From 9f2b333b6fc788ba3a4947892684dbbf13371fef Mon Sep 17 00:00:00 2001 From: Maurice Daly Date: Wed, 17 Nov 2021 08:35:26 +0000 Subject: [PATCH 1/9] Restriction Peer Selection Update In the documentation it currently states that peer selection can be configured to "local peer discovery". This setting can only be set via MDM based policies in Windows 11 builds, and therefore clarification is required, as although technically the docs state 20H2 and docs here - https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization-reference, state 1803, setting the value via MDM policies in these builds will result in a policy failure. --- windows/deployment/update/waas-delivery-optimization.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 4bd4c62a37..f5441af767 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md 
@@ -39,6 +39,9 @@ For information about setting up Delivery Optimization, including tips for the b - New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)." - Local Peer Discovery: a new option for **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If you also enabled Group mode, Delivery Optimization will connect to locally discovered peers that are also part of the same group (that is, those which have the same Group ID). + +**Please Note:** that the "Local peer discovery (DNS-SD)" option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy" value to "2". More information can be found here - https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization-reference. + - Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used. ## Requirements From 0edb5676d1c8049421660938ed10936ec6a63b4b Mon Sep 17 00:00:00 2001 
From: Maurice Daly Date: Thu, 18 Nov 2021 15:57:21 +0000 Subject: [PATCH 2/9] Update windows/deployment/update/waas-delivery-optimization.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/waas-delivery-optimization.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index f5441af767..21cba9fae5 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md 
@@ -40,7 +40,8 @@ For information about setting up Delivery Optimization, including tips for the b - New peer selection options: Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)." - Local Peer Discovery: a new option for **Restrict Peer Selection By** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If you also enabled Group mode, Delivery Optimization will connect to locally discovered peers that are also part of the same group (that is, those which have the same Group ID). -**Please Note:** that the "Local peer discovery (DNS-SD)" option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy" value to "2". More information can be found here - https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization-reference. +> [!NOTE] +> The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. For more information, see [Delivery Optimization reference](/windows/deployment/update/waas-delivery-optimization-reference). 
- Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used. From 70ba7e76d80d45cf86bf4c6cf16b3ae104ba2912 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 15 Dec 2021 20:12:48 -0700 Subject: [PATCH 3/9] Update waas-delivery-optimization-reference.md There was an error that this was in Windows 10, but it was introduced in Windows 11. --- .../deployment/update/waas-delivery-optimization-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 2aea9ec10f..d894207796 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -118,7 +118,7 @@ Download mode dictates which download sources clients are allowed to use when do |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | > [!NOTE] -> Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of Download Mode is no longer used. +> Starting in Windows 11, the Bypass option of Download Mode is no longer used. >[!NOTE] >When you use AAD tenant, AD Site, or AD Domain as source of group IDs, that the association of devices participating in the group should not be relied on for an authentication of identity of those devices. 
@@ -270,4 +270,4 @@ The default value of 0 (zero) means that Delivery Optimization dynamically adjus Specifies the maximum background download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. -The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. \ No newline at end of file +The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. From 1566762326a2742e115c5cb78fbf4c65e9a89634 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Thu, 16 Dec 2021 09:06:14 -0700 Subject: [PATCH 4/9] Update windows/deployment/update/waas-delivery-optimization-reference.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../deployment/update/waas-delivery-optimization-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index d894207796..056b50b8ca 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -120,8 +120,8 @@ Download mode dictates which download sources clients are allowed to use when do > [!NOTE] > Starting in Windows 11, the Bypass option of Download Mode is no longer used. ->[!NOTE] ->When you use AAD tenant, AD Site, or AD Domain as source of group IDs, that the association of devices participating in the group should not be relied on for an authentication of identity of those devices. +> [!NOTE] +> When you use AAD tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices. ### Group ID 
From 9b2a7a9dcafd3a8865b49e574bfb9e2a61d1c9b1 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Thu, 16 Dec 2021 09:15:01 -0700 Subject: [PATCH 5/9] Update waas-delivery-optimization-reference.md --- .../deployment/update/waas-delivery-optimization-reference.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 056b50b8ca..98db985852 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -205,6 +205,8 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). +The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. + ### Delay background download from http (in secs) Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. From 6d40c6d31e2162c9d5a21759a135484ec9b718b5 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Thu, 16 Dec 2021 10:11:19 -0700 Subject: [PATCH 6/9] Update waas-delivery-optimization-reference.md --- .../update/waas-delivery-optimization-reference.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 98db985852..54ef07a554 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md 
+++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -178,6 +178,9 @@ This setting specifies the minimum content file size in MB enabled to use Peer C This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of "0" means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used. +> [!NOTE] +> This is the best option for low bandwidth environments. + ### Maximum Foreground Download Bandwidth Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set. 
@@ -190,6 +193,9 @@ Starting in Windows 10, version 1803, specifies the maximum background download This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. +> [!NOTE] +> It is recommended to use the absolute value download option 'Maximum Download Bandwidth', rather than percentage-based options, for low bandwidth environments. + ### Max Upload Bandwidth This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is "0", or "unlimited" which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. From 3ffebcb7bd541a3e0a222976c1083b6d6116b0be Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 5 Jan 2022 10:55:23 +0200 Subject: [PATCH 7/9] Add info about KB5005010 https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10001 --- .../devices-prevent-users-from-installing-printer-drivers.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index 32a0ca45f2..8e293b382a 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md 
@@ -43,6 +43,9 @@ Although it might be appropriate in some organizations to allow users to install - It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer. +> [!NOTE] +> After applying the [July 6, 2021 updates](https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server. + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options From 23c5629f952b3593652e10dc7a0ec4496e2675f6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 5 Jan 2022 09:30:18 -0800 Subject: [PATCH 8/9] Update devices-prevent-users-from-installing-printer-drivers.md --- .../devices-prevent-users-from-installing-printer-drivers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index 8e293b382a..93bd2ad466 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md 
+++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 01/05/2022 ms.technology: windows-sec --- From d5815d8d148ba556dd906e8a2800b4899c4512f2 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 6 Jan 2022 11:34:51 +0200 Subject: [PATCH 9/9] Update windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../devices-prevent-users-from-installing-printer-drivers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index 93bd2ad466..5b2bfdf5aa 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md 
@@ -44,7 +44,7 @@ Although it might be appropriate in some organizations to allow users to install - It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer. > [!NOTE] -> After applying the [July 6, 2021 updates](https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server. +> After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server. ### Location
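Review bot: In [PATCH 1/9], the added paragraph in waas-delivery-optimization.md says "supported Windows 10 builds" without naming them, even though the commit message gives the 20H2 and 1803 statements as the source of the confusion. State the minimum Windows 10 build for the registry route, and give the registry value type for `DORestrictPeerSelectionBy` so the instruction "value to 2" can be followed without guessing.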
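Review bot: In [PATCH 2/9], the new `> [!NOTE]` block starts at column 0 between the "Local Peer Discovery" bullet and the "Starting with Windows 10, version 2006" bullet, so it is not attached to the bullet it qualifies and splits the list. Indent both quoted lines under the Local Peer Discovery item. The wording "MDM delivered policies" would also read better hyphenated as "MDM-delivered policies".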
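Review bot: In [PATCH 3/9], the first hunk of waas-delivery-optimization-reference.md now reads "Starting in Windows 11, the Bypass option of Download Mode is no longer used", but waas-delivery-optimization.md (visible as context in patches 1 and 2) still says "Starting with Windows 10, version 2006 (and in Windows 11)". Update that bullet in the same series so the two pages agree. The Bypass (100) table row just above the note still advises selecting the mode with WSUS and BranchCache without an OS qualifier, so consider adding "Windows 10 only" there.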
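Review bot: In [PATCH 4/9], the reworded note still ends with "should not be relied on for an authentication of identity of those devices", which is hard to parse for a statement that carries a security caveat. Suggest a direct form such as "do not rely on group membership to authenticate the identity of those devices", keeping the list of group ID sources (AAD tenant, AD Site, AD Domain) as is.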
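Review bot: In [PATCH 5/9], the added paragraph is plain body text, while the same sentence in waas-delivery-optimization.md was converted to a `> [!NOTE]` block in patch 2; use the same alert format here. It also follows a section that opens with "Starting in Windows 10, version 1803, set this policy to restrict peer selection", which reads as if all options, including Local Peer Discovery through MDM, work from 1803. Qualify that opening sentence or place the restriction next to the option list so the two statements do not conflict.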
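Review bot: In [PATCH 6/9], first hunk, the note "This is the best option for low bandwidth environments" does not say which option "This" refers to, and it sits directly above the "### Maximum Foreground Download Bandwidth" heading, where it can be read as belonging to either section. Name the setting explicitly and say what it is being compared with, in line with the wording used in the second hunk of the same patch.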
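Review bot: In [PATCH 6/9], second hunk, the setting name is written in single quotes ('Maximum Download Bandwidth') while other settings in this file are bolded (for example **DownloadMode**). Bold the name and link it to its section. "It is recommended to use" can be shortened to "Use", and "the absolute value download option" would be clearer with the unit stated, since the section describes it as kilobytes per second (KB/s).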
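Review bot: In [PATCH 7/9] (and unchanged by the URL fix in [PATCH 9/9]), the new note says only administrators can install printer drivers to a print server, but the bullet directly above it still says "Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers". Reconcile the two, for example by stating in the bullet that it describes behavior before the July 6, 2021 updates. The note's two sentences also repeat each other, and "signed and unsigned" should be "signed or unsigned" in the first sentence. Mentioning KB5005010 in the link text would help readers search for it.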