From 32b0bf95a948cb1f55a6911997ea5ca235c0fbfc Mon Sep 17 00:00:00 2001 From: Carmen Date: Fri, 13 Oct 2023 12:48:43 -0600 Subject: [PATCH 01/11] Update DO docs --- .../do/waas-delivery-optimization-reference.md | 14 ++++++++++++++ .../deployment/do/waas-delivery-optimization.md | 1 + windows/deployment/update/wufb-reports-do.md | 2 +- 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index a3302aa5c3..b96431fff7 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md 
@@ -48,6 +48,8 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Monthly upload data cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 | Default value is 20 GB. | | [Minimum background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | Recommend setting this to 500 KB/s. Default value is 2500 KB/s. | | [Enable peer caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1709 | Default is to not allow peering while on VPN. | +| [VPN Keywords](#vpn-keywords) | DOVpnKeywords | 22H2 September Moment | Allows you to set one or more keywords used to recognize VPN connections. | +| [Disallow Cache Server Downloads from VPN](#disallow-cache-server-downloads-on-vpn) | DODisallowCacheServerDownloadsOnVPN | 22H2 September Moment | Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN. | | [Allow uploads while the device is on battery while under set battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1709 | Default is to not allow peering while on battery. | | [Maximum foreground download bandwidth (percentage)](#maximum-foreground-download-bandwidth) | DOPercentageMaxForegroundBandwidth | 1803 | Default is '0' which will dynamically adjust. | | [Maximum background download bandwidth (percentage)](#maximum-background-download-bandwidth) | DOPercentageMaxBackgroundBandwidth | 1803 | Default is '0' which will dynamically adjust. | 
@@ -307,6 +309,18 @@ MDM Setting: **DOAllowVPNPeerCaching** This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. **By default, if a VPN connection is detected, peering isn't allowed, except when the 'Local Discovery' (DNS-SD) option is chosen.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. +### VPN Keywords + +MDM Setting: **DOVpnKeywords** + +This policy allows you to set one or more keywords used to recognize VPN connections. **By default, this policy is not set so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at a pre-defined set of VPN names. As the number of VPNs grow it’s difficult to support an ever-changing list of VPN names. To address this, we’ve introduced this new setting to set unique VPN names, which will be recognized by Delivery Optimization and therefore resulting in the expected behavior to help manage peering. + +### Disallow Cache Server Downloads on VPN + +MDM Setting: **DODisallowCacheServerDownloadsOnVPN** + +This policy disallows downloads from Connected Cache servers when the device connects via VPN. **By default, the device is allowed to download from Connected Cache when connected via VPN.** + ### Allow uploads while the device is on battery while under set Battery level MDM Setting: **DOMinBatteryPercentageAllowedToUpload** diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index d16c8dbb78..dcfbe153c3 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md 
@@ -62,6 +62,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: | | :heavy_check_mark: | | Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: | | | | MSIX Installer| Windows 10 2004, Windows 11 | :heavy_check_mark: | | | +| Teams | Windows 10 2004, Windows 11 | :heavy_check_mark: | | | #### Windows Server diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index 05cfa795ab..d71d76d0be 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md @@ -95,7 +95,7 @@ Each calculated values used in the Delivery Optimization report are listed below ## Mapping GroupID -In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example: +In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash and is case sensitive. You can create a mapping of original to encoded GroupIDs using the following PowerShell example: ```powershell $text = "`0" ; # The `0 null terminator is required From 3eee0549fa3661728c2f9bfe57911751f346407c Mon Sep 17 00:00:00 2001 From: Carmen Date: Mon, 16 Oct 2023 11:19:10 -0600 Subject: [PATCH 02/11] More additions --- .../deployment/do/waas-delivery-optimization-faq.yml | 1 - .../do/waas-delivery-optimization-reference.md | 12 ++++++------ windows/privacy/manage-windows-11-endpoints.md | 2 +- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 96509b2f68..92ff9cd2d4 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -51,7 +51,6 @@ sections: **For the payloads (optional)**: - - `*.download.windowsupdate.com` - `*.windowsupdate.com` **For group peers across multiple NATs (Teredo)**: diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index b96431fff7..76133cf655 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md 
@@ -34,7 +34,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | Group Policy setting | MDM setting | Supported from version | Notes | | --- | --- | --- | ------- | -| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that will share content between devices in the group.| +| [Download mode](#download-mode) | DODownloadMode | 1511 | Default is set to LAN(1). The Group [Download mode](#download-mode) (2) combined with [Group ID](#group-id), enables administrators to create custom device groups that share content between devices in the group.| | [Group ID](#group-id) | DOGroupID | 1511 | Used with Group [Download mode](#download-mode). If not set, check [GroupIDSource](#select-the-source-of-group-ids). When GroupID or GroupIDSource policies aren't set, the GroupID is defined as the AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. | | [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | If not set, check [Group ID](#group-id). When the GroupID or GroupIDSource policies aren't set, the Group is defined as the AD Site (1), Authenticated domain SID (2) or Azure AD Tenant ID (5), in that order. | | [Select a method to restrict peer selection](#select-a-method-to-restrict-peer-selection) | DORestrictPeerSelectionBy | 1803 | Starting in Windows 11, a new option to use 'Local discovery (DNS-SD)' is available to set via this policy. | 
@@ -176,19 +176,19 @@ MDM Setting: **DOMinDiskSizeAllowedToPeer** This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256, and **the default value is 32 GB**. >[!NOTE] ->If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check will apply to the new working directory specified by this policy. +>If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check applies to the new working directory specified by this policy. ### Max Cache Age MDM Setting: **DOMaxCacheAge** -In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers redownloading content. When "Unlimited" value is set, Delivery Optimization holds the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**. +In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers redownloading content. When "Unlimited" value is set, Delivery Optimization holds the files in the cache longer and cleans up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**. 
### Max Cache Size MDM Setting: **DOMaxCacheSize** -This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization uses up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**. +This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization uses up to 10 GB of that space. Delivery Optimization constantly assesses the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20%**. ### Absolute Max Cache Size @@ -207,7 +207,7 @@ This setting specifies the minimum content file size in MB enabled to use Peer C MDM Setting: **DOMaxUploadBandwidth** Deprecated in Windows 10, version 2004. -This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used. +This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization dynamically adjusts and optimize the maximum bandwidth used. ### Maximum Foreground Download Bandwidth 
@@ -257,7 +257,7 @@ MDM Setting: **DORestrictPeerSelectionBy** Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11, the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there's no peering between subnets. -If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). +If Group mode is set, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID). The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index 79bba0d70f..229303a26c 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -165,7 +165,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec |||TLSv1.2/HTTP|www.msn.com| |||TLSv1.2/HTTP|fd.api.iris.microsoft.com| |||TLSv1.2|staticview.msn.com| -|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)
[Hostnames to allow through firewall to support Delivery Optimization](../deployment/update/wufb-reports-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization)| |||TLSv1.2|definitionupdates.microsoft.com| ||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| |||HTTP|emdl.ws.microsoft.com| From 1091c060ffaf96e47e118ec802faf19fc0740366 Mon Sep 17 00:00:00 2001 From: Carmen Date: Mon, 16 Oct 2023 15:11:42 -0600 Subject: [PATCH 03/11] Fix link --- windows/privacy/manage-windows-11-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index 229303a26c..41b8d6a06f 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -165,7 +165,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec |||TLSv1.2/HTTP|www.msn.com| |||TLSv1.2/HTTP|fd.api.iris.microsoft.com| |||TLSv1.2|staticview.msn.com| -|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)
[Hostnames to allow through firewall to support Delivery Optimization](../deployment/update/wufb-reports-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization)| +|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)
[Hostnames to allow through firewall to support Delivery Optimization.](../deployment/do/waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization)| |||TLSv1.2|definitionupdates.microsoft.com| ||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| |||HTTP|emdl.ws.microsoft.com| From 2b37b714afb6e7652c91d1a074f0b83cc72824c0 Mon Sep 17 00:00:00 2001 From: Carmen Date: Mon, 16 Oct 2023 15:55:34 -0600 Subject: [PATCH 04/11] Fix link --- windows/privacy/manage-windows-11-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index 41b8d6a06f..12374dab54 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -165,7 +165,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec |||TLSv1.2/HTTP|www.msn.com| |||TLSv1.2/HTTP|fd.api.iris.microsoft.com| |||TLSv1.2|staticview.msn.com| -|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)
[Hostnames to allow through firewall to support Delivery Optimization.](../deployment/do/waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization)| +|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)
[Hostnames to allow through firewall to support Delivery Optimization.](../deployment/do/waas-delivery-optimization-faq.yml)| |||TLSv1.2|definitionupdates.microsoft.com| ||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| |||HTTP|emdl.ws.microsoft.com| From 9386cd9cb2f6fdc063cc795f96f6e0e5a1053071 Mon Sep 17 00:00:00 2001 From: Carmen Date: Mon, 16 Oct 2023 16:09:47 -0600 Subject: [PATCH 05/11] Fix link --- windows/deployment/do/waas-delivery-optimization-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 37bfca7312..f3843b3842 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md 
@@ -33,7 +33,7 @@ Starting with Microsoft Intune version 1902, you can set many Delivery Optimizat ## Allow service endpoints -When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization). +When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization). ## Allow content endpoints From 8fd4f7b392647a6464a60ad32f5ac7f63d92f67b Mon Sep 17 00:00:00 2001 From: Carmen Date: Mon, 16 Oct 2023 16:17:28 -0600 Subject: [PATCH 06/11] fix links --- windows/deployment/do/waas-delivery-optimization-setup.md | 2 +- windows/privacy/manage-windows-11-endpoints.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index f3843b3842..37bfca7312 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md 
@@ -33,7 +33,7 @@ Starting with Microsoft Intune version 1902, you can set many Delivery Optimizat ## Allow service endpoints -When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization). +When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization). ## Allow content endpoints diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index 12374dab54..41b8d6a06f 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -165,7 +165,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec |||TLSv1.2/HTTP|www.msn.com| |||TLSv1.2/HTTP|fd.api.iris.microsoft.com| |||TLSv1.2|staticview.msn.com| -|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)
[Hostnames to allow through firewall to support Delivery Optimization.](../deployment/do/waas-delivery-optimization-faq.yml)| +|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)
[Hostnames to allow through firewall to support Delivery Optimization.](../deployment/do/waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization)| |||TLSv1.2|definitionupdates.microsoft.com| ||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| |||HTTP|emdl.ws.microsoft.com| From 04d8654011a3931524918cdc1fa12de5041cbde1 Mon Sep 17 00:00:00 2001 From: Carmen Date: Mon, 16 Oct 2023 16:22:54 -0600 Subject: [PATCH 07/11] And again with the link --- windows/privacy/manage-windows-11-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index 41b8d6a06f..12374dab54 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -165,7 +165,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec |||TLSv1.2/HTTP|www.msn.com| |||TLSv1.2/HTTP|fd.api.iris.microsoft.com| |||TLSv1.2|staticview.msn.com| -|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)
[Hostnames to allow through firewall to support Delivery Optimization.](../deployment/do/waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization)| +|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)
[Hostnames to allow through firewall to support Delivery Optimization.](../deployment/do/waas-delivery-optimization-faq.yml)| |||TLSv1.2|definitionupdates.microsoft.com| ||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| |||HTTP|emdl.ws.microsoft.com| From 7e9f82f00b667707fd381668bb05470322ca434e Mon Sep 17 00:00:00 2001 From: Carmen Date: Mon, 16 Oct 2023 16:40:03 -0600 Subject: [PATCH 08/11] New settings to what's new --- windows/deployment/do/whats-new-do.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index 050b3310f5..48a01fcf35 100644 --- a/windows/deployment/do/whats-new-do.md +++ b/windows/deployment/do/whats-new-do.md 
@@ -32,8 +32,11 @@ There are two different versions: ## New in Delivery Optimization for Windows -- Delivery Optimization introduced support for receiver side ledbat (rLedbat) in Windows 11 22H2. +### Windows 11 22H2 +- New setting: Customize Vpn detection by choosing custom keywords. Now, you don't have to rely on Delivery Optimization keywords to detect your Vpn. By using the new VpnKeywords configuration you can add keywords for Delivery Optimization to use when detecting a Vpn when in use. You can find this configuration in Group Policy or MDM under 'DOVpnKeywords'. +- New setting: Use the disallow downloads from a connected cache server, when a Vpn is detected and you want to prevent the download from the connected cache server. You can find this configuration in Group Policy or MDM under 'DODisallowCacheServerDownloadsOnVPN'. +- Delivery Optimization introduced support for receiver side ledbat (rLedbat). - New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID)." - Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization restricts peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization connects to locally discovered peers that are also part of the same group, for those devices with the same Group ID). From 5330268bc93cb2c4aeae5e7aae60885f8087a187 Mon Sep 17 00:00:00 2001 
From: Carmen Date: Mon, 16 Oct 2023 17:04:41 -0600 Subject: [PATCH 09/11] More details to what's new page --- windows/deployment/do/whats-new-do.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index 48a01fcf35..7c18691ae6 100644 --- a/windows/deployment/do/whats-new-do.md +++ b/windows/deployment/do/whats-new-do.md 
@@ -34,11 +34,10 @@ There are two different versions: ### Windows 11 22H2 -- New setting: Customize Vpn detection by choosing custom keywords. Now, you don't have to rely on Delivery Optimization keywords to detect your Vpn. By using the new VpnKeywords configuration you can add keywords for Delivery Optimization to use when detecting a Vpn when in use. You can find this configuration in Group Policy or MDM under 'DOVpnKeywords'. -- New setting: Use the disallow downloads from a connected cache server, when a Vpn is detected and you want to prevent the download from the connected cache server. You can find this configuration in Group Policy or MDM under 'DODisallowCacheServerDownloadsOnVPN'. +- New setting: Customize vpn detection by choosing custom keywords. Now, you don't have to rely on Delivery Optimization keywords to detect your Vpn. By using the new VpnKeywords configuration you can add keywords for Delivery Optimization to use when detecting a Vpn when in use. You can find this configuration **[VPN Keywords](waas-delivery-optimization-reference.md#vpn-keywords)** in Group Policy or MDM under **DOVpnKeywords**. +- New setting: Use the disallow downloads from a connected cache server, when a Vpn is detected and you want to prevent the download from the connected cache server. You can find this configuration **[Disallow download from MCC over VPN](waas-delivery-optimization-reference.md#disallow-cache-server-downloads-on-vpn) in Group Policy or MDM under **DODisallowCacheServerDownloadsOnVPN**. - Delivery Optimization introduced support for receiver side ledbat (rLedbat). -- New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID)." 
-- Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization restricts peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization connects to locally discovered peers that are also part of the same group, for those devices with the same Group ID). +- New setting: Local Peer Discovery, a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** in Group Policy or MDM **DORestrictPeerSelectionBy**. This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization restricts peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization connects to locally discovered peers that are also part of the same group, for those devices with the same Group ID).Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). > [!NOTE] > The Local Peer Discovery (DNS-SD, [RFC 6763](https://datatracker.ietf.org/doc/html/rfc6763)) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. For more information, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). From c64c9ab722dc255b1cc12779b2bc57089a8f3ebb Mon Sep 17 00:00:00 2001 
From: Carmen Date: Wed, 18 Oct 2023 12:19:01 -0600 Subject: [PATCH 10/11] Address comments --- .../deployment/do/waas-delivery-optimization-reference.md | 8 ++++---- windows/deployment/do/waas-delivery-optimization.md | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 76133cf655..410e9a4598 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -303,7 +303,7 @@ MDM Setting: **DOMonthlyUploadDataCap** This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of "0" means that an unlimited amount of data can be uploaded. **The default value for this setting is 20 GB.** -### Enable Peer Caching while the device connects via VPN +### Enable peer caching while the device connects via VPN MDM Setting: **DOAllowVPNPeerCaching** 
@@ -313,13 +313,13 @@ This setting determines whether a device will be allowed to participate in Peer MDM Setting: **DOVpnKeywords** -This policy allows you to set one or more keywords used to recognize VPN connections. **By default, this policy is not set so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at a pre-defined set of VPN names. As the number of VPNs grow it’s difficult to support an ever-changing list of VPN names. To address this, we’ve introduced this new setting to set unique VPN names, which will be recognized by Delivery Optimization and therefore resulting in the expected behavior to help manage peering. +This policy allows you to set one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not set so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: “VPN”, “Secure”, and “Virtual Private Network” (ex: “MSFTVPN” matches the “VPN” keyword). As the number of VPNs grow it’s difficult to support an ever-changing list of VPN names. To address this, we’ve introduced this new setting to set unique VPN names to meet the needs of individual environments. -### Disallow Cache Server Downloads on VPN +### Disallow cache server downloads on VPN MDM Setting: **DODisallowCacheServerDownloadsOnVPN** -This policy disallows downloads from Connected Cache servers when the device connects via VPN. **By default, the device is allowed to download from Connected Cache when connected via VPN.** +This policy disallows downloads from Connected Cache servers when the device connects via VPN. 
**By default, the device is allowed to download from Connected Cache when connected via VPN.** Set this policy if you prefer devices to download directly from the Internet when connected remotely (via VPN) instead of pulling from a Microsoft Connected Cache server deployed on your corporate network. ### Allow uploads while the device is on battery while under set Battery level diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index dcfbe153c3..010894a61d 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -62,7 +62,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: | | :heavy_check_mark: | | Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: | | | | MSIX Installer| Windows 10 2004, Windows 11 | :heavy_check_mark: | | | -| Teams | Windows 10 2004, Windows 11 | :heavy_check_mark: | | | +| Teams (via MSIX Installer) | Windows 10 2004, Windows 11 | :heavy_check_mark: | | | #### Windows Server From 5374e690993af2f12386d1520e9a82b90106c8df Mon Sep 17 00:00:00 2001 From: Carmen Date: Wed, 18 Oct 2023 12:37:19 -0600 Subject: [PATCH 11/11] Remove Windows Update page --- windows/privacy/manage-windows-11-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index 12374dab54..79bba0d70f 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md 
@@ -165,7 +165,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec |||TLSv1.2/HTTP|www.msn.com| |||TLSv1.2/HTTP|fd.api.iris.microsoft.com| |||TLSv1.2|staticview.msn.com| -|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)
[Hostnames to allow through firewall to support Delivery Optimization.](../deployment/do/waas-delivery-optimization-faq.yml)| +|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| |||TLSv1.2|definitionupdates.microsoft.com| ||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| |||HTTP|emdl.ws.microsoft.com|
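
Review bot: The bold span in the added DODisallowCacheServerDownloadsOnVPN bullet of waas-delivery-optimization.md (hunk @@ -34,11 +34,10) is never closed. `**[Disallow download from MCC over VPN](waas-delivery-optimization-reference.md#disallow-cache-server-downloads-on-vpn) in Group Policy` has an opening `**` before the link and none after it, so the emphasis pairs with the `**` in front of DODisallowCacheServerDownloadsOnVPN and renders wrongly. Close it right after the link, as the DOVpnKeywords bullet above it does. In the same hunk, the merged Local Peer Discovery bullet reads `Group ID).Currently` with no space, keeps a closing parenthesis that has no opener, and the added lines mix "vpn", "Vpn" and "VPN"; please normalise to "VPN".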
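
Review bot: The new DOVpnKeywords paragraph in waas-delivery-optimization-reference.md (hunk @@ -313,13 +313,13) does not say whether configured keywords replace the default list (“VPN”, “Secure”, “Virtual Private Network”) or are added to it, nor whether matching is case-sensitive. The “MSFTVPN” example shows substring matching against the adapter's Description and FriendlyName, so an administrator needs both facts to predict which adapters are treated as VPN, and the peering and Connected Cache policies in this hunk only take effect once that detection fires. Suggest stating the behaviour explicitly and linking the "Disallow cache server downloads on VPN" section back to "VPN Keywords". Minor: "As the number of VPNs grow" should be "grows", and the sentence mixes straight quotes ('Description') with curly ones.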
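
Review bot: The commit subject says "Remove Windows Update page", but the change in manage-windows-11-endpoints.md (hunk @@ -165,7 +165,7) only drops the link to ../deployment/do/waas-delivery-optimization-faq.yml from the Windows Update row, and the message gives no reason for it. The rows just below still list the Delivery Optimization endpoint *.prod.do.dsp.mp.microsoft.com, so readers building firewall allow-lists lose the only pointer in this row to the Delivery Optimization hostnames. If the FAQ target is wrong or has moved, point to its replacement rather than removing the reference, and reword the subject to describe the link removal.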