3759..8cbf8aaaf3 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml 
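Review bot: in the @@ -103,16 +103,31 @@ hunk of wufb-reports-faq.yml, the first added sample query, `UCClient where AzureADDeviceId contains "01234567-89ab-cdef-0123-456789abcdef"`, is missing the pipe between the table name and `where`. Every other added query has one, and as written this one is a syntax error when pasted into Log Analytics. Suggest `UCClient | where AzureADDeviceId contains "01234567-89ab-cdef-0123-456789abcdef"`. While editing these samples, normalize the operator spacing (`|where`, `=="`, `UCUpdateAlert|where`) so they read consistently, add the space in "March 14,2023", and confirm that comparing `UpdateReleaseTime` to the string `"3/14/2023"` matches rows as intended for that column's type.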
@@ -31,7 +31,7 @@ summary: | - [Why is the device name null(#)?](#why-is-the-device-name-null---) - [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports) - [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version) - - [When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?](#when-should-i-use-the-ucclient-versus-the-ucclientupdatestatus-table) + - [When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?](#when-should-i-use-the-ucclient--ucclientupdatestatus--or-ucupdatealert-tables) - [What is the difference between quality and security updates?](#what-is-the-difference-between-quality-and-security-updates) - [How do I confirm that devices are sending data?](#how-do-i-confirm-that-devices-are-sending-data) - [Why isn't the workbook displaying data even though my UCClient table has data?](#why-isn-t-the-workbook-displaying-data-even-though-my-ucclient-table-has-data) @@ -112,15 +112,15 @@ sections: These tables can be used for the following information: - **UCClient**: Represents an individual device's record. It contains data such as the device's name, currently installed build, and the OS Edition. Each device has one record in this table. Use this table to get the overall compliance status of your devices. - - To display information for a specific device by Azure AD device ID: + - To display information for a specific device by Azure AD device ID:
`UCClient where AzureADDeviceId contains "01234567-89ab-cdef-0123-456789abcdef"` - - To display all device records for devices running any Windows 11 OS version: + - To display all device records for devices running any Windows 11 OS version:
`UCClient | where OSVersion contains "Windows 11"` - **UCClientUpdateStatus**: Contains records for every update the device determined was applicable. There can be multiple records for a device if it's discovered multiple applicable updates in the past 60 days. Use this table if you want to get detailed update status for your active deployments. - - To find device records for devices that determined the March 14,2023 update was applicable: + - To find device records for devices that determined the March 14,2023 update was applicable:
`UCClientUpdateStatus | where UpdateCategory =="WindowsQualityUpdate" and UpdateReleaseTime == "3/14/2023"` - - To display devices that are in the restart required substate: + - To display devices that are in the restart required substate:
`UCClientUpdateStatus |where ClientSubstate =="RestartRequired"` - **UCUpdateAlert**: Use this table to understand update failures and act on devices through alert recommendations. This table contains information that needs attention, relative to one device, one update and one deployment (if relevant). From c2c62c169230c4d47d29eb7694a0d04b558c3378 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 25 Apr 2023 15:18:18 -0700 Subject: [PATCH 16/41] edits --- .../deployment/update/wufb-reports-workbook.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md index 53396697ce..5b105b160c 100644 --- a/windows/deployment/update/wufb-reports-workbook.md +++ b/windows/deployment/update/wufb-reports-workbook.md @@ -48,7 +48,7 @@ Each of these tiles contains an option to **View details**. When **View details* | Tile name | Description | View details description | |---|---|------| | **Enrolled devices** | Total number of devices that are enrolled into Windows Update for Business reports | Displays multiple charts about the operating systems (OS) for enrolled devices:
**OS Version**
**OS Edition**
**OS Servicing Channel**
**OS Architecture**| -|**Active alerts** | Total number of active alerts on enrolled devices | Displays the top three active alert subtypes and the count of devices in each.

Select the count of **Devices** to display a table of the devices. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).

Select an **AlertSubtype** to display a list containing:
- Each **Error Code** in the alert subtype
- A **Description** of the error code
- A **Recommendation** to help you remediate the error code
- A count of **Devices** with the specific error code | +|**Active alerts** | Total number of active alerts on enrolled devices | Displays the top three active alert subtypes and the count of devices in each.

Select the count of **Devices** to display a table of the devices. This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).

Select an **AlertSubtype** to display a list containing:
- Each **Error Code** in the alert subtype
- A **Description** of the error code
- A **Recommendation** to help you remediate the error code
- A count of **Devices** with the specific error code | | **Windows 11 eligibility** | Percentage of devices that are capable of running Windows 11 | Displays the following items:
- **Windows 11 Readiness Status** chart
- **Readiness Reason(s) Breakdown** chart that displays Windows 11 requirements that aren't met.
- A table for **Readiness reason**. Select a reason to display a list of devices that don't meet a specific requirement for Windows 11. | ### Summary tab charts @@ -70,7 +70,7 @@ The **Quality updates** tab displays generalized data at the top by using tiles. - **Missing multiple security updates**: Count of devices that are missing two or more security updates. - **Active alerts**: Count of active update and device alerts for quality updates. -Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 250 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). +Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 1000 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). Below the tiles, the **Quality updates** tab is subdivided into **Update status** and **Device status** groups. These different chart groups allow you to easily discover trends in compliance data. For instance, you may remember that about third of your devices were in the installing state yesterday, but this number didn't change as much as you were expecting. That unexpected trend may cause you to investigate and resolve a potential issue before end users are impacted. 
@@ -90,7 +90,7 @@ The **Update deployment status** table displays the quality updates for each ope |---|---|---| |**Alerts**| Number of different error codes encountered by devices for the update. | Selecting this number lists the alert name for each error code and a count of devices with the error. Select the device count to display a list of devices that have an active alert for the error code. | **KB Number** | KB number for the update | Selecting the KB number will open the support information webpage for the update.| -| **Total devices** | Number of devices that have been offered the update, or are installing, have installed, or canceled the update. | Selecting the device count opens a device list table. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | +| **Total devices** | Number of devices that have been offered the update, or are installing, have installed, or canceled the update. | Selecting the device count opens a device list table. This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | ### Device status group for quality updates 
@@ -100,7 +100,7 @@ The **Device status** group for quality updates contains the following items: - **Target version**: Chart containing how many devices by operating system version that are getting security updates. - **Device alerts**: Chart containing the count of active device errors and warnings for quality updates. - **Device compliance status**: Table containing a list of devices getting security updates and update installation information including active alerts for the devices. - - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). + - This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). ## Feature updates tab 
@@ -111,7 +111,7 @@ The **Feature updates** tab displays generalized data at the top by using tiles. - **Nearing EOS** Count of devices that are within 18 months of their end of service date. - **Active alerts**: Count of active update and device alerts for feature updates. -Just like the [**Quality updates** tab](#quality-updates-tab), the **Feature updates** tab is also subdivided into **Update status** and **Device status** groups below the tiles. Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 250 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). +Just like the [**Quality updates** tab](#quality-updates-tab), the **Feature updates** tab is also subdivided into **Update status** and **Device status** groups below the tiles. Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 1000 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). ### Update status group for feature updates 
@@ -127,7 +127,7 @@ The **Update status** group for feature updates contains the following items: |---|---|---| | **Total progress** | Percentage of devices that installed the targeted operating system version feature update within the last 30 days. | A bar graph is included in this column. Use the **Total devices** drill-in for additional information. | |**Alerts**| Number of different error codes encountered by devices for the update. | Selecting this number lists the alert name for each error code and a count of devices with the error. Select the device count to display a list of devices that have an active alert for the error code. | -| **Total Devices** | Count of devices for each targeted operating system version that have been offered the update, or are installing, have installed, or canceled the feature update.| Selecting the device count opens a device list table. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | +| **Total Devices** | Count of devices for each targeted operating system version that have been offered the update, or are installing, have installed, or canceled the feature update.| Selecting the device count opens a device list table. This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | ### Device status group for feature updates 
@@ -136,7 +136,7 @@ The **Device status** group for feature updates contains the following items: - **Windows 11 readiness status**: Chart containing how many devices that have a status of capable, not capable, or unknown for Windows 11 readiness. - **Device alerts**: Count of active device alerts for feature updates in each alert classification. - **Device compliance status**: Table containing a list of devices getting a feature update and installation information including active alerts for the devices. - - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). + - This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). ## Driver updates tab @@ -147,7 +147,7 @@ The **Driver update** tab provides information on driver and firmware update dep **Total policies**: The total number of deployment polices for driver and firmware updates from [Windows Update for Business deployment service](deployment-service-overview.md) **Active alerts**: Count of active alerts for driver deployments -Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 250 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). +Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 1000 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). :::image type="content" source="media/7539531-wufb-reports-workbook-drivers.png" alt-text="Screenshot of the update status tab for driver updates." lightbox="media/7539531-wufb-reports-workbook-drivers.png"::: 
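Review bot: the context of the @@ -147,7 +147,7 @@ hunk has "deployment polices" in the **Total policies** line, which should be "deployment policies"; worth fixing in this pass since the line right below it is being edited. Separately, the row limit changed here from 250 to 1000 is repeated as a literal in every tab description in this file, so the next change to the limit means touching each occurrence again. Consider stating the limit once and referring to it from the individual tables.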
@@ -169,7 +169,7 @@ The **Device status** group for driver updates contains the following items: - **Device alerts**: Count of active device alerts for driver updates in each alert classification. - **Device compliance status**: Table containing a list of devices getting a driver update and installation information including active alerts for the devices. - - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). + - This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). ## Delivery Optimization From 2c6e8f6b935f8ee40a2e83bfc54992af67359a82 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 25 Apr 2023 15:24:04 -0700 Subject: [PATCH 17/41] edits --- windows/deployment/update/wufb-reports-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 8cbf8aaaf3..4808f56b72 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -118,7 +118,7 @@ sections: `UCClient | where OSVersion contains "Windows 11"` - **UCClientUpdateStatus**: Contains records for every update the device determined was applicable. There can be multiple records for a device if it's discovered multiple applicable updates in the past 60 days. Use this table if you want to get detailed update status for your active deployments. - - To find device records for devices that determined the March 14,2023 update was applicable:
+ - To find device records for devices that determined the March 14, 2023 update was applicable:
`UCClientUpdateStatus | where UpdateCategory =="WindowsQualityUpdate" and UpdateReleaseTime == "3/14/2023"` - To display devices that are in the restart required substate:
`UCClientUpdateStatus |where ClientSubstate =="RestartRequired"` From 04283c2235f05a985104a415e90f6395eff553f5 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 8 May 2023 08:27:41 -0700 Subject: [PATCH 18/41] wufbr-faq-7760853: --- windows/deployment/update/wufb-reports-faq.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 4808f56b72..9b8140cf5d 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -11,7 +11,7 @@ metadata: ms.technology: itpro-updates title: Frequently Asked Questions about Windows Update for Business reports summary: | - This article answers frequently asked questions about Windows Update for Business reports. + This article answers frequently asked questions about Windows Update for Business reports. **General questions**: @@ -31,6 +31,7 @@ summary: | - [Why is the device name null(#)?](#why-is-the-device-name-null---) - [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports) - [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version) + - [Why are there multiple records for the same device?](#why-are-there-multiple-records-for-the-same-device) - [When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?](#when-should-i-use-the-ucclient--ucclientupdatestatus--or-ucupdatealert-tables) - [What is the difference between quality and security updates?](#what-is-the-difference-between-quality-and-security-updates) - [How do I confirm that devices are sending data?](#how-do-i-confirm-that-devices-are-sending-data) 
@@ -104,6 +105,9 @@ sections: - **The device isn't sending data**: It's possible devices aren't sharing data due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script]((wufb-reports-configuration-script.md) on devices to ensure they're configured properly. - **The device isn't active enough**: Clients must be active and connected to the internet to scan against Microsoft Update. Ensure devices are powered on and have been active at least once in the past 28 days. - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 1000. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component. + - question: Why are there multiple records for the same device? + answer: | + Devices will have multiple records when the UCClientUpdateStatus or UCClientServiceStatus tables are queried. These tables contain multiple records because they have the history for all devices that have discovered applicable updates within the past 28 days. For example, it's possible that a device has discovered multiple security updates, each with with different update states, at various times over the past 28 days. - question: What is the difference between OS version and target version? answer: | The word *target* in data labels refers to the update version, build or KB the client is actively being updated to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running. From e787dabe5046129e31189a10de7e217eeaa52b3c Mon Sep 17 00:00:00 2001 
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 8 May 2023 08:34:07 -0700 Subject: [PATCH 19/41] wufbr-faq-7760853 --- windows/deployment/update/wufb-reports-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 9b8140cf5d..c4d82b9146 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml 
@@ -107,7 +107,7 @@ sections: - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 1000. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component. - question: Why are there multiple records for the same device? answer: | - Devices will have multiple records when the UCClientUpdateStatus or UCClientServiceStatus tables are queried. These tables contain multiple records because they have the history for all devices that have discovered applicable updates within the past 28 days. For example, it's possible that a device has discovered multiple security updates, each with with different update states, at various times over the past 28 days. + Devices will have multiple records when the UCClientUpdateStatus or UCClientServiceStatus tables are queried. These tables contain multiple records because they have the history for all devices that have discovered applicable updates within the past 28 days. For example, it's possible that a device has discovered multiple security updates, each with different update states, at various times over the past 28 days. - question: What is the difference between OS version and target version? answer: | The word *target* in data labels refers to the update version, build or KB the client is actively being updated to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running. From 3ccfeb71015430c12f2e5dfc10452d0b81781fa2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 12 Jun 2023 11:07:29 -0700 Subject: [PATCH 20/41] edits with do --- windows/deployment/update/wufb-reports-faq.yml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) 
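Review bot: the corrected answer in the @@ -107,7 +107,7 @@ hunk still says these tables hold history for updates discovered "within the past 28 days", while the UCClientUpdateStatus bullet under "When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?" in the same file says "in the past 60 days". The two windows describe the same table, so one of them needs to change, or the answer should say why they differ.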
diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index c4d82b9146..1e96b441a3 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -46,7 +46,9 @@ summary: | - [How can I see data for device in the office vs. out of the office?](#how-can-i-see-data-for-device-in-the-office-vs--out-of-the-office) - [What does the data in UCDOStatus table represent?](#what-does-the-data-in-ucdostatus-table-represent) - [What does the data in UCDOAggregatedStatus table represent?](#what-does-the-data-in-ucdoaggregatedstatus-table-represent) - - [How are the calculations for Delivery Optimization done?](#how-are-the-calculations-for-delivery-optimization-done) + - [How are BytesFromCache calculated when there's a Connected Cache server used by my ISP?](#how-are-bytesfromcache-calculated-when-there-s-a-connected-cache-server-used-by-my-isp) + - [How do the results from the Delivery Optimization PowerShell cmdlets compare to the results in the report?](#how-do-the-results-from-the-delivery-optimization-powershell-cmdlets-compare-to-the-results-in-the-report?) + - [The report represents the last 28 days of data, why do some queries include >= seven days?](#the-report-represents-the-last-28-days-of-data--why-do-some-queries-include---seven-days) sections: - name: General @@ -152,7 +154,7 @@ sections: questions: - question: What time period does the Delivery Optimization data include? answer: | - Data is available for the last 28 days. + Data is aggregated for the last 28 days for active devices. - question: Data is showing as 'Unknown', what does that mean? answer: | You may see data in the report listed as 'Unknown'. This status indicates that the Delivery Optimization DownloadMode setting is either invalid or empty. 
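Review bot: in the @@ -46,7 +46,9 @@ summary hunk, the fragment on the added PowerShell cmdlets link ends with a literal question mark (`#how-do-the-results-from-the-delivery-optimization-powershell-cmdlets-compare-to-the-results-in-the-report?`), unlike every other fragment in this list, where punctuation is dropped or replaced by hyphens. Remove the `?`, and check the fragment for the `>= seven days` question on the next added line against the generated heading ID, since it has to encode both `>` and `=`.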
@@ -161,7 +163,7 @@ sections: The top groups are represented by the number of devices in a particular group, for any of the four group types (GroupID, City, Country, and ISP). - question: The GroupIDs don't look familiar, why are they different? answer: | - The GroupID values are encoded for data protection telemetry requirements. You can find more information in the 'Mapping GroupIDs' section above. + The GroupID values are encoded for data protection requirements. For more information, see [Mapping GroupIDs](wufb-reports-do.md#mapping-groupid). - question: How can I see data for device in the office vs. out of the office? answer: | Today, we don't have a distinction for data that was downloaded by location. 
@@ -171,6 +173,12 @@ sections: - question: What does the data in UCDOAggregatedStatus table represent? answer: | A row in UCDOAggregatedStatus represents data summarized at the tenant level (AzureADTenantID) for each content type (ContentType). - - question: How are the calculations for Delivery Optimization done? + - question: How are BytesFromCache calculated when there's a Connected Cache server used by my ISP? answer: | - Volume from the CDN is calculated by subtracting the number bytes that came from the cache server: BytesFromCDN = BytesFromCDN - BytesFromEnterpriseCache + If there's a Connected Cache server at the ISP level, BytesFromCache filters out any bytes coming the ISP's Connected Cache. + - question: How do the results from the Delivery Optimization PowerShell cmdlets compare to the results in the report? + answer: | + [Delivery Optimization PowerShell cmdlets](waas-delivery-optimization-setup.md#monitor-delivery-optimization) can be a powerful tool used to monitor Delivery Optimization data on the device. These cmdlets use the cache on the device. The data calculated in the report is taken from the Delivery Optimization telemetry events. + - question: The report represents the last 28 days of data, why do some queries include >= seven days? + answer: | + The data in the report does represent the last 28 days of data. The query for last seven days is just to get the data for the latest snapshot from past seven days. It's possible that data is delayed for sometime and not available for current day, so we look for past 7 day snapshot in log analytics and show the latest snapshot. \ No newline at end of file From 12a4d2a883c2704e7e5f41a3a3cf867f5d526103 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 12 Jun 2023 13:36:19 -0700 Subject: [PATCH 21/41] edits --- .../deployment/update/wufb-reports-faq.yml | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) 
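Review bot: in the @@ -171,6 +173,12 @@ hunk, the new BytesFromCache answer drops a word: "filters out any bytes coming the ISP's Connected Cache" should read "coming from the ISP's Connected Cache". The last added answer also mixes "seven days" with "7 day" and uses "sometime" where "some time" is meant. The file now ends without a trailing newline (`\ No newline at end of file`); add one.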
diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 1e96b441a3..534421bd42 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Update for Business reports. ms.prod: windows-client ms.topic: faq - ms.date: 04/26/2023 + ms.date: 06/15/2023 manager: aaroncz author: mestew ms.author: mstewart @@ -18,6 +18,7 @@ summary: | - [What is Windows Update for Business reports?](#what-is-windows-update-for-business-reports) - [Is Windows Update for Business reports free?](#is-windows-update-for-business-reports-free) - [What Windows versions are supported?](#what-windows-versions-are-supported) + - [What kind of security and compliance policies does Windows Update for Business reports follow?](#what-kind-of-security-and-compliance-policies-does-windows-update-for-business-reports-follow) **Setup questions**: 
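Review bot: The summary entry added in the second hunk, "What kind of security and compliance policies does Windows Update for Business reports follow?", links to an anchor for which no hunk in this patch adds a matching question under `sections:`, so the link would not resolve on publish. Either add the question and answer in the same commit or hold the summary entry until the content exists. Separately, ms.date is set to 06/15/2023 while the commit is dated 12 Jun 2023; confirm that the later date is the intended one.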
@@ -47,8 +48,8 @@ summary: | - [What does the data in UCDOStatus table represent?](#what-does-the-data-in-ucdostatus-table-represent) - [What does the data in UCDOAggregatedStatus table represent?](#what-does-the-data-in-ucdoaggregatedstatus-table-represent) - [How are BytesFromCache calculated when there's a Connected Cache server used by my ISP?](#how-are-bytesfromcache-calculated-when-there-s-a-connected-cache-server-used-by-my-isp) - - [How do the results from the Delivery Optimization PowerShell cmdlets compare to the results in the report?](#how-do-the-results-from-the-delivery-optimization-powershell-cmdlets-compare-to-the-results-in-the-report?) - - [The report represents the last 28 days of data, why do some queries include >= seven days?](#the-report-represents-the-last-28-days-of-data--why-do-some-queries-include---seven-days) + - [How do the results from the Delivery Optimization PowerShell cmdlets compare to the results in the report?](#how-do-the-results-from-the-delivery-optimization-powershell-cmdlets-compare-to-the-results-in-the-report) + - [The report represents the last 28 days of data, why do some queries include >= seven days?](#the-report-represents-the-last-28-days-of-data--why-do-some-queries-include----seven-days) sections: - name: General 
@@ -63,6 +64,9 @@ sections: - question: What Windows versions are supported? answer: | Windows Update for Business reports supports clients running a [supported version of Windows 10 or Windows 11](/windows/release-health/supported-versions-windows-client) Professional, Education, Enterprise, and Enterprise multi-session editions. Windows Update for Business reports only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions. + + - name: Setup questions + questions: - question: How do you setup Windows Update for Business reports? answer: | After verifying the [prerequisites](wufb-reports-prerequisites.md) are met, you can start to set up Windows Update for Business reports. @@ -76,9 +80,7 @@ sections: 1. Configure the clients to send data to Windows Update for Business reports. You can configure clients in the following three ways: - Use a [script](wufb-reports-configuration-script.md) - Use [Microsoft Intune](wufb-reports-configuration-intune.md) - - Configure [manually](wufb-reports-configuration-manual.md) - - name: Setup issues - questions: + - Configure [manually](wufb-reports-configuration-manual.md) - question: Why is `Waiting for Windows Update for Business reports data` displayed on the page? answer: | Typically, the **Waiting for Windows Update for Business reports data** message is displayed because: 
@@ -99,6 +101,7 @@ sections: - CSP: [System/AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#allowdevicenameindiagnosticdata) - Group Policy: Allow device name to be sent in Windows diagnostic data - Located in **Computer Configuration** > **Administrative Templates** > **Windows Components** >**Data Collection and Preview Builds** + It can take up to 21 days for all device names to show in up in reports assuming they are powered on and active. - question: Why am I missing devices in reports? answer: | Here are some reasons why you may not be seeing devices in reports: 
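Review bot: The added sentence reads "show in up in reports"; it should be "show up in reports". A comma before "assuming" would also make the condition easier to read: "... to show up in reports, assuming they are powered on and active."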
@@ -109,10 +112,10 @@ sections: - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 1000. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component. - question: Why are there multiple records for the same device? answer: | - Devices will have multiple records when the UCClientUpdateStatus or UCClientServiceStatus tables are queried. These tables contain multiple records because they have the history for all devices that have discovered applicable updates within the past 28 days. For example, it's possible that a device has discovered multiple security updates, each with different update states, at various times over the past 28 days. + Devices will have multiple records when the UCClientUpdateStatus or UCClientServiceStatus tables are queried. These tables contain multiple records because they have the history for all devices that have discovered applicable updates within the past 28 days. For example, it's possible that a device has discovered multiple security updates, each with different update states, at various times over the past 28 days. It's also possible that a device can be in multiple deployments, so multiple records are displayed. - question: What is the difference between OS version and target version? answer: | - The word *target* in data labels refers to the update version, build or KB the client is actively being updated to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running. + The word *target* in data labels refers to the update version, build or KB the client intends to update to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running. 
- question: When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables? answer: | These tables can be used for the following information: @@ -123,7 +126,7 @@ sections: - To display all device records for devices running any Windows 11 OS version:
`UCClient | where OSVersion contains "Windows 11"` - - **UCClientUpdateStatus**: Contains records for every update the device determined was applicable. There can be multiple records for a device if it's discovered multiple applicable updates in the past 60 days. Use this table if you want to get detailed update status for your active deployments. + - **UCClientUpdateStatus**: Contains records for every update the device determined was applicable. There can be multiple records for a device if it's discovered multiple applicable updates in the past 60 days. Use this table if you want to get detailed update status for your active deployments. There will typically be 3 update status records per device for the latest 3 security updates. - To find device records for devices that determined the March 14, 2023 update was applicable:
`UCClientUpdateStatus | where UpdateCategory =="WindowsQualityUpdate" and UpdateReleaseTime == "3/14/2023"` - To display devices that are in the restart required substate:
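Review bot: The UCClientUpdateStatus bullet says a device can have multiple records for updates discovered "in the past 60 days", but the "Why are there multiple records for the same device?" answer edited earlier in this patch says the same table holds history "within the past 28 days". State one window in both places. The added sentence "There will typically be 3 update status records per device" also sits uneasily next to the other addition in this patch, that a device "can be in multiple deployments, so multiple records are displayed"; say whether the figure of 3 is per device or per deployment.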
From c1e99c5eb4fe302a39094a7c815ff81a9c2cd0a8 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 12 Jun 2023 13:49:06 -0700 Subject: [PATCH 22/41] edits --- windows/deployment/update/wufb-reports-faq.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 534421bd42..38f5bf26ce 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -18,7 +18,6 @@ summary: | - [What is Windows Update for Business reports?](#what-is-windows-update-for-business-reports) - [Is Windows Update for Business reports free?](#is-windows-update-for-business-reports-free) - [What Windows versions are supported?](#what-windows-versions-are-supported) - - [What kind of security and compliance policies does Windows Update for Business reports follow?](#what-kind-of-security-and-compliance-policies-does-windows-update-for-business-reports-follow) **Setup questions**: From 5521628c63aee857b3c7f52f9bb9778aa964bfd3 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:43:13 -0700 Subject: [PATCH 23/41] edits --- windows/deployment/update/wufb-reports-faq.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 38f5bf26ce..4611ae7777 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml 
@@ -85,7 +85,8 @@ sections: Typically, the **Waiting for Windows Update for Business reports data** message is displayed because: - You may not have the correct [permissions](wufb-reports-prerequisites.md#permissions) to display the data. - The initial enrollment may not be complete yet. - - It's possible that devices aren't sharing data. If you received a successful save message during enrollment but still haven't seen any data after 48 hours, try using the [configuration script]((wufb-reports-configuration-script.md) on devices to ensure they're configured properly. + - It's possible that devices aren't sharing data. If you received a successful save message during enrollment but still haven't seen any data after 48 hours, try using the [configuration script](wufb-reports-configuration-script.md) on devices to ensure they're configured properly. + If you've verified the above items, but still aren't seeing data, you can unenroll then re-enroll. However, it will take another 24-48 hours for the enrollment to complete. If the issue persists, contact support. - question: "Why am I getting the error `400 Bad Request: The specified resource already exists`?" answer: | A `400 Bad Request: The specified resource already exists` error message indicates that the service already has a subscription and workspace mapping saved. If you're trying to re-enroll with the same configuration settings, wait a few minutes, then refresh the page before saving your subscription and workspace again. Sometimes it can take time to register the save, so it's important to not re-enroll too quickly. From 6d653fe21da39deeba0d076ec86ecd1e36969bdb Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:43:28 -0700 Subject: [PATCH 24/41] edits --- windows/deployment/update/wufb-reports-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 4611ae7777..cd3155969c 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -86,7 +86,7 @@ sections: - You may not have the correct [permissions](wufb-reports-prerequisites.md#permissions) to display the data. - The initial enrollment may not be complete yet. - It's possible that devices aren't sharing data. If you received a successful save message during enrollment but still haven't seen any data after 48 hours, try using the [configuration script](wufb-reports-configuration-script.md) on devices to ensure they're configured properly. - If you've verified the above items, but still aren't seeing data, you can unenroll then re-enroll. However, it will take another 24-48 hours for the enrollment to complete. If the issue persists, contact support. + If you've verified the above items, but still aren't seeing data, you can unenroll then re-enroll. However, it will take another 24-48 hours for the enrollment to complete. If the issue persists, [contact support](wufb-reports-help.md). - question: "Why am I getting the error `400 Bad Request: The specified resource already exists`?" answer: | A `400 Bad Request: The specified resource already exists` error message indicates that the service already has a subscription and workspace mapping saved. If you're trying to re-enroll with the same configuration settings, wait a few minutes, then refresh the page before saving your subscription and workspace again. Sometimes it can take time to register the save, so it's important to not re-enroll too quickly. From d8847234351206c7395eded14bb6ccba7397dedc Mon Sep 17 00:00:00 2001 
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 12 Jun 2023 14:51:40 -0700 Subject: [PATCH 25/41] edits --- windows/deployment/update/wufb-reports-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index cd3155969c..e91ab264be 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml 
@@ -107,7 +107,7 @@ sections: Here are some reasons why you may not be seeing devices in reports: - **The device isn't enrolled with Azure Active Directory**: A [prerequisite](wufb-reports-prerequisites.md#azure-and-azure-active-directory) for devices is that they're either [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid). - - **The device isn't sending data**: It's possible devices aren't sharing data due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script]((wufb-reports-configuration-script.md) on devices to ensure they're configured properly. + - **The device isn't sending data**: It's possible devices aren't sharing data due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script](wufb-reports-configuration-script.md) on devices to ensure they're configured properly. - **The device isn't active enough**: Clients must be active and connected to the internet to scan against Microsoft Update. Ensure devices are powered on and have been active at least once in the past 28 days. - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 1000. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component. - question: Why are there multiple records for the same device? From 63f842dd9d9f125d0a6fca25f40a585eef8b046e Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 12 Jun 2023 15:05:50 -0700 Subject: [PATCH 26/41] edits --- .../deployment/update/wufb-reports-faq.yml | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) 
diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index e91ab264be..ca9768c281 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -21,7 +21,7 @@ summary: | **Setup questions**: - - [How do you setup Windows Update for Business reports?](#how-do-you-setup-windows-update-for-business-reports) + - [How do you set up Windows Update for Business reports?](#how-do-you-setup-windows-update-for-business-reports) - [Why is "Waiting for Windows Update for Business reports data" displayed on the page](#why-is--waiting-for-windows-update-for-business-reports-data--displayed-on-the-page) - [Why am I getting the error "400 Bad Request: The specified resource already exists"?](#why-am-i-getting-the-error--400-bad-request--the-specified-resource-already-exists-) - [Why am I getting the error "400 Bad Request: Identifier must be GUID"?](#why-am-i-getting-the-error--400-bad-request--identifier-must-be-guid-) 
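Review bot: The link text is changed to "set up" but its target stays `#how-do-you-setup-windows-update-for-business-reports`. A later hunk in this patch renames the question itself to "How do you set up Windows Update for Business reports?", so the generated anchor will most likely change with it and this summary link will stop resolving. Update the anchor in the same commit as the question title.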
@@ -32,10 +32,10 @@ summary: | - [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports) - [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version) - [Why are there multiple records for the same device?](#why-are-there-multiple-records-for-the-same-device) - - [When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?](#when-should-i-use-the-ucclient--ucclientupdatestatus--or-ucupdatealert-tables) + - [When should I use the `UCClient`, `UCClientUpdateStatus`, or `UCUpdateAlert` tables?](#when-should-i-use-the-ucclient--ucclientupdatestatus--or-ucupdatealert-tables) - [What is the difference between quality and security updates?](#what-is-the-difference-between-quality-and-security-updates) - [How do I confirm that devices are sending data?](#how-do-i-confirm-that-devices-are-sending-data) - - [Why isn't the workbook displaying data even though my UCClient table has data?](#why-isn-t-the-workbook-displaying-data-even-though-my-ucclient-table-has-data) + - [Why isn't the workbook displaying data even though my `UCClient` table has data?](#why-isn-t-the-workbook-displaying-data-even-though-my-ucclient-table-has-data) **Delivery Optimization data**: 
@@ -59,14 +59,14 @@ sections: - question: Is Windows Update for Business reports free? answer: | Data ingested into your Log Analytics workspace can be retained at no charge for up to first 31 days (or 90 days if [Microsoft Sentinel](/azure/sentinel/overview) is enabled on the workspace). Data ingested into [Application Insights](/azure/azure-monitor/app/app-insights-overview), either classic or workspace-based, is retained for 90 days without any charge. - Data retained beyond these no-charge periods will be charged for each GB of data retained for a month, pro-rated daily. For more information, see **Log Data Retention** in [Azure Monitor pricing](https://azure.microsoft.com/en-us/pricing/details/monitor/#pricing). + Data retained beyond these no-charge periods are charged for each GB of data retained for a month, pro-rated daily. For more information, see **Log Data Retention** in [Azure Monitor pricing](https://azure.microsoft.com/en-us/pricing/details/monitor/#pricing). - question: What Windows versions are supported? answer: | Windows Update for Business reports supports clients running a [supported version of Windows 10 or Windows 11](/windows/release-health/supported-versions-windows-client) Professional, Education, Enterprise, and Enterprise multi-session editions. Windows Update for Business reports only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions. - name: Setup questions questions: - - question: How do you setup Windows Update for Business reports? + - question: How do you set up Windows Update for Business reports? answer: | After verifying the [prerequisites](wufb-reports-prerequisites.md) are met, you can start to set up Windows Update for Business reports. The two main steps for setting up Windows Update for Business reports are: 
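Review bot: The reworded line "Data retained beyond these no-charge periods are charged" treats "data" as plural, while the two sentences just above it in the same answer use the singular ("Data ingested ... is retained"). Keep one convention, for example "Data retained beyond these no-charge periods is charged for each GB of data retained for a month". The context phrase "for up to first 31 days" is also missing "the".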
@@ -86,7 +86,7 @@ sections: - You may not have the correct [permissions](wufb-reports-prerequisites.md#permissions) to display the data. - The initial enrollment may not be complete yet. - It's possible that devices aren't sharing data. If you received a successful save message during enrollment but still haven't seen any data after 48 hours, try using the [configuration script](wufb-reports-configuration-script.md) on devices to ensure they're configured properly. - If you've verified the above items, but still aren't seeing data, you can unenroll then re-enroll. However, it will take another 24-48 hours for the enrollment to complete. If the issue persists, [contact support](wufb-reports-help.md). + If you've verified the above items, but still aren't seeing data, you can unenroll then re-enroll. However, it takes another 24-48 hours for the enrollment to complete. If the issue persists, [contact support](wufb-reports-help.md). - question: "Why am I getting the error `400 Bad Request: The specified resource already exists`?" answer: | A `400 Bad Request: The specified resource already exists` error message indicates that the service already has a subscription and workspace mapping saved. If you're trying to re-enroll with the same configuration settings, wait a few minutes, then refresh the page before saving your subscription and workspace again. Sometimes it can take time to register the save, so it's important to not re-enroll too quickly. 
@@ -100,8 +100,7 @@ sections: If you're seeing the device ID but not the device name, it's possible that the required policy for displaying the device name isn't set on the client. Ensure clients have the policy configured. - CSP: [System/AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#allowdevicenameindiagnosticdata) - Group Policy: Allow device name to be sent in Windows diagnostic data - - Located in **Computer Configuration** > **Administrative Templates** > **Windows Components** >**Data Collection and Preview Builds** - It can take up to 21 days for all device names to show in up in reports assuming they are powered on and active. + - Located in **Computer Configuration** > **Administrative Templates** > **Windows Components** >**Data Collection and Preview Builds**. It can take up to 21 days for all device names to show in up in reports assuming they're powered on and active. - question: Why am I missing devices in reports? answer: | Here are some reasons why you may not be seeing devices in reports: 
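Review bot: Folding the 21-day sentence into the "Located in" bullet makes the delay read as a property of the Group Policy path only, although the CSP bullet above it sets the same policy. Move the sentence to its own paragraph after the list. The sentence still contains "show in up", and `>**Data Collection and Preview Builds**` lacks the space after `>` that the other path separators in that line have.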
@@ -109,14 +108,14 @@ sections: - **The device isn't enrolled with Azure Active Directory**: A [prerequisite](wufb-reports-prerequisites.md#azure-and-azure-active-directory) for devices is that they're either [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid). - **The device isn't sending data**: It's possible devices aren't sharing data due to a policy being incorrectly configured or a proxy or firewall configuration. Try using the [configuration script](wufb-reports-configuration-script.md) on devices to ensure they're configured properly. - **The device isn't active enough**: Clients must be active and connected to the internet to scan against Microsoft Update. Ensure devices are powered on and have been active at least once in the past 28 days. - - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 1000. This is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component. + - **The workbook has limited the results**: The default limit for rows in Azure workbooks is set to 1000. This limit is to avoid any delay in the load time for the interface. If you noticed that you can't find a specific device, you can export the output in Excel, or open the results in the logs view for the full result by selecting the three dots beside each component. - question: Why are there multiple records for the same device? answer: | - Devices will have multiple records when the UCClientUpdateStatus or UCClientServiceStatus tables are queried. These tables contain multiple records because they have the history for all devices that have discovered applicable updates within the past 28 days. 
For example, it's possible that a device has discovered multiple security updates, each with different update states, at various times over the past 28 days. It's also possible that a device can be in multiple deployments, so multiple records are displayed. + Devices have multiple records when the `UCClientUpdateStatus` or `UCClientServiceStatus` tables are queried. These tables contain multiple records because they have the history for all devices that have discovered applicable updates within the past 28 days. For example, it's possible that a device has discovered multiple security updates, each with different update states, at various times over the past 28 days. It's also possible that a device can be in multiple deployments, so multiple records are displayed. - question: What is the difference between OS version and target version? answer: | The word *target* in data labels refers to the update version, build or KB the client intends to update to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running. - - question: When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables? + - question: When should I use the `UCClient`, `UCClientUpdateStatus`, or `UCUpdateAlert` tables? answer: | These tables can be used for the following information: 
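Review bot: The context line in the OS version answer, "the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running", has a subject-verb mismatch ("fields ... represent"), and the field casing differs from the sample query in this article, which uses `OSVersion`. Since this hunk puts the table names in code formatting, give the field names the same treatment, with the casing the queries use.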
@@ -139,7 +138,7 @@ sections: `UCUpdateAlert |where AlertStatus =="Active"|summarize Devices=count() by AlertSubtype` - question: What is the difference between quality and security updates? answer: | - Windows quality updates are monthly updates that are [released on the second or fourth Tuesday of the month](release-cycle.md). The cumulative updates released on the second Tuesday of the month can contain both security updates and non-security updates. Cumulative updates released on the fourth Tuesday of the month are optional non-security preview releases. Use the fields within the [UCClient table](wufb-reports-schema-ucclient.md) for additional information, such as: + Windows quality updates are monthly updates that are [released on the second or fourth Tuesday of the month](release-cycle.md). The cumulative updates released on the second Tuesday of the month can contain both security updates and nonsecurity updates. Cumulative updates released on the fourth Tuesday of the month are optional nonsecurity preview releases. Use the fields within the [UCClient table](wufb-reports-schema-ucclient.md) for additional information, such as: - **OSSecurityUpdateStatus**: Indicates the status of the monthly update that's released on the second Tuesday - **OSQualityUpdateStatus**: Indicates the status of the monthly update that's released on the fourth Tuesday 
@@ -181,7 +180,7 @@ sections: If there's a Connected Cache server at the ISP level, BytesFromCache filters out any bytes coming the ISP's Connected Cache. - question: How do the results from the Delivery Optimization PowerShell cmdlets compare to the results in the report? answer: | - [Delivery Optimization PowerShell cmdlets](waas-delivery-optimization-setup.md#monitor-delivery-optimization) can be a powerful tool used to monitor Delivery Optimization data on the device. These cmdlets use the cache on the device. The data calculated in the report is taken from the Delivery Optimization telemetry events. + [Delivery Optimization PowerShell cmdlets](waas-delivery-optimization-setup.md#monitor-delivery-optimization) can be a powerful tool used to monitor Delivery Optimization data on the device. These cmdlets use the cache on the device. The data calculated in the report is taken from the Delivery Optimization events. - question: The report represents the last 28 days of data, why do some queries include >= seven days? answer: | - The data in the report does represent the last 28 days of data. The query for last seven days is just to get the data for the latest snapshot from past seven days. It's possible that data is delayed for sometime and not available for current day, so we look for past 7 day snapshot in log analytics and show the latest snapshot. \ No newline at end of file + The data in the report does represent the last 28 days of data. The query for last seven days is just to get the data for the latest snapshot from past seven days. It's possible that data is delayed for sometime and not available for current day, so we look for past seven day snapshot in log analytics and show the latest snapshot. \ No newline at end of file From 3a3c7d8b8eba4cd1c4d1aa03257d75c55b722614 Mon Sep 17 00:00:00 2001 
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 12 Jun 2023 15:10:35 -0700 Subject: [PATCH 27/41] formatting --- windows/deployment/update/wufb-reports-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index ca9768c281..c719568676 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -32,10 +32,10 @@ summary: | - [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports) - [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version) - [Why are there multiple records for the same device?](#why-are-there-multiple-records-for-the-same-device) - - [When should I use the `UCClient`, `UCClientUpdateStatus`, or `UCUpdateAlert` tables?](#when-should-i-use-the-ucclient--ucclientupdatestatus--or-ucupdatealert-tables) + - [When should I use the **UCClient**, UCClientUpdateStatus, or UCUpdateAlert tables?](#when-should-i-use-the-ucclient--ucclientupdatestatus--or-ucupdatealert-tables) - [What is the difference between quality and security updates?](#what-is-the-difference-between-quality-and-security-updates) - [How do I confirm that devices are sending data?](#how-do-i-confirm-that-devices-are-sending-data) - - [Why isn't the workbook displaying data even though my `UCClient` table has data?](#why-isn-t-the-workbook-displaying-data-even-though-my-ucclient-table-has-data) + - [Why isn't the workbook displaying data even though my UCClient table has data?](#why-isn-t-the-workbook-displaying-data-even-though-my-ucclient-table-has-data) **Delivery Optimization data**: From 9adc773faecc60dc802f3ad0206fcdfe63f2669d Mon Sep 17 00:00:00 2001 
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 12 Jun 2023 15:19:31 -0700 Subject: [PATCH 28/41] formatting --- windows/deployment/update/wufb-reports-faq.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index c719568676..f1bc118200 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -21,7 +21,7 @@ summary: | **Setup questions**: - - [How do you set up Windows Update for Business reports?](#how-do-you-setup-windows-update-for-business-reports) + - [How do you set up Windows Update for Business reports?](#how-do-you-set-up-windows-update-for-business-reports) - [Why is "Waiting for Windows Update for Business reports data" displayed on the page](#why-is--waiting-for-windows-update-for-business-reports-data--displayed-on-the-page) - [Why am I getting the error "400 Bad Request: The specified resource already exists"?](#why-am-i-getting-the-error--400-bad-request--the-specified-resource-already-exists-) - [Why am I getting the error "400 Bad Request: Identifier must be GUID"?](#why-am-i-getting-the-error--400-bad-request--identifier-must-be-guid-) 
@@ -32,7 +32,7 @@ summary: | - [Why am I missing devices in reports?](#why-am-i-missing-devices-in-reports) - [What is the difference between OS version and target version?](#what-is-the-difference-between-os-version-and-target-version) - [Why are there multiple records for the same device?](#why-are-there-multiple-records-for-the-same-device) - - [When should I use the **UCClient**, UCClientUpdateStatus, or UCUpdateAlert tables?](#when-should-i-use-the-ucclient--ucclientupdatestatus--or-ucupdatealert-tables) + - [When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables?](#when-should-i-use-the-ucclient--ucclientupdatestatus--or-ucupdatealert-tables) - [What is the difference between quality and security updates?](#what-is-the-difference-between-quality-and-security-updates) - [How do I confirm that devices are sending data?](#how-do-i-confirm-that-devices-are-sending-data) - [Why isn't the workbook displaying data even though my UCClient table has data?](#why-isn-t-the-workbook-displaying-data-even-though-my-ucclient-table-has-data) @@ -115,7 +115,7 @@ sections: - question: What is the difference between OS version and target version? answer: | The word *target* in data labels refers to the update version, build or KB the client intends to update to. Typically, the fields starting with *OS*, such as OSbuild and OSversion, represents what the device is currently running. - - question: When should I use the `UCClient`, `UCClientUpdateStatus`, or `UCUpdateAlert` tables? + - question: When should I use the UCClient, UCClientUpdateStatus, or UCUpdateAlert tables? answer: | These tables can be used for the following information: From f9f594b665061a2d60cbf9db839efb9b08f5763d Mon Sep 17 00:00:00 2001 
From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 19 Jun 2023 12:07:49 +0200 Subject: [PATCH 29/41] Update vpnv2-csp.md Rephrasing unclear Notes in ProtocolList --- windows/client-management/mdm/vpnv2-csp.md | 24 ++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 1c089a6ce5..59a2c2d1e1 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -2768,8 +2768,10 @@ Required for native profiles. Type of tunneling protocol used. -> [!NOTE] -> Using NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter. +> [!NOTE] +> For a Device Tunnel, use IKEv2 only. +> For a User Tunnel, any value is allowed. +> Using ProtocolList as value in NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter. @@ -2899,8 +2901,10 @@ List of inbox VPN protocols in priority order. -> [!NOTE] -> Up to 4 VPN protocols are supported. A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples). +> [!NOTE] +> For a User Tunnel up to 4 VPN protocols are supported. +> A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples). +> For a Device tunnel, we recommend using IKEv2 in NativeProtocolType instead of ProtocolList. @@ -7004,8 +7008,10 @@ Required for native profiles. Type of tunneling protocol used. -> [!NOTE] -> Using NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter. +> [!NOTE] +> For a Device Tunnel, use IKEv2 only. +> For a User Tunnel, any value is allowed. +> Using ProtocolList as value in NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter. 
@@ -7135,8 +7141,10 @@ List of inbox VPN protocols in priority order. -> [!NOTE] -> Up to 4 VPN protocols are supported. A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples). +> [!NOTE] +> For a User Tunnel up to 4 VPN protocols are supported. +> A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples). +> For a Device tunnel, we recommend using IKEv2 in NativeProtocolType instead of ProtocolList. From 1f2d288daca156a46b68a2b76723200e632accd2 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 19 Jun 2023 07:29:55 -0400 Subject: [PATCH 30/41] updated group policy recommendations for firewall --- windows/security/breadcrumb/toc.yml | 18 ----------- windows/security/context/context.yml | 4 --- .../best-practices-configuring.md | 30 +++++++++++++++++++ 3 files changed, 30 insertions(+), 22 deletions(-) delete mode 100644 windows/security/breadcrumb/toc.yml delete mode 100644 windows/security/context/context.yml diff --git a/windows/security/breadcrumb/toc.yml b/windows/security/breadcrumb/toc.yml deleted file mode 100644 index 19748bed13..0000000000 --- a/windows/security/breadcrumb/toc.yml +++ /dev/null @@ -1,18 +0,0 @@ -items: -- name: Docs - tocHref: / - topicHref: / - items: - - name: Windows - tocHref: /windows/ - topicHref: /windows/resources/ - items: - - name: Security - tocHref: /windows-server/security/credentials-protection-and-management/ - topicHref: /windows/security/ - - name: Security - tocHref: /windows-server/identity/laps/ - topicHref: /windows/security/ - - name: Security - tocHref: /azure/active-directory/authentication/ - topicHref: /windows/security/ diff --git a/windows/security/context/context.yml b/windows/security/context/context.yml deleted file mode 100644 index aa53a529eb..0000000000 --- a/windows/security/context/context.yml +++ /dev/null 
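Review bot: In PATCH 29/41 (vpnv2-csp.md), the two rewritten notes disagree on how strong the Device Tunnel guidance is: the NativeProtocolType note says "For a Device Tunnel, use IKEv2 only", while the ProtocolList note says "we recommend using IKEv2 in NativeProtocolType instead of ProtocolList". Pick one: if other protocols aren't supported for a Device Tunnel, say so in both places; if it's only a recommendation, soften the first. The added lines inside each [!NOTE] are also consecutive quoted lines with no list markers or blank ">" line between them, so unless each ends in a hard line break they will render as one run-on paragraph; a bulleted list would be safer. Minor: "Device Tunnel" and "Device tunnel" are both used, and "For a User Tunnel up to 4" needs a comma after "Tunnel". The text is repeated at 7004 and 7135, so any change has to go into all four hunks.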
@@ -1,4 +0,0 @@ -### YamlMime: ContextObject -brand: windows -breadcrumb_path: ../breadcrumb/toc.yml -toc_rel: ../toc.yml \ No newline at end of file diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md index 1214df4042..dbe9384925 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md 
@@ -143,6 +143,36 @@ In general, to maintain maximum security, admins should only push firewall excep > [!NOTE] > The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. We currently only support rules created using the full path to the application(s). +## Understand Group Policy Processing + +The Windows Firewall settings configured via group policy are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes. + +When Windows Firewall checks the registry for any configuration changes, the *Windows Filtering Platform (WFP)* perfoms the following actions: + +- Reads all firewall rules and settings +- Applies any new filters +- Removes the old filters + +> [!NOTE] +> The actions are triggered regardless if there's a configuration change. During the process, IPsec connections are disconnected. + +Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing`. The *Process even if the Group Policy objects have not changed* option updates and reapplies the policies even if the policies have not changed. This option is disabled by default. + +If you enable the option *Process even if the Group Policy objects have not changed*, the WFP filters get reapplied during every background refresh. In case you have ten group policies, the WFP filters get reapplied ten times during the refresh interval. 
If an error happens during policy processing, the applied settings may be incomplete, resulting in issues like: + +- Windows Defender Firewall blocks inbound or outbound traffic allowed by group policies +- Local Firewall settings are applied instead of group policy settings +- IPsec connections cannot establish + +The temporary solution is to refresh the group policy settings, using the command `gpupdate.exe /force`, which requires connectivity to a domain controller. + +To avoid the issue, leave the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing` to the default value of *Not Configured* or, if already configured, configure it *Disabled*. + +> [!IMPORTANT] +> The checkbox next to **Process even if the Group Policy objects have not changed** must be unchecked. If you leave it unchecked, WFP filters are written only in case there's a configuration change. +> +> If there's a requirement to force registry deletion and rewrite, then disable background processing by checking the checkbox next to **Do not apply during periodic background processing**. + ## Know how to use "shields up" mode for active attacks An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack. From 5efa9801ee8b85ef4165f6fb5dc0e5d5ef47a55e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 19 Jun 2023 08:10:24 -0400 Subject: [PATCH 31/41] new q/a --- education/windows/windows-11-se-faq.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/education/windows/windows-11-se-faq.yml b/education/windows/windows-11-se-faq.yml index d03213a9d3..52fa4c5d69 100644 --- a/education/windows/windows-11-se-faq.yml +++ b/education/windows/windows-11-se-faq.yml 
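Review bot: In PATCH 30/41, the new "Understand Group Policy Processing" section offers gpupdate.exe /force as the temporary fix and notes that it "requires connectivity to a domain controller", yet the first symptom listed just above is that the firewall "blocks inbound or outbound traffic allowed by group policies". Say what an admin should do when the incomplete rule set is itself what cuts the device off from the domain controller, otherwise the workaround reads as always available. Wording in the same hunk: "perfoms" is misspelled, "regardless if" should be "regardless of whether", "IPsec connections cannot establish" should be "can't be established", the section mixes "Windows Firewall" and "Windows Defender Firewall", and the IMPORTANT note says the checkbox "must be unchecked" and then "If you leave it unchecked" in consecutive sentences. Separately, the subject only mentions firewall recommendations, but the patch also deletes windows/security/breadcrumb/toc.yml and windows/security/context/context.yml; move that to its own commit and confirm nothing still points at breadcrumb_path: ../breadcrumb/toc.yml.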
@@ -33,6 +33,9 @@ sections: - question: Can I load Windows 11 SE on any hardware? answer: | Windows 11 SE is only available on devices that are built for education. To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview). + - question: Can I PXE boot a Windows SE device? + answer: | + No, Secure Boot prevents Windows SE devices from booting via PXE. As a workaround, you can use a UEFI bootable USB device to boot the device. - name: Applications and settings questions: - question: How can I install applications on Windows 11 SE? From 4e74e3d2ef6f663bc15977cc74fa8587b35c9ed0 Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Mon, 19 Jun 2023 10:47:02 -0500 Subject: [PATCH 32/41] Made Acrolinx revisions. --- windows/client-management/mdm/vpnv2-csp.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 59a2c2d1e1..7a13d3b3fc 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -1090,7 +1090,7 @@ Nodes under SSO can be used to choose a certificate different from the VPN Authe -Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication. +Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication. @@ -1222,7 +1222,7 @@ First, it automatically becomes an always on profile. Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect. -Third, no other Device Tunnel profile maybe be present on the same machine. +Third, no other Device Tunnel profile may be present on the same machine. A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected. 
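Review bot: In PATCH 31/41 (windows-11-se-faq.yml), the added question and answer say "Windows SE" while the surrounding entries use "Windows 11 SE"; use the full product name in both lines. The answer also attributes the PXE restriction to Secure Boot and then suggests a "UEFI bootable USB device" without saying what that media has to satisfy to boot with Secure Boot still enabled; add that detail or a link so the workaround isn't read as a reason to turn Secure Boot off.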
@@ -1587,7 +1587,7 @@ Boolean to determine whether this domain name rule will trigger the VPN. -Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. +Comma Separated list of IP addresses for the DNS Servers to use for the domain name. @@ -1792,7 +1792,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet -Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. +Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. @@ -3036,7 +3036,7 @@ Default 168, max 500000. -RetryTimeInHours specifies the length of time Windows tries to use the last succesful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol. +RetryTimeInHours specifies the length of time Windows tries to use the last successful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol. 
@@ -3119,7 +3119,7 @@ Type of routing policy. -Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. +Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com. @@ -5387,7 +5387,7 @@ Nodes under SSO can be used to choose a certificate different from the VPN Authe -Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication. +Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication. 
@@ -5827,7 +5827,7 @@ Boolean to determine whether this domain name rule will trigger the VPN. -Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. +Comma Separated list of IP addresses for the DNS Servers to use for the domain name. @@ -6032,7 +6032,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet -Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. +Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. @@ -7276,7 +7276,7 @@ Default 168, max 500000. -RetryTimeInHours specifies the length of time Windows tries to use the last succesful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol. +RetryTimeInHours specifies the length of time Windows tries to use the last successful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol. 
@@ -7359,7 +7359,7 @@ Type of routing policy. -Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. +Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com. From c825db2edc4db80fbfd7b8ebc0baba2328b7c364 Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Mon, 19 Jun 2023 12:57:16 -0300 Subject: [PATCH 33/41] fixed spelling error --- .../windows-firewall/best-practices-configuring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md index dbe9384925..252378807c 100644 
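Review bot: In PATCH 32/41, the @@ -3119,7 and @@ -7359,7 hunks fix "seperated" but leave other errors on the same line: "Examples, 208.147.66.130 or vpn.contoso.com The name can be" is missing a period after vpn.contoso.com, "make a list of server by" should be "servers", and "semi-colon" is normally written "semicolon". Since the line is already being touched, fix these in the same pass. The EKU and DNS server hunks also keep "Comma Separated list"; "Comma-separated list" would match the lowercase "separated by commas" used in the gateway description.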
--- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md @@ -147,7 +147,7 @@ In general, to maintain maximum security, admins should only push firewall excep The Windows Firewall settings configured via group policy are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes. -When Windows Firewall checks the registry for any configuration changes, the *Windows Filtering Platform (WFP)* perfoms the following actions: +When Windows Firewall checks the registry for any configuration changes, the *Windows Filtering Platform (WFP)* performs the following actions: - Reads all firewall rules and settings - Applies any new filters From d652b66a4526d1499092911f1dfc7d723b1c0fb7 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 19 Jun 2023 10:48:44 -0700 Subject: [PATCH 34/41] edit 400 message --- windows/deployment/update/wufb-reports-faq.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index f1bc118200..252e180f44 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml 
@@ -24,7 +24,6 @@ summary: | - [How do you set up Windows Update for Business reports?](#how-do-you-set-up-windows-update-for-business-reports) - [Why is "Waiting for Windows Update for Business reports data" displayed on the page](#why-is--waiting-for-windows-update-for-business-reports-data--displayed-on-the-page) - [Why am I getting the error "400 Bad Request: The specified resource already exists"?](#why-am-i-getting-the-error--400-bad-request--the-specified-resource-already-exists-) - - [Why am I getting the error "400 Bad Request: Identifier must be GUID"?](#why-am-i-getting-the-error--400-bad-request--identifier-must-be-guid-) **Questions about using Windows Update for Business reports**: @@ -90,9 +89,6 @@ sections: - question: "Why am I getting the error `400 Bad Request: The specified resource already exists`?" answer: | A `400 Bad Request: The specified resource already exists` error message indicates that the service already has a subscription and workspace mapping saved. If you're trying to re-enroll with the same configuration settings, wait a few minutes, then refresh the page before saving your subscription and workspace again. Sometimes it can take time to register the save, so it's important to not re-enroll too quickly. - - question: "Why am I getting the error `400 Bad Request: Identifier must be GUID`?" - answer: | - The `400 Bad Request: Identifier must be GUID` error message indicates that you've provided an invalid or incorrect value for the resource connection ID when making a request to the Log Analytics API. Ensure that the resource group within your Azure subscription is a valid GUID (Globally Unique Identifier). - name: Using Windows Update for Business reports questions: - question: Why is the device name null(#)? From 2a3a41b75c286b0e4201c6e74e6a7ab01e463745 Mon Sep 17 00:00:00 2001 
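Review bot: In PATCH 34/41, the subject says "edit 400 message" but both hunks delete the "400 Bad Request: Identifier must be GUID" entry outright (the summary link at @@ -24,7 and the question and answer at @@ -90,9). Reword the subject to say it's a removal and give the reason in the commit body, and check whether anything else links to the #why-am-i-getting-the-error--400-bad-request--identifier-must-be-guid- fragment, since those links will no longer resolve to a section.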
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 19 Jun 2023 10:51:02 -0700 Subject: [PATCH 35/41] metadata --- windows/deployment/update/wufb-reports-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml index 252e180f44..98ba761d81 100644 --- a/windows/deployment/update/wufb-reports-faq.yml +++ b/windows/deployment/update/wufb-reports-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Update for Business reports. ms.prod: windows-client ms.topic: faq - ms.date: 06/15/2023 + ms.date: 06/20/2023 manager: aaroncz author: mestew ms.author: mstewart From a2293c95b509bfd11792f3295a9c9d43f3776e29 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Tue, 20 Jun 2023 09:54:49 +0200 Subject: [PATCH 36/41] Update best-practices-configuring.md Adding some details to the Note --- .../windows-firewall/best-practices-configuring.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md index 252378807c..b156adfef4 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md 
@@ -147,18 +147,18 @@ In general, to maintain maximum security, admins should only push firewall excep The Windows Firewall settings configured via group policy are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes. -When Windows Firewall checks the registry for any configuration changes, the *Windows Filtering Platform (WFP)* performs the following actions: +Windows Firewall monitors the registry for changes, and if something is written to the registry it notifies the *Windows Filtering Platform (WFP)*, which performs the following actions: - Reads all firewall rules and settings - Applies any new filters - Removes the old filters > [!NOTE] -> The actions are triggered regardless if there's a configuration change. During the process, IPsec connections are disconnected. +> The actions are triggered whenever something is written to, or deleted from the registry location the GPO settings are stored, regardless if there's really a configuration change. During the process, IPsec connections are disconnected. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing`. The *Process even if the Group Policy objects have not changed* option updates and reapplies the policies even if the policies have not changed. This option is disabled by default. -If you enable the option *Process even if the Group Policy objects have not changed*, the WFP filters get reapplied during every background refresh. In case you have ten group policies, the WFP filters get reapplied ten times during the refresh interval. 
If an error happens during policy processing, the applied settings may be incomplete, resulting in issues like: +If you enable the option *Process even if the Group Policy objects have not changed*, the WFP filters get reapplied during **every** background refresh. In case you have ten group policies, the WFP filters get reapplied ten times during the refresh interval. If an error happens during policy processing, the applied settings may be incomplete, resulting in issues like: - Windows Defender Firewall blocks inbound or outbound traffic allowed by group policies - Local Firewall settings are applied instead of group policy settings From 10576d4195a40dd771a9f8bf57f9e1ce2feadf6d Mon Sep 17 00:00:00 2001 From: Samuel Yun Date: Tue, 20 Jun 2023 07:20:42 -0700 Subject: [PATCH 37/41] Update toc.yml - network security --- .../operating-system-security/network-security/toc.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system-security/network-security/toc.yml b/windows/security/operating-system-security/network-security/toc.yml index c62a6aaad4..f8ef3f19b2 100644 --- a/windows/security/operating-system-security/network-security/toc.yml +++ b/windows/security/operating-system-security/network-security/toc.yml @@ -1,8 +1,10 @@ items: - name: Transport layer security (TLS) 🔗 href: /windows-server/security/tls/tls-ssl-schannel-ssp-overview - - name: WiFi Security + - name: Wi-Fi Security href: https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09 + - name: Extensible Authentication Protocol (EAP) for network access + href: /windows-server/networking/technologies/extensible-authentication-protocol/network-access - name: Windows Firewall 🔗 href: windows-firewall/windows-firewall-with-advanced-security.md - name: Virtual Private Network (VPN) 
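Review bot: In PATCH 36/41, the rewritten lead sentence says WFP is notified "if something is written to the registry", which reads as any registry write, while the note below it narrows the trigger to "the registry location the GPO settings are stored". Use the narrower wording in both places so readers don't infer that unrelated registry activity disconnects IPsec. The note itself needs "the registry location where the GPO settings are stored" and "regardless of whether there's really a configuration change", and the comma after "written to" should either be dropped or paired with one after "deleted from".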
@@ -14,4 +16,4 @@ items: - name: Server Message Block (SMB) file service 🔗 href: /windows-server/storage/file-server/file-server-smb-overview - name: Server Message Block Direct (SMB Direct) 🔗 - href: /windows-server/storage/file-server/smb-direct \ No newline at end of file + href: /windows-server/storage/file-server/smb-direct From a9294c77992f46ff51367defb6a33c3612f5bfeb Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Tue, 20 Jun 2023 10:33:40 -0400 Subject: [PATCH 38/41] Link in VPN auth page --- .../network-security/vpn/vpn-authentication.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md index 1fc65b4198..cbb238ee6a 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md @@ -1,7 +1,7 @@ --- title: VPN authentication options description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. -ms.date: 09/23/2021 +ms.date: 06/20/2023 ms.topic: conceptual --- @@ -9,7 +9,7 @@ ms.topic: conceptual In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic). -Windows supports a number of EAP authentication methods. +Windows supports a number of EAP authentication methods. - EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2): - User name and password authentication 
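Review bot: In PATCH 37/41 (network-security/toc.yml), the added "Extensible Authentication Protocol (EAP) for network access" entry points at /windows-server/... but has no 🔗 suffix, unlike the TLS and SMB entries in this file that link to /windows-server/ and carry it. Add the marker if it is meant to flag links that leave this doc set, and apply the same rule to the renamed "Wi-Fi Security" entry, which goes to support.microsoft.com.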
@@ -71,14 +71,14 @@ For a UWP VPN plug-in, the app vendor controls the authentication method to be u ## Configure authentication -See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EAP XML configuration. +See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EAP XML configuration. >[!NOTE] >To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../../../identity-protection/hello-for-business/hello-identity-verification.md). The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP). -:::image type="content" source="images/vpn-eap-xml.png" alt-text="EAP XML configuration in Intune profile."::: +:::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile."::: ## Related topics @@ -90,3 +90,4 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN security features](vpn-security-features.md) - [VPN profile options](vpn-profile-options.md) +- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) From dfb0e2eecfcfe6beb1c13341ead4d3ec30c7fde8 Mon Sep 17 00:00:00 2001 From: Sam Yun Date: Tue, 20 Jun 2023 10:36:13 -0400 Subject: [PATCH 39/41] Acrolinx --- .../network-security/vpn/vpn-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md index cbb238ee6a..5b8c8be320 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md @@ -43,7 +43,7 @@ Windows supports a number of EAP authentication methods. - Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials. - - [Cryptobinding](/openspecs/windows_protocols/ms-peap/757a16c7-0826-4ba9-bb71-8c3f1339e937): By deriving and exchanging values from the PEAP phase 1 key material (**Tunnel Key**) and from the PEAP phase 2 inner EAP method key material (**Inner Session Key**), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks. + - [Cryptobinding](/openspecs/windows_protocols/ms-peap/757a16c7-0826-4ba9-bb71-8c3f1339e937): By deriving and exchanging values from the PEAP phase 1 key material (**Tunnel Key**) and from the PEAP phase 2 inner EAP method key material (**Inner Session Key**), it's possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks. - Tunneled Transport Layer Security (TTLS) - Inner method From 41d9cd98a8b6bed8cbb8c111b710162178891dc4 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Jun 2023 10:53:22 -0400 Subject: [PATCH 40/41] Update to PRP recommendations. --- .../hello-hybrid-cloud-kerberos-trust.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 47edfbacd4..c7640d3785 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md 
@@ -32,12 +32,13 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\ With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. -When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object: +When Azure AD Kerberos is enabled in an Active Directory domain, an *AzureADKerberos* computer object is created in the domain. This object: - Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers -- Is only used by Azure AD to generate TGTs for the Active Directory domain. +- Is only used by Azure AD to generate TGTs for the Active Directory domain + > [!NOTE] - > The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object. For example, users that are direct or indirect members of the built-in security group *Denied RODC Password Replication Group* won't be able to use cloud Kerberos trust. + > Similar rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust. :::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Azure AD Kerberos server "::: 
@@ -67,9 +68,9 @@ The following scenarios aren't supported using Windows Hello for Business cloud - Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity > [!NOTE] -> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys. +> The default *Password Replication Policy* configured on the AzureADKerberos computer object doesn't allow to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys. > -> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object `CN=AzureADKerberos,OU=Domain Controllers,`. +> It **isn't recommended** to unblock these accounts by relaxing the Password Replication Policy of the computer object `CN=AzureADKerberos,OU=Domain Controllers,`. ## Next steps From fe699b196f031300601230c3cad8669df3f80ecf Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 20 Jun 2023 11:00:17 -0400 Subject: [PATCH 41/41] Added more details to recommendation --- .../hello-for-business/hello-hybrid-cloud-kerberos-trust.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index c7640d3785..23b6c288e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md 
@@ -38,7 +38,7 @@ When Azure AD Kerberos is enabled in an Active Directory domain, an *AzureADKerb - Is only used by Azure AD to generate TGTs for the Active Directory domain > [!NOTE] - > Similar rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust. + > Similar rules and restrictions used for RODCs apply to the AzureADKerberos computer object. For example, users that are direct or indirect members of priviliged built-in security groups won't be able to use cloud Kerberos trust. :::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Azure AD Kerberos server "::: @@ -70,7 +70,7 @@ The following scenarios aren't supported using Windows Hello for Business cloud > [!NOTE] > The default *Password Replication Policy* configured on the AzureADKerberos computer object doesn't allow to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys. > -> It **isn't recommended** to unblock these accounts by relaxing the Password Replication Policy of the computer object `CN=AzureADKerberos,OU=Domain Controllers,`. +> Due to possible attack vectors from Azure AD to Active Directory, it **isn't recommended** to unblock these accounts by relaxing the Password Replication Policy of the computer object `CN=AzureADKerberos,OU=Domain Controllers,`. ## Next steps
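Review bot: In PATCH 40/41, hunk `@@ -32,12 +33,13 @@` of hello-hybrid-cloud-kerberos-trust.md, the rewritten NOTE drops the one concrete example the old text had. The removed line named *Denied RODC Password Replication Group*; the added line only says "built-in security groups", so a reader can no longer tell which memberships block cloud Kerberos trust. Either keep the group name as the example or point to where the affected groups are listed. "Similar rules and restrictions" is also weaker than the old "The same rules and restrictions"; if some RODC rules don't apply to this object, say which.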
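Review bot: In PATCH 40/41, hunk `@@ -67,9 +68,9 @@`, the added NOTE sentence "doesn't allow to sign high privilege accounts on to on-premises resources" is ungrammatical; suggest "doesn't allow high privilege accounts to sign in to on-premises resources". In the same hunk the distinguished name `CN=AzureADKerberos,OU=Domain Controllers,` ends with a trailing comma and no domain component, on both the removed and the added line. If a domain placeholder was meant to follow, it isn't rendering; restore it in a form that survives Markdown, or drop the trailing comma.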
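Review bot: In PATCH 41/41, hunk `@@ -38,7 +38,7 @@`, the NOTE line is rewritten to rename the object but still carries the typo "priviliged"; fix it to "privileged" while the line is being touched. The opening would also read better as "Rules and restrictions similar to those used for RODCs apply to the AzureADKerberos computer object".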
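Review bot: In PATCH 41/41, hunk `@@ -70,7 +70,7 @@`, the added justification "Due to possible attack vectors from Azure AD to Active Directory" doesn't tell the reader what the risk is. The earlier section already says this object is what Azure AD uses to generate TGTs for the domain, so the note could state the consequence directly: relaxing the Password Replication Policy would let that path cover high privilege accounts. The note also stops at what not to do; add a sentence or a link saying how high privilege accounts are expected to sign in to on-premises resources instead.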