diff --git a/.github/workflows/AutoPublish.yml b/.github/workflows/AutoPublish.yml index a7e46e4f16..c067d8f47b 100644 --- a/.github/workflows/AutoPublish.yml +++ b/.github/workflows/AutoPublish.yml @@ -3,10 +3,11 @@ name: (Scheduled) Publish to live permissions: contents: write pull-requests: write + checks: read on: schedule: - - cron: "25 5,11,17,22 * * *" # Times are UTC based on Daylight Saving Time. Need to be adjusted for Standard Time. Scheduling at :25 to account for queuing lag. + - cron: "25 2,5,8,11,14,17,20,22 * * *" # Times are UTC based on Daylight Saving Time. Need to be adjusted for Standard Time. Scheduling at :25 to account for queuing lag. workflow_dispatch: @@ -14,10 +15,11 @@ jobs: auto-publish: if: github.repository_owner == 'MicrosoftDocs' && contains(github.event.repository.topics, 'build') - uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoPublish.yml@workflows-prod + uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoPublishV2.yml@workflows-prod with: PayloadJson: ${{ toJSON(github) }} EnableAutoPublish: true + EnableAutoMerge: true secrets: AccessToken: ${{ secrets.GITHUB_TOKEN }} diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index c4306b8ebe..7cfae3aab5 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -8672,7 +8672,7 @@ }, { "source_path": "windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md", - "redirect_url": "/windows/threat-protection/overview-of-threat-mitigations-in-windows-10", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/overview-of-threat-mitigations-in-windows-10", "redirect_document_id": false }, { 
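Review bot: The added `checks: read` widens the same GITHUB_TOKEN that the job below hands to the shared workflow as `AccessToken`, and the hunk does not say why it is needed. Presumably the V2 workflow reads check-run status before auto-merging, but that is inferred from the `EnableAutoMerge` input, not visible here; record the reason inline so the next least-privilege review does not have to guess: `checks: read  # needed by Shared-AutoPublishV2 to read check-run status before auto-merge (drop if V2 stops requiring it)`. The cron comment is correct that GitHub schedules are UTC-only, but "Need to be adjusted for Standard Time" is a manual chore that will silently drift twice a year; if the :25 offset matters, consider noting the last adjustment date in the comment.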
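Review bot: `uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoPublishV2.yml@workflows-prod` references a mutable branch while passing a token with `contents: write` and `pull-requests: write`, and the new `EnableAutoMerge: true` lets that token land pull requests on a scheduled run with no human in the loop, so anyone who can push to `workflows-prod` in the other repository effectively gets write-and-merge on this one. Pin the reusable workflow to a full commit SHA and keep the branch name as a comment, e.g. `uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-AutoPublishV2.yml@<full-sha> # workflows-prod`, or at minimum confirm that `workflows-prod` is branch-protected and that required reviews and status checks on this repository are enforced by branch protection rather than by logic inside the reusable workflow. `PayloadJson: ${{ toJSON(github) }}` also serializes the entire `github` context, which includes `github.token`, into a non-secret input; since the token is already passed explicitly under `secrets:`, passing only the fields V2 consumes (event name, repository, ref) would avoid duplicating it in a plain input.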
@@ -9652,7 +9652,7 @@ }, { "source_path": "windows/keep-secure/windows-10-security-guide.md", - "redirect_url": "/windows/threat-protection/overview-of-threat-mitigations-in-windows-10", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/overview-of-threat-mitigations-in-windows-10", "redirect_document_id": false }, { @@ -11567,7 +11567,7 @@ }, { "source_path": "windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md", - "redirect_url": "/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/overview-of-threat-mitigations-in-windows-10", "redirect_document_id": false }, { diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 52233f5ad0..f2b2812afe 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -4712,7 +4712,7 @@ }, { "source_path": "windows/security/threat-protection/microsoft-defender-atp/get-started.md", - "redirect_url": "/windows/security/threat-protection/index", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/index", "redirect_document_id": false }, { 
@@ -10029,6 +10029,16 @@ "source_path": "windows/security/security-foundations/zero-trust-windows-device-health.md", "redirect_url": "/windows/security/book/security-foundation", "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/index.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/index", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/overview-of-threat-mitigations-in-windows-10", + "redirect_document_id": false } ] } \ No newline at end of file diff --git a/.openpublishing.redirection.windows-whats-new.json b/.openpublishing.redirection.windows-whats-new.json index 80f7068d98..0435c65fe9 100644 --- a/.openpublishing.redirection.windows-whats-new.json +++ b/.openpublishing.redirection.windows-whats-new.json @@ -67,7 +67,7 @@ }, { "source_path":"windows/whats-new/security.md", - "redirect_url":"/windows/threat-protection/overview-of-threat-mitigations-in-windows-10", + "redirect_url":"/windows/security/index", "redirect_document_id":false }, { diff --git a/education/docfx.json b/education/docfx.json index 8a348ff39f..47d4c79e99 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -37,7 +37,7 @@ "ms.service": "windows-client", "author": "paolomatarazzo", "ms.author": "paoloma", - "manager": "aaroncz", + "manager": "bpardi", "ms.localizationpriority": "medium", "breadcrumb_path": "/education/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-Windows", @@ -53,12 +53,12 @@ "contributors_to_exclude": [ "dstrome2", "rjagiewich", - "American-Dipper", + "American-Dipper", "claydetels19", "jborsecnik", "v-stchambers", "shdyas", - "Stacyrch140", + "Stacyrch140", "garycentric", "dstrome", "padmagit77", 
diff --git a/education/includes/winse-eos.md b/education/includes/winse-eos.md new file mode 100644 index 0000000000..d5f5a6e13f --- /dev/null +++ b/education/includes/winse-eos.md @@ -0,0 +1,12 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 06/04/2025 +ms.topic: include +ms.service: windows-client +--- + +> [!IMPORTANT] +> **Support for Windows 11 SE will end in October 2026** +> +> Microsoft will not release a feature update after Windows 11 SE, version 24H2. Support for Windows 11 SE—including software updates, technical assistance, and security fixes—will end in October 2026. While your device will continue to work, we recommend transitioning to a device that supports another edition of Windows 11 to ensure continued support and security. \ No newline at end of file diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md index 072a760e05..c1bf90cd64 100644 --- a/education/windows/change-home-to-edu.md +++ b/education/windows/change-home-to-edu.md @@ -6,7 +6,7 @@ ms.topic: how-to author: scottbreenmsft ms.author: scbree ms.reviewer: paoloma -manager: aaroncz +manager: bpardi ms.collection: - tier3 - education @@ -14,6 +14,8 @@ ms.collection: # Upgrade Windows Home to Windows Education on student-owned devices +[!INCLUDE [winse-eos](../includes/winse-eos.md)] + ## Overview Customers with qualifying subscriptions can upgrade student-owned and institution-owned devices from *Windows Home* to *Windows Education*, which is designed for both the classroom and remote learning. diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index bdd5d2761c..ea7ef6791d 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md 
@@ -9,6 +9,8 @@ appliesto: # Configure Stickers for Windows 11 SE +[!INCLUDE [winse-eos](../includes/winse-eos.md)] + Starting in **Windows 11 SE, version 22H2**, *Stickers* is a feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes. Similar to the [education theme packs](edu-themes.md), Stickers is a personalization feature that helps the device feel like it was designed for students. diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md index 727c1a26bd..781bdf9b53 100644 --- a/education/windows/edu-themes.md +++ b/education/windows/edu-themes.md @@ -10,6 +10,8 @@ appliesto: # Configure education themes for Windows 11 +[!INCLUDE [winse-eos](../includes/winse-eos.md)] + Starting in **Windows 11, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school. :::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Screenshot of Windows 11 desktop with 3 stickers" border="true"::: diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 9a73ef453c..4ebc544aaf 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md 
@@ -13,6 +13,8 @@ ms.collection: # Configure federated sign-in for Windows devices +[!INCLUDE [winse-eos](../includes/winse-eos.md)] + Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via a web sign-in experience. Signing in with a federated identity can be a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in. diff --git a/education/windows/index.yml b/education/windows/index.yml index 981e1d8466..c9dc3d4754 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -11,7 +11,7 @@ metadata: - tier1 author: paolomatarazzo ms.author: paoloma - manager: aaroncz + manager: bpardi ms.date: 10/10/2024 highlightedContent: diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 4633fbdfc4..c9edc5a41c 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -7,6 +7,8 @@ ms.topic: reference # Take a Test app technical reference +[!INCLUDE [winse-eos](../includes/winse-eos.md)] + Take a Test is an application that locks down a device and displays an online assessment web page. Whether you're a teacher or IT administrator, you can configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment. This environment means that students taking the tests that don't have copy/paste privileges, can't access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher's preferred assessment website to deliver digital assessments. 
diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md index b43345436f..e4690e4634 100644 --- a/education/windows/take-tests-in-windows.md +++ b/education/windows/take-tests-in-windows.md @@ -7,6 +7,8 @@ ms.topic: how-to # Take tests and assessments in Windows +[!INCLUDE [winse-eos](../includes/winse-eos.md)] + Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't: - Print, use screen capture, or text suggestions (unless enabled by the teacher or administrator) diff --git a/education/windows/tutorial-deploy-apps-winse/considerations.md b/education/windows/tutorial-deploy-apps-winse/considerations.md index 54cb82322a..3fc7f8842f 100644 --- a/education/windows/tutorial-deploy-apps-winse/considerations.md +++ b/education/windows/tutorial-deploy-apps-winse/considerations.md @@ -9,6 +9,8 @@ appliesto: # Important considerations before deploying apps with Managed Installer +[!INCLUDE [winse-eos](../../includes/winse-eos.md)] + This article describes important aspects to consider before deploying apps with managed installer. ## Existing apps deployed in Intune diff --git a/education/windows/tutorial-deploy-apps-winse/create-policies.md b/education/windows/tutorial-deploy-apps-winse/create-policies.md index e7fdd29782..2e6a508ec2 100644 --- a/education/windows/tutorial-deploy-apps-winse/create-policies.md +++ b/education/windows/tutorial-deploy-apps-winse/create-policies.md 
@@ -9,6 +9,8 @@ appliesto: # Create policies to enable applications +[!INCLUDE [winse-eos](../../includes/winse-eos.md)] + :::row::: :::column span=""::: Icon representing the first phase.
diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md index 4ab613f7f0..2f13ef837e 100644 --- a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md +++ b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md @@ -9,6 +9,8 @@ appliesto: # Applications deployment considerations +[!INCLUDE [winse-eos](../../includes/winse-eos.md)] + :::row::: :::column span=""::: Icon representing the first phase.
diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md index 990f4c894b..4ae0894730 100644 --- a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md +++ b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md @@ -11,6 +11,8 @@ appliesto: # Deploy policies to enable applications +[!INCLUDE [winse-eos](../../includes/winse-eos.md)] + Once the policies are created, you must deploy them to the Windows SE devices.\ AppLocker policies can be deployed via Intune. This article describes how to deploy AppLocker policies to enable apps execution on Windows SE devices. diff --git a/education/windows/tutorial-deploy-apps-winse/index.md b/education/windows/tutorial-deploy-apps-winse/index.md index c96283ec0c..7302588ec0 100644 --- a/education/windows/tutorial-deploy-apps-winse/index.md +++ b/education/windows/tutorial-deploy-apps-winse/index.md @@ -9,6 +9,8 @@ appliesto: # Tutorial: deploy applications to Windows 11 SE with Intune +[!INCLUDE [winse-eos](../../includes/winse-eos.md)] + This guide describes how to deploy applications to Windows 11 SE devices that are managed by Microsoft Intune in an education environment. The guide also describes how to validate the apps and how to create policies to allow apps that aren't installable or don't behave as intended. ## Windows 11 SE and application deployment diff --git a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md index f23a6c4034..1ac192d921 100644 --- a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md +++ b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md 
@@ -9,6 +9,8 @@ appliesto: # Troubleshoot app deployment issues in Windows SE +[!INCLUDE [winse-eos](../../includes/winse-eos.md)] + The following table lists common app deployment issues on Windows 11 SE, and options to resolve them: | **Problem** | **Potential solution** | diff --git a/education/windows/tutorial-deploy-apps-winse/validate-apps.md b/education/windows/tutorial-deploy-apps-winse/validate-apps.md index 4cfa11748b..1b5e86d831 100644 --- a/education/windows/tutorial-deploy-apps-winse/validate-apps.md +++ b/education/windows/tutorial-deploy-apps-winse/validate-apps.md @@ -9,6 +9,8 @@ appliesto: # Validate the applications deployed to Windows SE devices +[!INCLUDE [winse-eos](../../includes/winse-eos.md)] + :::row::: :::column span=""::: Icon representing the first phase.
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 3c0a5f8d93..653b406412 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -12,6 +12,8 @@ ms.collection: # Windows 11 SE Overview +[!INCLUDE [winse-eos](../includes/winse-eos.md)] + Windows 11 SE is an edition of Windows designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately). For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits: diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md index 5e09c2f2d1..7a112aee44 100644 --- a/education/windows/windows-11-se-settings-list.md +++ b/education/windows/windows-11-se-settings-list.md @@ -12,6 +12,8 @@ ms.collection: # Windows 11 SE for Education settings list +[!INCLUDE [winse-eos](../includes/winse-eos.md)] + Windows 11 SE automatically configures certain settings and features in the operating system. You can use Microsoft Intune to customize these settings. This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 2a00963aef..3c8a4839c1 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md 
@@ -1,16 +1,16 @@ --- title: Remove background task resource restrictions description: Allow enterprise background tasks unrestricted access to computer resources. -author: aczechowski -ms.author: aaroncz -manager: aaroncz +author: vinaypamnani-msft +ms.author: vinpa +manager: bpardi ms.date: 10/03/2017 ms.topic: article ms.service: windows-client ms.subservice: itpro-apps ms.localizationpriority: medium ms.collection: tier2 -ms.reviewer: +ms.reviewer: --- # Remove background task resource restrictions diff --git a/windows/application-management/includes/app-v-end-life-statement.md b/windows/application-management/includes/app-v-end-life-statement.md index 932390fc2d..f47b1e38ef 100644 --- a/windows/application-management/includes/app-v-end-life-statement.md +++ b/windows/application-management/includes/app-v-end-life-statement.md @@ -1,7 +1,7 @@ --- -author: aczechowski -ms.author: aaroncz -manager: aaroncz +author: vinaypamnani-msft +ms.author: vinpa +manager: bpardi ms.date: 09/20/2021 ms.topic: include ms.service: windows-client diff --git a/windows/application-management/includes/applies-to-windows-client-versions.md b/windows/application-management/includes/applies-to-windows-client-versions.md index f4b2934ded..178cfc7ef0 100644 --- a/windows/application-management/includes/applies-to-windows-client-versions.md +++ b/windows/application-management/includes/applies-to-windows-client-versions.md @@ -1,15 +1,11 @@ --- -author: aczechowski -ms.author: aaroncz -manager: aaroncz +author: vinaypamnani-msft +ms.author: vinpa +manager: bpardi ms.date: 09/28/2021 -manager: aaroncz ms.topic: include ms.service: windows-client ms.subservice: itpro-apps -ms.localizationpriortiy: medium -ms.collection: tier1 -ms.reviewer: --- **Applies to**: diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index 2fe6bc1844..41e90ed5df 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml 
@@ -6,9 +6,9 @@ summary: Learn about managing applications in Windows client, including common a metadata: title: Windows application management description: Learn about managing applications in Windows client. - author: aczechowski - ms.author: aaroncz - manager: aaroncz + author: vinaypamnani-msft + ms.author: vinpa + manager: bpardi ms.date: 09/27/2024 ms.topic: landing-page ms.service: windows-client diff --git a/windows/application-management/overview-windows-apps.md b/windows/application-management/overview-windows-apps.md index dac0bbafdb..203e61756a 100644 --- a/windows/application-management/overview-windows-apps.md +++ b/windows/application-management/overview-windows-apps.md @@ -1,9 +1,9 @@ --- title: Overview of apps on Windows client devices description: Learn about the different types of apps that run on Windows. For example, Universal Windows Platform (UWP), Windows Presentation Foundation (WPF), Win32, and Windows Forms apps. This article also includes the best way to install these apps. -author: aczechowski -ms.author: aaroncz -manager: aaroncz +author: vinaypamnani-msft +ms.author: vinpa +manager: bpardi ms.date: 09/03/2024 ms.topic: overview ms.service: windows-client diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index f1cf07572c..c9db731481 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -1,9 +1,9 @@ --- title: Per-user services description: Learn about per-user services, how to change the template service startup type, and manage per-user services through group policy and security templates. -author: aczechowski -ms.author: aaroncz -manager: aaroncz +author: vinaypamnani-msft +ms.author: vinpa +manager: bpardi ms.date: 10/01/2024 ms.topic: how-to ms.service: windows-client 
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index c7c06cff12..30351630dc 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md +++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md @@ -1,9 +1,9 @@ --- title: Use the Company Portal app for your private app repo on Windows 11 devices | Microsoft Docs description: Use the Company Portal app in Windows 11 devices to access the private app repository for your organization or company apps. Add apps to an MDM/MAM provider, and deploy the apps to Windows devices using policies. The Company Portal app replaces Microsoft Store for Business private store on Windows 11 devices. -author: aczechowski -ms.author: aaroncz -manager: aaroncz +author: vinaypamnani-msft +ms.author: vinpa +manager: bpardi ms.date: 09/03/2023 ms.topic: article ms.service: windows-client @@ -57,7 +57,7 @@ To install the Company Portal app, you have some options: - When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store app, go to the **Library**, and check for updates. For more information, see: - + - [Endpoint Management at Microsoft](/mem/endpoint-manager-overview) - [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft) - [What is co-management?](/mem/configmgr/comanage/overview) 
@@ -70,7 +70,7 @@ To install the Company Portal app, you have some options: - When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store app, go to the **Library**, and check for updates. For more information, see: - + - [What is Windows Autopilot](/mem/autopilot/windows-autopilot) - [Add and assign the Company Portal app for Autopilot provisioned devices](/mem/intune/apps/store-apps-company-portal-autopilot) diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 84cf6dc297..1658c170e3 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -1,9 +1,9 @@ --- title: Keep removed apps from returning during an update description: When you remove provisioned apps from devices, this article explains how to keep those apps from returning during an update. -author: aczechowski -ms.author: aaroncz -manager: aaroncz +author: vinaypamnani-msft +ms.author: vinpa +manager: bpardi ms.date: 05/25/2018 ms.topic: how-to ms.service: windows-client @@ -171,7 +171,7 @@ Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.HEVCVideoExtension_8wekyb3d8bbwe] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Messaging_8wekyb3d8bbwe] -``` +``` [Get-AppxPackage](/powershell/module/appx/get-appxpackage) [Get-AppxPackage -allusers](/powershell/module/appx/get-appxpackage) diff --git a/windows/application-management/sideload-apps-in-windows.md b/windows/application-management/sideload-apps-in-windows.md index 8daf6b4e76..6cd8716724 100644 --- a/windows/application-management/sideload-apps-in-windows.md 
+++ b/windows/application-management/sideload-apps-in-windows.md @@ -1,9 +1,9 @@ --- title: Sideload line of business apps description: Learn how to sideload line-of-business (LOB) apps in Windows client operating systems. When you sideload an app, you deploy a signed app package to a device. -author: aczechowski -ms.author: aaroncz -manager: aaroncz +author: vinaypamnani-msft +ms.author: vinpa +manager: bpardi ms.date: 09/27/2024 ms.topic: how-to ms.service: windows-client diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 5d7b3a998c..94f205ca20 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -1,9 +1,9 @@ --- title: Service host grouping in Windows 10 description: Learn about the Service Host (SvcHost) service refactoring introduced in Windows 10 version 1703. -author: aczechowski -ms.author: aaroncz -manager: aaroncz +author: vinaypamnani-msft +ms.author: vinpa +manager: bpardi ms.date: 07/20/2017 ms.topic: concept-article ms.service: windows-client 
@@ -22,19 +22,19 @@ The **Service Host (svchost.exe)** is a shared-service process that serves as a * Local Service No Network * Local Service Network Restricted * Local System -* Local System Network Restricted +* Local System Network Restricted * Network Service ## Separating SvcHost services -Beginning with Windows 10 Creators Update (version 1703), services that were previously grouped will instead be separated - each will run in its own SvcHost process. This change is automatic for systems with **more than 3.5 GB** of RAM running the Client Desktop SKU. On systems with 3.5 GB or less RAM, we'll continue to group services into a shared SvcHost process. +Beginning with Windows 10 Creators Update (version 1703), services that were previously grouped will instead be separated - each will run in its own SvcHost process. This change is automatic for systems with **more than 3.5 GB** of RAM running the Client Desktop SKU. On systems with 3.5 GB or less RAM, we'll continue to group services into a shared SvcHost process. Benefits of this design change include: * Increased reliability by insulating critical network services from the failure of another non-network service in the host, and adding the ability to restore networking connectivity seamlessly when networking components crash. * Reduced support costs by eliminating the troubleshooting overhead associated with isolating misbehaving services in the shared host. -* Increased security by providing more inter-service isolation -* Increased scalability by allowing per-service settings and privileges +* Increased security by providing more inter-service isolation +* Increased scalability by allowing per-service settings and privileges * Improved resource management through per-service CPU, I/O and memory management and increase clear diagnostic data (report CPU, I/O and network usage per service). >**Try This** 
@@ -48,19 +48,19 @@ Refactoring also makes it easier to view running processes in Task Manager. You For example, here are the running processes displayed in Task Manager in Windows 10 version 1607: -![Running processes in Task Manager, version 1607.](media/svchost-grouped-processes.png) - +![Running processes in Task Manager, version 1607.](media/svchost-grouped-processes.png) + Compare that to the same view of running processes in Windows 10 version 1703: ![Running processes in Task Manager, version 1703.](media/svchost-separated-processes.png) - - + + ## Exceptions Some services will continue to be grouped on PCs running with 3.5 GB or higher RAM. For example, the Base Filtering Engine (BFE) and the Windows Firewall (Mpssvc) will be grouped together in a single host group, as will the RPC Endpoint Mapper and Remote Procedure Call services. -If you need to identify services that will continue to be grouped, in addition to seeing them in Task Manager and using command line tools, you can look for the *SvcHostSplitDisable* value in their respective service keys under +If you need to identify services that will continue to be grouped, in addition to seeing them in Task Manager and using command line tools, you can look for the *SvcHostSplitDisable* value in their respective service keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. The default value of **1** prevents the service from being split. 
@@ -70,19 +70,19 @@ For example, the registry key configuration for BFE is: ## Memory footprint -Separating services increases the total number of SvcHost instances, which increases memory utilization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.) +Separating services increases the total number of SvcHost instances, which increases memory utilization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.) Consider the following example: |Grouped Services (< 3.5 GB) | Split Services (3.5 GB+) -|--------------------------------------- | ------------------------------------------ | +|--------------------------------------- | ------------------------------------------ | |![Memory utilization for grouped services.](media/svchost-grouped-utilization.png) |![Memory utilization for separated services](media/svchost-separated-utilization.png) | > [!NOTE] > The above represents the peak observed values. -The total number of service instances and the resulting memory utilization varies depending on activity. Instance counts can typically range from approximately 17-21 for grouped services, and 67-74 for separated services. +The total number of service instances and the resulting memory utilization varies depending on activity. Instance counts can typically range from approximately 17-21 for grouped services, and 67-74 for separated services. > **Try This** > diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index 7800723235..b5a18a724b 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json 
@@ -47,7 +47,7 @@ "ms.topic": "conceptual", "ms.author": "vinpa", "author": "vinaypamnani-msft", - "manager": "aaroncz", + "manager": "bpardi", "feedback_system": "Standard", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index f600a15201..783fa196ad 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -13,7 +13,7 @@ metadata: - essentials-manage author: vinaypamnani-msft ms.author: vinpa - manager: aaroncz + manager: bpardi ms.date: 07/08/2024 ms.localizationpriority: medium diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 655fdb09e4..1e3e14c810 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -3,7 +3,7 @@ title: Updated Windows and Microsoft 365 Copilot Chat experience description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization. ms.topic: overview ms.subservice: windows-copilot -ms.date: 01/28/2025 +ms.date: 06/09/2025 ms.author: mstewart author: mestew ms.collection: 
@@ -16,66 +16,39 @@ appliesto: # Updated Windows and Microsoft 365 Copilot Chat experience ->**Looking for consumer information?** See [Welcome to Copilot on Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0). **Looking for more information on Microsoft 365 Copilot Chat experiences?** See [Understanding the different Microsoft 365 Copilot Chat experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842). +>**Looking for consumer information?** See [Getting started with Copilot on Windows](https://support.microsoft.com/topic/1159c61f-86c3-4755-bf83-7fbff7e0982d). **Looking for more information on Microsoft 365 Copilot Chat experiences?** See [Understanding the different Microsoft 365 Copilot Chat experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842). ## Enhanced data protection with enterprise data protection -The Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft 365 Copilot Chat](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) is available at no additional cost and it redirects users to a new simplified interface designed for work and education. [Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Microsoft 365 Copilot and Microsoft 365 Copilot Chat. This means that security, privacy, compliance controls and commitments available for Microsoft 365 Copilot will extend to Microsoft 365 Copilot Chat prompts and responses. Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers. 
This is an improvement on top of the previous commercial data protection (CDP) promise. This update is rolling out now. For more information, see the [Microsoft 365 Copilot Chat updates and enterprise data protection FAQ](/copilot/edpfaq). +Starting in September 2024, the Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft 365 Copilot Chat](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) is available at no additional cost and it redirects users to a new simplified interface designed for work and education. [Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Microsoft 365 Copilot and Microsoft 365 Copilot Chat. This means that security, privacy, compliance controls and commitments available for Microsoft 365 Copilot will extend to Microsoft 365 Copilot Chat prompts and responses. Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers. This is an improvement on top of the previous commercial data protection (CDP) promise. For more information, see the [Microsoft 365 Copilot Chat updates and enterprise data protection FAQ](/copilot/edpfaq). -> [!IMPORTANT] -> To streamline the user experience, updates to the Copilot entry points in Windows are being made for users. **Copilot in Windows (preview) will be removed from Windows**. The experience will slightly vary depending on whether your organization has already opted into using Copilot in Windows (preview) or not. 
- -## Copilot in Windows (preview) isn't enabled - -If your organization hasn't enabled Copilot in Windows (preview), your existing preferences are respected. Neither Microsoft 365 Copilot Chat or the Microsoft 365 Copilot app (formerly the Microsoft 365 app) are pinned to the taskbar. To prepare for the eventual removal of the [Copilot in Windows policy](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot), admins should [set pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center. - -> [!NOTE] -> Although we won't be pinning any app to the taskbar by default, IT has the capability to use policies to enforce their preferred app pinning. - -## Copilot in Windows (preview) is enabled - -If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your users moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 Copilot app to the taskbar in Windows. Rather, we ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs. - -If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 Copilot app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar. 
## Users signing in to new PCs with Microsoft Entra accounts For users signing in to new PCs with work or school accounts, the following experience occurs: -- The Microsoft 365 Copilot app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc. +- The Microsoft 365 Copilot app is pinned to the taskbar - this is the app that typically comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc. - Users that have the Microsoft 365 Copilot license have Microsoft 365 Copilot Chat pinned by default inside the Microsoft 365 Copilot app. - Within the Microsoft 365 Copilot app, the Microsoft 365 Copilot Chat icon is situated next to the home button. - Microsoft 365 Copilot Chat (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license. - Microsoft 365 Copilot Chat is available at no additional cost to customers with a Microsoft Entra account. Microsoft 365 Copilot Chat is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat. - For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft 365 Copilot Chat and the work scoped chat capabilities of Microsoft 365 Copilot. -- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft 365 Copilot Chat to ensure they have easy access to Copilot. To set the default behavior, admins should [set taskbar pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center. 
+- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft 365 Copilot Chat to ensure they have easy access to Copilot. To set the default behavior, admins should [set pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center. - If admins elect not to pin Copilot and indicate that users can be asked, users will be asked to pin it themselves in the Microsoft 365 Copilot app, Outlook, and Teams. -- If admins elect not to pin Microsoft 365 Copilot Chat and indicate that users can't be asked, Microsoft 365 Copilot Chat won't be available via the Microsoft 365 Copilot app, Outlook, or Teams. Users have access to Microsoft 365 Copilot Chat from unless that URL is blocked by the IT admin. +- If admins elect not to pin Microsoft 365 Copilot Chat and indicate that users can't be asked, Microsoft 365 Copilot Chat won't be available via the Microsoft 365 Copilot app, Outlook, or Teams. Users have access to Microsoft 365 Copilot Chat from [https://www.microsoft.com/copilot](https://www.microsoft.com/copilot) unless that URL is blocked by the IT admin. - If the admins make no selection, users will be asked to pin Microsoft 365 Copilot Chat by themselves for easy access. +IT admins can pin the Microsoft 365 Copilot app to the Windows taskbar to enable easy and seamless access for users. This can be managed using policies to [configure applications pinned to the Windows taskbar](/windows/configuration/taskbar/pinned-apps). ## When will this happen? -The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now. -The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. 
This update is replacing the current Copilot in Windows experience. +The update to Microsoft 365 Copilot Chat to offer enterprise data protection roll out started in September 2024. Changes were rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and then the October 2024 monthly security update for all supported versions of Windows 11. These changes were applied to Windows 10 PCs in November 2024. This update replaced the legacy Copilot in Windows experience. -The Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. +The Copilot app is automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. Note that the Copilot app, which is a consumer experience, doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access. 
-## Policy information for previous Copilot in Windows (preview) experience - -Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft 365 Copilot Chat within the Microsoft 365 Copilot app in the Microsoft 365 admin center. - -The following policy to manage Copilot in Windows (preview) will be removed in the future and is considered a legacy policy: - - -|   | Setting | -|---|---| -| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | -| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** | - ## Remove or prevent installation of the Copilot app You can remove or uninstall the Copilot app from your device by using one of the following methods: 
@@ -102,28 +75,15 @@ You can remove or uninstall the Copilot app from your device by using one of the ## Implications for the Copilot hardware key - -The Microsoft 365 Copilot app is now available only to consumer users authenticating with a Microsoft account and won't work for commercial users authenticating with a Microsoft Entra account. With this change, IT admins need to take steps to ensure users authenticating with a Microsoft Entra account can still access Copilot with the Copilot key. Users attempting to sign in to the Copilot app with their Microsoft Entra account will be redirected to the browser version of Microsoft 365 Copilot Chat for work (https://copilot.cloud.microsoft). + +The updated Copilot hardware key experience on Windows 11 devices offers a more streamlined and context-aware interaction model for both consumer and commercial users. For commercial customers, pressing the Copilot key now opens a lightweight prompt box for quick access to Microsoft 365 Copilot, allowing users to stay in their workflow without switching apps or screens. This prompt can be expanded into the full Microsoft 365 Copilot app for more functionality. This change started rolling out in the May 2025 optional nonsecurity preview release. It addressed feedback from enterprise users who found the key defaulted to a consumer experience on managed devices. IT admins can configure or remap the key using [group policy or CSP settings](#policies-to-manage-the-copilot-key) to meet organizational needs. -For the optimal experience, enterprise customers should go to Windows client policies, such as Group Policy or Configuration Service Provider (CSP) policies to update the target of the key to the Microsoft 365 Copilot app so that users can access Copilot within the Microsoft 365 Copilot app. End users can also configure this from the **Settings** page. - -The Microsoft 365 Copilot app comes preinstalled on all Windows 11 PCs. 
If your organization uninstalled the Microsoft 365 Copilot app, we suggest you reinstall it from the Microsoft Store or your preferred application management solution so that the Copilot key can be remapped to the Microsoft 365 Copilot app. We also suggest you [Pin Microsoft 365 Copilot Chat](/copilot/microsoft-365/pin-copilot) to the navigation bar of the Microsoft 365 Copilot app. - -To avoid confusion for users as to which entry point for Microsoft 365 Copilot Chat to use, we recommend you uninstall the Copilot app. - -Use the table below to help determine the experience for your managed organization: - -| Configuration | Copilot experience | Copilot key invokes | -| ---| --- | --- | -| Copilot **not enabled** in environment | Neither Copilot in Windows (preview) nor the Microsoft 365 Copilot app are present. | Windows Search | -| Copilot **enabled** + **do not authenticate** with Microsoft Entra | Copilot in Windows (preview) is removed and replaced by the Microsoft 365 Copilot app, which is not pinned to the taskbar unless you elect to do so. | Microsoft 365 Copilot app | -| Copilot **enabled** + **authenticate** with Microsoft Entra + **new device** | Copilot in Windows (preview) is not present. Microsoft 365 Copilot Chat is accessed through the Microsoft 365 Copilot app (after post-setup update). | Microsoft 365 Copilot Chat within the Microsoft 365 Copilot app (after post-setup update). | -| Copilot **enabled** + **authenticate** with Microsoft Entra + **existing device** | Copilot in Windows (preview) is removed. Existing users with Copilot enabled on their devices will still see the Microsoft 365 Copilot app. | IT admins should use policy to remap the Copilot key to the Microsoft 365 Copilot app, or prompt users to choose. 
| +If you're a software developer, you'll need to register your app as a [Microsoft Copilot hardware key provider](/windows/apps/develop/windows-integration/microsoft-copliot-key-provider) to allow users to remap the Copilot key to your app. This is done by adding `com.microsoft.windows.copilotkeyprovider` as the **Name** within the [uap3:AppExtension](/uwp/schemas/appxpackage/uapmanifestschema/element-uap3-appextension-manual) for your app's package manifest file. ## Policies to manage the Copilot key -Policies are available to configure the target app of the Copilot hardware key. For more information, see [WindowsAI Policy CSP](mdm/policy-csp-windowsai.md). +Policies are available so admins can configure the target app of the Copilot hardware key. For more information, see [WindowsAI Policy CSP](mdm/policy-csp-windowsai.md). To configure the Copilot key, use the following policy: @@ -133,6 +93,7 @@ To configure the Copilot key, use the following policy: | **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Set Copilot Hardware Key** | + ## End user settings for the Copilot key If you choose to provide users in your organization with the choice to manage their own experience, a protocol to launch the **Settings** app remap the Copilot key is available. The following can be used by apps and scripts to bring the user to the setting so they can modify it to meet their needs: 
@@ -142,17 +103,16 @@ If you choose to provide users in your organization with the choice to manage th :::image type="content" border="true" source="./images/9598546-copilot-key-settings.png" alt-text="Screenshot of the text input page in Settings." lightbox="./images/9598546-copilot-key-settings.png"::: - If a user signed in with their Microsoft Entra account doesn't already have the key mapped to the Microsoft 365 Copilot app, they can select the app by going to **Settings** > **Personalization** > **Text input**, then selecting from the dropdown menu in the setting called **Customize Copilot key on keyboard**. This dropdown has options for: **Search**, **Custom**, or a currently mapped app if one is selected. To map the key to the Microsoft 365 Copilot app, the user should select **Custom** and then choose the Microsoft 365 Copilot app from the app picker. If this app picker is empty or doesn't include the Microsoft 365 Copilot app, they should reinstall it from the Microsoft Store. -Users can also choose to have the Copilot key launch an app that is MSIX packaged and signed, ensuring the app options the Copilot key can remap to meet security and privacy requirements. +Users can also choose to have the Copilot key launch an app that is MSIX packaged and signed, ensuring the app configured to the Copilot key can remap to meet security and privacy requirements. If the app isn't listed in the app picker for the Copilot key, it's possible that the app provider hasn't registered it yet in their package manifest file as a [Microsoft Copilot hardware key provider](/windows/apps/develop/windows-integration/microsoft-copliot-key-provider). Check with your app provider to see if they've recently updated the app and that you have the lastest version of their app installed. 
## Copilot installation with Windows updates and controls -If you're an IT administrator and have enabled group policies to prevent the installation of Copilot, the Copilot app won't be installed on the configured devices. If you haven't enabled a group policy, you can remove the Copilot app by following one of the steps in the [Remove or prevent installation of the Copilot app](#remove-or-prevent-installation-of-the-copilot-app) section or configure the [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) before installing Windows updates. When the AppLocker policy for Copilot is enabled, it will: +If you're an IT administrator, you can remove the consumer Copilot app by following one of the steps in the [Remove or prevent installation of the Copilot app](#remove-or-prevent-installation-of-the-copilot-app) section or configure the [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) before installing Windows updates. When the AppLocker policy for Copilot is enabled, it will: -- Prevent the app from being installed if it isn't already on the device. -- Block the app from being launched if it's already installed. \ No newline at end of file +- Prevent the consumer app from being installed if it isn't already on the device. +- Block the consumer app from being launched if it's already installed. \ No newline at end of file diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index f7f31560e0..2d07daee23 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -1,7 +1,7 @@ --- title: eUICCs CSP description: Learn more about the eUICCs CSP. -ms.date: 03/12/2025 +ms.date: 06/09/2025 ms.topic: generated-reference --- 
@@ -10,6 +10,8 @@ ms.topic: generated-reference # eUICCs CSP +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. @@ -27,7 +29,9 @@ The following list shows the eUICCs configuration service provider nodes: - [{ServerName}](#euiccdownloadserversservername) - [AutoEnable](#euiccdownloadserversservernameautoenable) - [DiscoveryState](#euiccdownloadserversservernamediscoverystate) + - [ICCID](#euiccdownloadserversservernameiccid) - [IsDiscoveryServer](#euiccdownloadserversservernameisdiscoveryserver) + - [MaximumAttempts](#euiccdownloadserversservernamemaximumattempts) - [Identifier](#euiccidentifier) - [IsActive](#euiccisactive) - [Policies](#euiccpolicies) @@ -370,6 +374,45 @@ Current state of the discovery operation for this server (Requested = 1, Executi + +##### {eUICC}/DownloadServers/{ServerName}/ICCID + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/DownloadServers/{ServerName}/ICCID +``` + + + + +The ICCID of the eSIM profile downloaded as a result of successfully running the eSIM bulk activation process policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Get | + + + + + + + + ##### {eUICC}/DownloadServers/{ServerName}/IsDiscoveryServer @@ -419,6 +462,46 @@ Indicates whether the server is a discovery server or if it's used for bulk down + +##### {eUICC}/DownloadServers/{ServerName}/MaximumAttempts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/eUICCs/{eUICC}/DownloadServers/{ServerName}/MaximumAttempts +``` + + + + +How many times profile download should be attempted before giving up. A value of 0 indicates unlimited retry attempts. When a value isn't specified, it defaults to 50, which is equivalent to about a month of retry attempts. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Get, Replace | +| Default Value | 50 | + + + + + + + + ### {eUICC}/Identifier diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index 3b2b23d68b..c7d0dd61ed 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -1,7 +1,7 @@ --- title: eUICCs DDF file description: View the XML file containing the device description framework (DDF) for the eUICCs configuration service provider. -ms.date: 02/13/2025 +ms.date: 06/09/2025 ms.topic: generated-reference --- @@ -304,6 +304,59 @@ The following XML file contains the device description framework (DDF) for the e + + MaximumAttempts + + + + + + + 50 + How many times profile download should be attempted before giving up. A value of 0 indicates unlimited retry attempts. When a value is not specified, it defaults to 50, which is equivalent to about a month of retry attempts. + + + + + + + + + + + + + + 99.9.99999 + 9.9 + + + + + ICCID + + + + + The ICCID of the eSIM profile downloaded as a result of successfully running the eSIM bulk activation process policy. + + + + + + + + + + + + + + 99.9.99999 + 9.9 + + + diff --git a/windows/client-management/mdm/includes/wip-deprecation.md b/windows/client-management/mdm/includes/wip-deprecation.md index e07cd11abf..10c2631701 100644 --- a/windows/client-management/mdm/includes/wip-deprecation.md 
+++ b/windows/client-management/mdm/includes/wip-deprecation.md
@@ -1,6 +1,6 @@
 ---
-author: aczechowski
-ms.author: aaroncz
+author: vinaypamnani-msft
+ms.author: vinpa
 ms.service: windows-client
 ms.topic: include
 ms.date: 07/20/2022
diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md
index d7d8d8d642..05b0a0020b 100644
--- a/windows/client-management/mdm/multisim-csp.md
+++ b/windows/client-management/mdm/multisim-csp.md
@@ -1,170 +1,579 @@ --- title: MultiSIM CSP -description: MultiSIM configuration service provider (CSP) allows the enterprise to manage devices with dual SIM single active configuration. -ms.date: 03/22/2018 +description: Learn more about the MultiSIM CSP. +ms.date: 06/10/2025 +ms.topic: generated-reference --- + + + # MultiSIM CSP -The table below shows the applicability of Windows: + + +The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +The following list shows the MultiSIM configuration service provider nodes: -The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803. +- ./Device/Vendor/MSFT/MultiSIM + - [{ModemID}](#modemid) + - [Identifier](#modemididentifier) + - [IsEmbedded](#modemidisembedded) + - [Policies](#modemidpolicies) + - [SlotSelectionEnabled](#modemidpoliciesslotselectionenabled) + - [Slots](#modemidslots) + - [{SlotID}](#modemidslotsslotid) + - [Identifier](#modemidslotsslotididentifier) + - [IsEmbedded](#modemidslotsslotidisembedded) + - [IsSelected](#modemidslotsslotidisselected) + - [State](#modemidslotsslotidstate) + + +## {ModemID} -The following shows the MultiSIM configuration service provider in tree format. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/MultiSIM/{ModemID} ``` -./Device/Vendor/MSFT -MultiSIM -----ModemID ---------Identifier ---------IsEmbedded ---------Slots -------------SlotID -----------------Identifier -----------------IsEmbedded -----------------IsSelected -----------------State ---------Policies -------------SlotSelectionEnabled + + + + +Node representing a Mobile Broadband Modem. The node name is the Modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded Modem. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `node` | +| Access Type | Get | +| Dynamic Node Naming | UniqueName: The Modem ID associated with the device. | + + + + + + + + + +### {ModemID}/Identifier + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/MultiSIM/{ModemID}/Identifier ``` -**./Device/Vendor/MSFT/MultiSIM** -Root node. + -**_ModemID_** -Node representing a Mobile Broadband Modem. The node name is the modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded modem. - -**_ModemID_/Identifier** + + Modem ID. + -Supported operation is Get. Value type is string. + + + -**_ModemID_/IsEmbedded** -Indicates whether this modem is embedded or external. + +**Description framework properties**: -Supported operation is Get. Value type is bool. +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Get | + -**_ModemID_/Slots** -Represents all SIM slots in the Modem. + + + -**_ModemID_/Slots/_SlotID_** -Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot. + -**_ModemID_/Slots/_SlotID_/Identifier** -Slot ID. + +### {ModemID}/IsEmbedded -Supported operation is Get. Value type is integer. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + -**_ModemID_/Slots/_SlotID_/IsEmbedded** -Indicates whether this Slot is embedded or a physical SIM slot. + +```Device +./Device/Vendor/MSFT/MultiSIM/{ModemID}/IsEmbedded +``` + -Supported operation is Get. Value type is bool. + + +Indicates whether this Modem is embedded or external. + -**_ModemID_/Slots/_SlotID_/IsSelected** -Indicates whether this Slot is selected or not. + + + -Supported operation is Get and Replace. Value type is bool. + +**Description framework properties**: -**_ModemID_/Slots/_SlotID_/State** -Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8) +| Property name | Property value | +|:--|:--| +| Format | `bool` | +| Access Type | Get | + -Supported operation is Get. Value type is integer. + + + -**_ModemID_/Policies** + + + +### {ModemID}/Policies + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/MultiSIM/{ModemID}/Policies +``` + + + + Policies associated with the Modem. + -**_ModemID_/Policies/SlotSelectionEnabled** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `node` | +| Access Type | Get | + + + + + + + + + +#### {ModemID}/Policies/SlotSelectionEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/MultiSIM/{ModemID}/Policies/SlotSelectionEnabled +``` + + + + Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true. + -Supported operation is Get and Replace. Value type is bool. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `bool` | +| Access Type | Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | Disabled. | +| true (Default) | Enabled. | + + + + + + + + + +### {ModemID}/Slots + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/MultiSIM/{ModemID}/Slots
+```
+
+
+
+
+Represents all SIM slots in the Modem.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### {ModemID}/Slots/{SlotID}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/MultiSIM/{ModemID}/Slots/{SlotID}
+```
+
+
+
+
+Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+| Dynamic Node Naming | UniqueName: The SIM slot ID. |
+
+
+
+
+
+
+
+
+
+##### {ModemID}/Slots/{SlotID}/Identifier
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/MultiSIM/{ModemID}/Slots/{SlotID}/Identifier
+```
+
+
+
+
+Slot ID.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### {ModemID}/Slots/{SlotID}/IsEmbedded
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/MultiSIM/{ModemID}/Slots/{SlotID}/IsEmbedded
+```
+
+
+
+
+Indicates whether this Slot is embedded or a physical SIM slot.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### {ModemID}/Slots/{SlotID}/IsSelected
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/MultiSIM/{ModemID}/Slots/{SlotID}/IsSelected
+```
+
+
+
+
+Indicates whether this Slot is selected or not.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Not selected. |
+| true | Selected. |
+
+
+
+
+
+
+
+
+
+##### {ModemID}/Slots/{SlotID}/State
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/MultiSIM/{ModemID}/Slots/{SlotID}/State +``` + + + + +Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8) + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get | + + + + + + + + + + ## Examples -Get modem -```xml - - - - 1 - - - - ./Vendor/MSFT/MultiSIM - - - - - - - -``` +- Get modem: -Get slots -```xml - - - - 1 - - - - ./Vendor/MSFT/MultiSIM/Embedded/Slots - - - - - - - -``` + ```xml + + + + 1 + + + + ./Vendor/MSFT/MultiSIM + + + + + + + + ``` -Get slot state -```xml - - - - 1 - - - - ./Vendor/MSFT/MultiSIM/Embedded/Slots/Embedded/State - - - - - - - -``` +- Get slots: -Select slot -```xml - - - - 1 - - - - ./Vendor/MSFT/MultiSIM/Embedded/Slots/0/IsSelected - - - - bool - text/plain - - true - - - - - -``` + ```xml + + + + 1 + + + + ./Vendor/MSFT/MultiSIM/Embedded/Slots + + + + + + + + ``` + +- Get slot state: + + ```xml + + + + 1 + + + + ./Vendor/MSFT/MultiSIM/Embedded/Slots/Embedded/State + + + + + + + + ``` + +- Select slot: + + ```xml + + + + 1 + + + + ./Vendor/MSFT/MultiSIM/Embedded/Slots/0/IsSelected + + + + bool + text/plain + + true + + + + + + ``` + + + + +## Related articles + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md index 435a597cc4..f3c909e3bb 100644 --- a/windows/client-management/mdm/multisim-ddf.md +++ b/windows/client-management/mdm/multisim-ddf.md 
@@ -1,31 +1,123 @@ --- title: MultiSIM DDF file -description: XML file containing the device description framework for the MultiSIM configuration service provider. -ms.date: 02/27/2018 +description: View the XML file containing the device description framework (DDF) for the MultiSIM configuration service provider. +ms.date: 06/09/2025 +ms.topic: generated-reference --- -# MultiSIM DDF + +# MultiSIM DDF file -This topic shows the OMA DM device description framework (DDF) for the **MultiSIM** configuration service provider. - -The XML below is for Windows 10, version 1803. +The following XML file contains the device description framework (DDF) for the MultiSIM configuration service provider. ```xml -]> +]> 1.2 + + + + MultiSIM + ./Device/Vendor/MSFT + + + + + Subtree for multi-SIM management. + + + + + + + + + + + + + + 10.0.17134 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + + + + + + + + + + Node representing a Mobile Broadband Modem. The node name is the Modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded Modem. + + + + + + + + + + ModemID + + + + + The Modem ID associated with the device. + + - MultiSIM - ./Device/Vendor/MSFT + Identifier - Subtree for multi-SIM management. + Modem ID. + + + + + + + + + + + + + + + + IsEmbedded + + + + + Indicates whether this Modem is embedded or external. + + + + + + + + + + + + + + + + Slots + + + + + Represents all SIM slots in the Modem. 
@@ -33,20 +125,20 @@ The XML below is for Windows 10, version 1803. - + - com.microsoft/1.0/MDM/MultiSIM - + - + + - Node representing a Mobile Broadband Modem. The node name is the Modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded Modem. + Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot. @@ -56,10 +148,13 @@ The XML below is for Windows 10, version 1803. - ModemID + SlotID - + + + The SIM slot ID. + Identifier @@ -67,9 +162,9 @@ The XML below is for Windows 10, version 1803. - Modem ID. + Slot ID. - + @@ -77,11 +172,8 @@ The XML below is for Windows 10, version 1803. - - - - text/plain + @@ -91,7 +183,7 @@ The XML below is for Windows 10, version 1803. - Indicates whether this Modem is embedded or external. + Indicates whether this Slot is embedded or a physical SIM slot. @@ -102,19 +194,20 @@ The XML below is for Windows 10, version 1803. - text/plain + - Slots + IsSelected + - Represents all SIM slots in the Modem. + Indicates whether this Slot is selected or not. - + 
@@ -123,126 +216,29 @@ The XML below is for Windows 10, version 1803. - + + + + false + Not selected + + + true + Selected + + - - - - - - - Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot. - - - - - - - - - - SlotID - - - - - - Identifier - - - - - Slot ID. - - - - - - - - - - - text/plain - - - - - IsEmbedded - - - - - Indicates whether this Slot is embedded or a physical SIM slot. - - - - - - - - - - - text/plain - - - - - IsSelected - - - - - - Indicates whether this Slot is selected or not. - - - - - - - - - - - text/plain - - - - - State - - - - - Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8) - - - - - - - - - - - text/plain - - - - - Policies + State - Policies associated with the Modem. + Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8) - + @@ -251,34 +247,71 @@ The XML below is for Windows 10, version 1803. - + - - SlotSelectionEnabled - - - - - - true - Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true. - - - - - - - - - - - text/plain - - - + + Policies + + + + + Policies associated with the Modem. + + + + + + + + + + + + + + + SlotSelectionEnabled + + + + + + true + Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true. + + + + + + + + + + + + + + + false + Disabled + + + true + Enabled + + + + + + +
```
+
+## Related articles
+
+[MultiSIM configuration service provider reference](multisim-csp.md)
diff --git a/windows/client-management/mdm/policies-in-preview.md b/windows/client-management/mdm/policies-in-preview.md
index e7a1b732c0..36f79a143f 100644
--- a/windows/client-management/mdm/policies-in-preview.md
+++ b/windows/client-management/mdm/policies-in-preview.md
@@ -1,7 +1,7 @@
 ---
 title: Configuration service provider preview policies
 description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
-ms.date: 05/02/2025
+ms.date: 06/09/2025
 ms.topic: generated-reference
 ---
@@ -13,6 +13,10 @@ ms.topic: generated-reference
 This article lists the policies that are applicable for Windows Insider Preview builds.
+## AboveLock
+
+- [ConfigureAudioOnLockScreen](policy-csp-abovelock.md#configureaudioonlockscreen)
+
 ## AppDeviceInventory
 - [TurnOffInstallTracing](policy-csp-appdeviceinventory.md#turnoffinstalltracing)
@@ -82,6 +86,11 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [Cadence](dmclient-csp.md#deviceproviderprovideridconfigrefreshcadence)
 - [PausePeriod](dmclient-csp.md#deviceproviderprovideridconfigrefreshpauseperiod)
+## eUICCs CSP
+
+- [MaximumAttempts](euiccs-csp.md#euiccdownloadserversservernamemaximumattempts)
+- [ICCID](euiccs-csp.md#euiccdownloadserversservernameiccid)
+
 ## FileSystem
 - [EnableDevDrive](policy-csp-filesystem.md#enabledevdrive)
@@ -249,6 +258,7 @@ This article lists the policies that are applicable for Windows Insider Preview
 - [ProfileRegistrationTimerInSeconds](wirelessnetworkpreference-csp.md#parameterscellularparametersprofileregistrationtimerinseconds)
 - [ScreenOffDurationToTriggerNetworkDiscoveryInMinutes](wirelessnetworkpreference-csp.md#parameterscellularparametersscreenoffdurationtotriggernetworkdiscoveryinminutes)
 - [Priority](wirelessnetworkpreference-csp.md#connectionprofilesconnectionprofileidpriority)
+- [StayConnected](wirelessnetworkpreference-csp.md#connectionprofilesconnectionprofileidstayconnected)
 - [WirelessType](wirelessnetworkpreference-csp.md#connectionprofilesconnectionprofileidwirelesstype)
 - [PLMNID](wirelessnetworkpreference-csp.md#connectionprofilesconnectionprofileidcellularplmnid)
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index 0df191d92f..fc66bd83cd 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -1,7 +1,7 @@
 ---
 title: AboveLock Policy CSP
 description: Learn more about the AboveLock Area in Policy CSP.
-ms.date: 03/12/2025
+ms.date: 06/09/2025
 ms.topic: generated-reference
 ---
@@ -10,6 +10,8 @@ ms.topic: generated-reference
 # Policy CSP - AboveLock
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -182,6 +184,66 @@ Specifies whether to allow toast notifications above the device lock screen. Mos
+
+## ConfigureAudioOnLockScreen
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/AboveLock/ConfigureAudioOnLockScreen
+```
+
+
+
+
+This policy will allow the audio above lock screen to be managed by IT admins and allow apps like digital signage to play audio above lock screen without having a user signed on.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | No audio playback or recording on lock screen (aside from OS defined exceptions). |
+| 1 | Audio playback allowed on lock screen. Audio recording isn't allowed. |
+| 2 | Audio playback and recording allowed on lock screen. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ConfigureAudioOnLockScreen |
+| Path | Audio > AT > WindowsComponents > Audio |
+| Element Name | ConfigureAudioOnLockScreen_Enum |
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 50b70af65a..2b1b54e4b2 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -1,7 +1,7 @@
 ---
 title: DeviceLock Policy CSP
 description: Learn more about the DeviceLock Area in Policy CSP.
-ms.date: 04/30/2025
+ms.date: 06/09/2025
 ms.topic: generated-reference
 ---
@@ -35,7 +35,7 @@ ms.topic: generated-reference -Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account can't be used until it's reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0 Account lockout duration - This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. +Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account can't be used until it's reset by an administrator or until the lockout duration for the account has expired. 
You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0 Account lockout duration - This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. The following example shows how to set the value of this policy: "AccountLockoutDuration:30, AccountLockoutThreshold:5, ResetAccountLockoutCounterAfter:60" @@ -113,7 +113,7 @@ Allow Administrator account lockout This security setting determines whether the | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
@@ -784,7 +784,7 @@ On HoloLens, this timeout is controlled by the device's system sleep timeout, re
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 95593ac094..be4a21a3b1 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -1,7 +1,7 @@
 ---
 title: Privacy Policy CSP
 description: Learn more about the Privacy Area in Policy CSP.
-ms.date: 03/12/2025
+ms.date: 06/10/2025
 ms.topic: generated-reference
 ---
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 784e8088ba..a29257d3d6 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,7 +1,7 @@
 ---
 title: WiFi CSP
 description: Learn more about the WiFi CSP.
-ms.date: 05/13/2025
+ms.date: 06/10/2025
 ms.topic: generated-reference
 ---
@@ -113,7 +113,6 @@ Specifies the Profile name of the Wi-Fi network (32 bytes maximum) to create, co
 > This field is the Profile Name that appears as a "Friendly Name" to the user and contains the Wi-Fi settings information. The non-%-escaped value must correspond to `` in ` `. The Profile name can be the same or different from the SSID of the actual network being broadcast (which is under ` `). For example, the broadcast SSID might be "CC_Corp_7" but the Profile name might be "ContosoWiFi".
-
@@ -153,7 +152,6 @@ In the following example, the 'ContosoWiFi' Profile is added, targeting the 'CC_
 > If the Profile name isn't set correctly in the MDM SyncML, as per the information in the Wi-Fi settings XML (``), it could lead to some unexpected errors at runtime. In other words, if the profile is `Contoso Wi-Fi{...}`, the MDM SyncML must be `./Vendor/MSFT/WiFi/Profile/Contoso%20Wi-Fi/WlanXml`.
 >
 > In this example, if we instead had `./Vendor/MSFT/WiFi/Profile/CC_Corp_7/WlanXml`, the profile would be considered to be User provisioned, not MDM provisioned, which may cause users to connect to the wrong network.
-
@@ -231,7 +229,6 @@ Optional node. The format is url:port. Configuration of the network proxy (if an
 > [!NOTE]
 > Don't use. Using this configuration in Windows client editions may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead.
-
@@ -273,7 +270,6 @@ Optional node. URL to the PAC file location.
 > [!NOTE]
 > Don't use. Using this configuration in Windows client editions may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead.
-
@@ -315,7 +311,6 @@ Optional node. The presence of the field enables WPAD for proxy lookup.
 > [!NOTE]
 > Don't use. Using this configuration in Windows client editions may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead.
-
@@ -422,7 +417,6 @@ If it exists in the blob, the **keyType** and **protected** elements must come b
 > [!NOTE]
 > If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the [EapHostConfig](/windows/win32/eaphost/eaphostconfigschema-eaphostconfig-element) portion of the WlanXml ([WLANProfile](/windows/win32/nativewifi/wlan-profileschema-elements) > [MSM](/windows/win32/nativewifi/wlan-profileschema-msm-wlanprofile-element) > [security](/windows/win32/nativewifi/wlan-profileschema-security-msm-element) > [OneX](/windows/win32/nativewifi/onexschema-onex-element) > EAPConfig). For more information, see [EAP configuration](./eap-configuration.md) and [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access). For an example, see [Wireless profile samples](/windows/win32/nativewifi/wireless-profile-samples).
-
@@ -594,7 +588,6 @@ Optional node. The format is url:port. Configuration of the network proxy (if an
 > [!NOTE]
 > Don't use. Using this configuration in Windows client editions may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead.
-
@@ -636,7 +629,6 @@ Optional node. URL to the PAC file location.
 > [!NOTE]
 > Don't use. Using this configuration in Windows client editions may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead.
-
@@ -678,7 +670,6 @@ Optional node. The presence of the field enables WPAD for proxy lookup.
 > [!NOTE]
 > Don't use. Using this configuration in Windows client editions may fail or have no effect. Use [NetworkProxy](networkproxy-csp.md) CSP instead.
-
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index 1b8f00d555..f1f4b05497 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -1,7 +1,7 @@
 ---
 title: WiredNetwork CSP
 description: Learn more about the WiredNetwork CSP.
-ms.date: 05/14/2025
+ms.date: 06/10/2025
 ms.topic: generated-reference
 ---
@@ -92,7 +92,6 @@ The profile XML must be escaped, as shown in the following examples.
 > [!NOTE]
 > If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the LAN profile, you can do so by specifying this through the [EapHostConfig](/windows/win32/eaphost/eaphostconfigschema-eaphostconfig-element) portion of the LanXML ([LANProfile](/windows/win32/nativewifi/lan-profileschema-schema) > [MSM](/windows/win32/nativewifi/lan-profileschema-msm-lanprofile-element) > [security](/windows/win32/nativewifi/lan-profileschema-security-msm-element) > [OneX](/windows/win32/nativewifi/onexschema-onex-element) > EAPConfig). For more information, see [EAP configuration](./eap-configuration.md) and [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access). For an example, see [Wired Profile Samples](/windows/win32/nativewifi/wired-profile-samples).
-
diff --git a/windows/client-management/mdm/wirelessnetworkpreference-csp.md b/windows/client-management/mdm/wirelessnetworkpreference-csp.md
index cd372050db..615aa79e94 100644
--- a/windows/client-management/mdm/wirelessnetworkpreference-csp.md
+++ b/windows/client-management/mdm/wirelessnetworkpreference-csp.md
@@ -1,7 +1,7 @@
 ---
 title: WirelessNetworkPreference CSP
 description: Learn more about the WirelessNetworkPreference CSP.
-ms.date: 04/30/2025
+ms.date: 06/09/2025
 ms.topic: generated-reference
 ---
@@ -25,6 +25,7 @@ The following list shows the WirelessNetworkPreference configuration service pro
 - [Cellular](#connectionprofilesconnectionprofileidcellular)
 - [PLMNID](#connectionprofilesconnectionprofileidcellularplmnid)
 - [Priority](#connectionprofilesconnectionprofileidpriority)
+ - [StayConnected](#connectionprofilesconnectionprofileidstayconnected)
 - [WirelessType](#connectionprofilesconnectionprofileidwirelesstype)
 - [IsEnabled](#isenabled)
 - [Parameters](#parameters)
@@ -239,6 +240,55 @@ Priority of a policy compared to the others where 1 represents the highest prior
+
+#### ConnectionProfiles/{ConnectionProfileID}/StayConnected
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/WirelessNetworkPreference/ConnectionProfiles/{ConnectionProfileID}/StayConnected
+```
+
+
+
+
+When set to 0: Default network discovery behavior is applied. When set to 1: Once connected, the device will always stay connected to this network. This means the device won't attempt to discover or switch to other higher priority networks until it first loses connectivity to this network.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Default network discovery behavior. |
+| 1 | Once connected to this network, try to stay connected. |
+
+
+
+
+
+
+
+
 #### ConnectionProfiles/{ConnectionProfileID}/WirelessType
diff --git a/windows/client-management/mdm/wirelessnetworkpreference-ddf-file.md b/windows/client-management/mdm/wirelessnetworkpreference-ddf-file.md
index 01d64c2b80..86eb60d69b 100644
--- a/windows/client-management/mdm/wirelessnetworkpreference-ddf-file.md
+++ b/windows/client-management/mdm/wirelessnetworkpreference-ddf-file.md
@@ -1,7 +1,7 @@
 ---
 title: WirelessNetworkPreference DDF file
 description: View the XML file containing the device description framework (DDF) for the WirelessNetworkPreference configuration service provider.
-ms.date: 04/30/2025
+ms.date: 06/09/2025
 ms.topic: generated-reference
 ---
@@ -447,6 +447,41 @@ The following XML file contains the device description framework (DDF) for the W + + StayConnected + + + + + + + + 0 + When set to 0: Default network discovery behavior is applied. When set to 1: Once connected, the device will always stay connected to this network. This means the device will not attempt to discover or switch to other higher priority networks until it first loses connectivity to this network. + + + + + + + + + + + + + + + 0 + Default network discovery behavior. + + + 1 + Once connected to this network, try to stay connected. + + + + WirelessType diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index e4672dc5e7..f28875090d 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -43,7 +43,7 @@ "uhfHeaderId": "MSDocsHeader-Windows", "ms.subservice": "itpro-configure", "ms.service": "windows-client", - "manager": "aaroncz", + "manager": "bpardi", "feedback_system": "Standard", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index c84e3b6be5..9254d867ee 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -10,7 +10,7 @@ metadata: - tier1 author: paolomatarazzo ms.author: paoloma - manager: aaroncz + manager: bpardi ms.date: 12/05/2024 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new 
diff --git a/windows/configuration/quick-machine-recovery/images/quick-machine-recovery-settings.png b/windows/configuration/quick-machine-recovery/images/quick-machine-recovery-settings.png
index dac1200e44..babaa2550d 100644
Binary files a/windows/configuration/quick-machine-recovery/images/quick-machine-recovery-settings.png and b/windows/configuration/quick-machine-recovery/images/quick-machine-recovery-settings.png differ
diff --git a/windows/configuration/quick-machine-recovery/index.md b/windows/configuration/quick-machine-recovery/index.md
index ba339b78cf..b1aa4fbed8 100644
--- a/windows/configuration/quick-machine-recovery/index.md
+++ b/windows/configuration/quick-machine-recovery/index.md
@@ -2,11 +2,12 @@
 title: Quick Machine Recovery
 description: Learn about quick machine recovery and how to configure it with the RemoteRemediation configuration service provider (CSP).
 ms.topic: how-to
-ms.date: 04/02/2025
+ms.date: 06/02/2025
 ms.author: paoloma
 author: paolomatarazzo
 appliesto:
 - "✅ Windows Insider (Beta Channel)"
+ - "✅ Windows Insider (Dev Channel)"
 ---
 # Quick machine recovery
@@ -91,6 +92,56 @@ The configuration options consist of: [!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)] +# [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune**](#tab/intune) + +[!INCLUDE [intune-settings-catalog-1](../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | +|--|--| +| **Remote Remediation** | Enable Cloud Remediation | +| **Remote Remediation** | Enable Cloud Remediation > Enable Auto Remediation | +| **Remote Remediation** | Enable Cloud Remediation > Enable Auto Remediation > Set Time To Reboot | +| **Remote Remediation** | Enable Cloud Remediation > Enable Auto Remediation > Set Retry Interval | +| **Remote Remediation** | Enable Cloud Remediation > Enable Auto Remediation > Network SSID | +| **Remote Remediation** | Enable Cloud Remediation > Enable Auto Remediation > Network Password | +| **Remote Remediation** | Enable Cloud Remediation > Enable Auto Remediation > Network Password Encryption Type | +| **Remote Remediation** | Enable Cloud Remediation > Enable Auto Remediation > Network Password Encryption Store | + +[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)] + +# [:::image type="icon" source="../images/icons/csp.svg" border="false"::: **CSP**](#tab/csp) + +You can configure devices with the [RemoteRemediation CSP][CSP-1]. + +### Cloud remediation configuration + +Enable or disable cloud remediation using the following settings: + +| Setting | +|--| +|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/EnableCloudRemediation`
- **Data type:** Boolean
- **Value:** `True`
- **Description**: When set to `True`, cloud remediation is enabled. | + +### Auto remediation configuration + +Configure the following settings to customize the auto remediation experience: + +| Setting | +|--| +|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation`
- **Data type:** Boolean
- **Value:** `True`
- **Description**: When set to `True`, auto remediation is enabled. | +|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/SetTimeToReboot`
- **Data type:** Integer
- **Value:** 1-4320 (default = 180)
- **Description**: Configure the time to reboot (in minutes) during auto remediation. The maximum time to reboot possible is 72 hours.| +|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/SetRetryInterval`
- **Data type:** Integer
- **Value:** 1-4320 (default = 30)
- **Description**: Configure the retry interval (in minutes) during auto remediation. The retry interval shouldn't be higher than the time to reboot.| + +### Wi-Fi network connection configuration + +To configure the Wi-Fi network connection used during recovery, use the following settings: + +|Setting| +|--| +|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkSSID`
- **Data type:** string
- **Value:** Wi-Fi network Service Set Identifier (SSID)| +|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPassword`
- **Data type:** string
- **Value:** Wi-Fi network password| +|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPasswordEncryptionType`
- **Data type:** Integer
- **Value:** `0` = The password isn't encrypted; `1` = The password is encrypted with the MDM certificate, `2` = The password is encrypted with custom certificate. When this value is used, you must also specify the custom store name in the `NetworkPasswordEncryptionStore` node.| +|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPasswordEncryptionStore`
- **Data type:** string
- **Value:** When a value of `2` is contained in `NetworkPasswordEncryptionType`, specify the store name where the certificate for decrypting the Network Password is stored.| + # [:::image type="icon" source="../images/icons/cmd.svg"::: **Command prompt**](#tab/cmd) To configure quick machine recovery using the command line, you must create an XML file with the desired settings and then use the `reagentc.exe` command to apply those settings. @@ -132,38 +183,21 @@ To remove the configured recovery settings, run the following command from an el reagentc.exe /clearrecoverysettings ``` -# [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune) +# [:::image type="icon" source="../images/icons/settings-app.svg"::: **Settings**](#tab/settings) -You can configure devices using a [custom policy][INT-1] with the [RemoteRemediation CSP][CSP-1]. +Here are the steps to configure quick machine recovery from Settings: -### Cloud remediation configuration +1. Open Settings and go to **System** > **Recovery**, or use the following shortcut: -Enable or disable cloud remediation using the following settings: + > [!div class="nextstepaction"] + > + > [Recovery](ms-settings:recovery) -| Setting | -|--| -|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/EnableCloudRemediation`
- **Data type:** Boolean
- **Value:** `True`
- **Description**: When set to `True`, cloud remediation is enabled. | +1. Select **Quick machine recovery** +1. To enable quick machine recovery, turn the **Quick machine recovery** toggle to **On** +1. Configure the retry and restart intervals as needed -### Auto remediation configuration - -Configure the following settings to customize the auto remediation experience: - -| Setting | -|--| -|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/EnableAutoRemediation`
- **Data type:** Boolean
- **Value:** `True`
- **Description**: When set to `True`, auto remediation is enabled. | -|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/SetTimeToReboot`
- **Data type:** Integer
- **Value:** 1-4320 (default = 180)
- **Description**: Configure the time to reboot (in minutes) during auto remediation. The maximum time to reboot possible is 72 hours.| -|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/AutoRemediationSettings/SetRetryInterval`
- **Data type:** Integer
- **Value:** 1-4320 (default = 30)
- **Description**: Configure the retry interval (in minutes) during auto remediation. The retry interval shouldn't be higher than the time to reboot.| - -### Wi-Fi network connection configuration - -To configure the Wi-Fi network connection used during recovery, use the following settings: - -|Setting| -|--| -|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkSSID`
- **Data type:** string
- **Value:** Wi-Fi network Service Set Identifier (SSID)| -|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPassword`
- **Data type:** string
- **Value:** Wi-Fi network password| -|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPasswordEncryptionType`
- **Data type:** Integer
- **Value:** `0` = The password isn't encrypted; `1` = The password is encrypted with the MDM certificate, `2` = The password is encrypted with custom certificate. When this value is used, you must also specify the custom store name in the `NetworkPasswordEncryptionStore` node.| -|- **OMA-URI:** `./Device/Vendor/MSFT/RemoteRemediation/CloudRemediationSettings/NetworkSettings/NetworkCredentials/NetworkPasswordEncryptionStore`
- **Data type:** string
- **Value:** When a value of `2` is contained in `NetworkPasswordEncryptionType`, specify the store name where the certificate for decrypting the Network Password is stored.| + :::image type="content" source="images/quick-machine-recovery-settings.png" border="false" lightbox="images/quick-machine-recovery-settings.png" alt-text="Screenshot of the Setting app - Recovery - Quick machine recovery - showing the quick machine recovery options."::: --- @@ -196,7 +230,7 @@ REAGENTC.EXE: Operation Successful. :::row::: :::column span="3"::: -Quick machine recovery offers a *test mode*, providing a controlled, simulated environment for you to validate your configurations and the auto remediation process without triggering an actual system failure. Test mode allows you to verify that the recovery experience functions as expected before deployment to production systems. +Quick machine recovery offers a *test mode*, providing a controlled, simulated environment to experience the auto remediation process without triggering an actual system failure. Test mode allows you to verify that the recovery experience functions as expected before deployment to production systems. :::column-end::: :::column span="1"::: :::image type="content" source="images/quick-machine-recovery-test-mode.png" alt-text="Screenshot of the Windows boot screen where quick machine recovery is attempting to connect to the network." border="false" lightbox="images/quick-machine-recovery-test-mode.png"::: diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index 0cd29c4772..2e4c4a44d9 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md 
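Review bot: The new CSP tab documents `NetworkPasswordEncryptionType` value `0` ("The password isn't encrypted") as a plain option with no warning, which leaves admins free to ship the recovery Wi-Fi PSK in clear text inside the policy; the Wi-Fi network connection table should carry a caveat. Suggested text directly under that table: `> [!IMPORTANT]` / `> Avoid setting `NetworkPasswordEncryptionType` to `0`, which stores and delivers the Wi-Fi password unencrypted. Use `1` (encrypted with the MDM certificate) or `2` with a certificate in the store named in `NetworkPasswordEncryptionStore`.` Separately, the Intune settings-catalog table nests "Network SSID", "Network Password" and the two encryption settings under "Enable Cloud Remediation > Enable Auto Remediation", whereas the CSP OMA-URIs place them under `CloudRemediationSettings/NetworkSettings/NetworkCredentials` rather than under `AutoRemediationSettings`; if the catalog hierarchy really differs from the CSP tree, a one-line note saying so would avoid confusion, and if it does not, the table path presumably needs correcting. The surrounding tabbed section starts before this hunk and the closing `---` is inside it.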
@@ -4,7 +4,7 @@ description: This article describes how to configure a PXE server to load Window ms.service: windows-client ms.localizationpriority: medium author: frankroj -manager: aaroncz +manager: bpardi ms.author: frankroj ms.topic: how-to ms.date: 11/23/2022 @@ -118,7 +118,7 @@ All four of the roles specified above can be hosted on the same computer or each The last command will return a GUID, for example: ```console - The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created. + The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created. ``` Copy this GUID for use in the next set of commands. In each command shown, replace "GUID1" with your GUID. @@ -126,9 +126,9 @@ All four of the roles specified above can be hosted on the same computer or each 3. Create a new boot application entry for the Windows PE image: ```cmd - bcdedit.exe /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} - bcdedit.exe /store c:\BCD /set {GUID1} path \windows\system32\winload.exe - bcdedit.exe /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} + bcdedit.exe /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} + bcdedit.exe /store c:\BCD /set {GUID1} path \windows\system32\winload.exe + bcdedit.exe /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} bcdedit.exe /store c:\BCD /set {GUID1} systemroot \windows bcdedit.exe /store c:\BCD /set {GUID1} detecthal Yes bcdedit.exe /store c:\BCD /set {GUID1} winpe Yes @@ -138,7 +138,7 @@ All four of the roles specified above can be hosted on the same computer or each ```cmd bcdedit.exe /store c:\BCD /create {bootmgr} /d "boot manager" - bcdedit.exe /store c:\BCD /set {bootmgr} timeout 30 + bcdedit.exe /store c:\BCD /set {bootmgr} timeout 30 bcdedit.exe /store c:\BCD -displayorder {GUID1} -addlast ``` 
diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md index 0d282bce4e..ba4f2ff1cc 100644 --- a/windows/deployment/customize-boot-image.md +++ b/windows/deployment/customize-boot-image.md @@ -4,7 +4,7 @@ description: This article describes how to customize a Windows PE (WinPE) boot i ms.service: windows-client ms.localizationpriority: medium author: frankroj -manager: aaroncz +manager: bpardi ms.author: frankroj ms.topic: how-to ms.date: 08/16/2024 diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index ea37b8ed81..06fe55c39f 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -1,6 +1,6 @@ --- title: Deploy Windows with Microsoft 365 -manager: aaroncz +manager: bpardi ms.author: frankroj description: Learn about deploying Windows with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365. ms.service: windows-client diff --git a/windows/deployment/do/delivery-optimization-configure.md b/windows/deployment/do/delivery-optimization-configure.md index ac3bf9f54d..c1d5ec9a89 100644 --- a/windows/deployment/do/delivery-optimization-configure.md +++ b/windows/deployment/do/delivery-optimization-configure.md @@ -7,7 +7,7 @@ ms.topic: how-to author: cmknox ms.author: carmenf ms.reviewer: mstewart -manager: aaroncz +manager: bpardi ms.collection: - tier3 - essentials-get-started @@ -34,7 +34,7 @@ Use this checklist to guide you through different aspects when modifying Deliver * Organization size * System resources * Improve P2P efficiencies - + 1. Using Microsoft Connected Cache 1. Choose where to set Delivery Optimization policies 
@@ -166,8 +166,8 @@ Looking to improve P2P efficiency? Some of the most powerful settings you can ch - Help optimize peer connection over HTTP connections using the [DOMinBackgroundQoS](waas-delivery-optimization-reference.md#minimum-background-qos) policy. A good value for the [DOMinBackgroundQoS](waas-delivery-optimization-reference.md#minimum-background-qos) policy is something lower than the average download speed seen in your network. For example, if your average speed is 1000 KB/s, set this policy to 500 KB/s. - Improve chances of downloading from peers and/or cache server by delaying the time DO attempts to make connections before falling back to the HTTP source. The set of delay-related policies include: - [DODelayBackgroundDownloadFromHttp](waas-delivery-optimization-reference.md#delay-background-download-from-http-in-secs) - - [DODelayForegroundDownloadFromHttp](waas-delivery-optimization-reference.md#delay-foreground-download-from-http-in-secs) - + - [DODelayForegroundDownloadFromHttp](waas-delivery-optimization-reference.md#delay-foreground-download-from-http-in-secs) + To improve efficiencies from peers or a dedicated cache server, a good starting point is 60 seconds for background settings and 30 seconds for foreground settings. > [!NOTE] 
@@ -177,12 +177,12 @@ Looking to improve P2P efficiency? Some of the most powerful settings you can ch Regardless of P2P, consider setting the following policies to avoid network disruption. -- Manage network usage as a percentage or absolute value. These policies include: +- Manage network usage as a percentage or absolute value. These policies include: - [DOPercentageMaxBackgroundBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth) - [DOPercentageMaxForegroundBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth) - [DOMaxBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-background-download-bandwidth-in-kbs) - [DOMaxForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#maximum-foreground-download-bandwidth-in-kbs) -- Reduce disruptions by throttling differently at different times of day, using the following business hours policies: +- Reduce disruptions by throttling differently at different times of day, using the following business hours policies: - [DOSetHoursToLimitBackgroundDownloadBandwidth](waas-delivery-optimization-reference.md#set-business-hours-to-limit-background-download-bandwidth) - [DOSetHoursToLimitForegroundDownloadBandwidth](waas-delivery-optimization-reference.md#set-business-hours-to-limit-foreground-download-bandwidth). 
@@ -232,12 +232,12 @@ Delivery Optimization is integrated with both Microsoft Endpoint Manager and Con ## Monitor Delivery Optimization -Whether you opt for the default Delivery Optimization configurations or tailor them to suit your environment, you'll want to track the outcomes to see how they improve your efficiency. The following options are available to monitor Delivery Optimization: +Whether you opt for the default Delivery Optimization configurations or tailor them to suit your environment, you'll want to track the outcomes to see how they improve your efficiency. The following options are available to monitor Delivery Optimization: - On clients, review the activity monitor, which displays a breakdown of downloads by source, average speed, and upload stats for the current month - **Windows 11**: Settings > Windows Update > Advanced Options > Delivery Optimization > Activity Monitor - **Windows 10**: Settings > Update & Security > Delivery Optimization > Activity Monitor -- Windows Update for Business reports offers a Delivery Optimization report. For more information, see [Monitor Delivery Optimization](waas-delivery-optimization-monitor.md). +- Windows Update for Business reports offers a Delivery Optimization report. For more information, see [Monitor Delivery Optimization](waas-delivery-optimization-monitor.md). ## Troubleshoot Delivery Optimization diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md index e4f3e8e804..a29744db73 100644 --- a/windows/deployment/do/delivery-optimization-endpoints.md +++ b/windows/deployment/do/delivery-optimization-endpoints.md 
@@ -7,13 +7,13 @@ ms.topic: reference author: cmknox ms.author: carmenf ms.reviewer: mstewart -manager: aaroncz +manager: bpardi ms.collection: tier3 ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Microsoft Connected Cache for ISPs - ✅ Microsoft Connected Cache for Enterprise and Education -- ✅ Connected Cache on a Configuration Manager distribution point +- ✅ Connected Cache on a Configuration Manager distribution point ms.date: 04/15/2025 --- diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md index c0f4cd232b..2498fbb831 100644 --- a/windows/deployment/do/delivery-optimization-proxy.md +++ b/windows/deployment/do/delivery-optimization-proxy.md @@ -6,7 +6,7 @@ ms.subservice: itpro-updates ms.topic: article author: cmknox ms.author: carmenf -manager: aaroncz +manager: bpardi ms.reviewer: mstewart ms.collection: tier3 ms.localizationpriority: medium diff --git a/windows/deployment/do/delivery-optimization-test.md b/windows/deployment/do/delivery-optimization-test.md index a9f607038c..13e1c07a26 100644 --- a/windows/deployment/do/delivery-optimization-test.md +++ b/windows/deployment/do/delivery-optimization-test.md @@ -7,7 +7,7 @@ ms.topic: reference author: cmknox ms.author: carmenf ms.reviewer: mstewart -manager: aaroncz +manager: bpardi ms.collection: tier3 ms.localizationpriority: medium appliesto: diff --git a/windows/deployment/do/delivery-optimization-troubleshoot.md b/windows/deployment/do/delivery-optimization-troubleshoot.md index 972b148de4..96a934e9a6 100644 --- a/windows/deployment/do/delivery-optimization-troubleshoot.md +++ b/windows/deployment/do/delivery-optimization-troubleshoot.md @@ -7,7 +7,7 @@ ms.topic: how-to author: cmknox ms.author: carmenf ms.reviewer: mstewart -manager: aaroncz +manager: bpardi ms.collection: - tier3 - essentials-get-started 
diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md index 8683d2cbfc..46832e1879 100644 --- a/windows/deployment/do/delivery-optimization-workflow.md +++ b/windows/deployment/do/delivery-optimization-workflow.md @@ -6,7 +6,7 @@ ms.subservice: itpro-updates ms.topic: article author: cmknox ms.author: carmenf -manager: aaroncz +manager: bpardi ms.reviewer: mstewart ms.collection: - tier3 diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md index b4a7bad230..88b82a0177 100644 --- a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md +++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md @@ -1,6 +1,6 @@ --- title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diagnose/Solve feature UI -manager: aaroncz +manager: bpardi description: Elixir images read me file ms.service: windows-client author: nidos @@ -13,7 +13,7 @@ robots: noindex # Read Me -This file contains the images that are included in this GitHub repository that are used by the Azure UI for Diagnose and Solve. The following images _shouldn't be removed_ from the repository: +This file contains the images that are included in this GitHub repository that are used by the Azure UI for Diagnose and Solve. The following images _shouldn't be removed_ from the repository: :::image type="content" source="ux-check-verbose-2.png" alt-text="A screenshot that shows 6 out of the 22 checks raising errors."::: diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md index 0be764aea7..75d14a93f3 100644 --- a/windows/deployment/do/includes/get-azure-subscription.md +++ b/windows/deployment/do/includes/get-azure-subscription.md 
@@ -2,7 +2,7 @@ ms.author: carmenf author: cmknox ms.reviewer: mstewart -manager: aaroncz +manager: bpardi ms.date: 10/18/2022 ms.service: windows-client ms.subservice: itpro-deploy @@ -13,7 +13,7 @@ ms.localizationpriority: medium 1. Sign in to the [Azure portal](https://portal.azure.com). 1. Select **Subscriptions**. If you don't see **Subscriptions**, type **Subscriptions** in the search bar. As you begin typing, the list filters based on your input. -1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. -1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the Microsoft Connected Cache service. -1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name. -1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. +1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. +1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the Microsoft Connected Cache service. +1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name. +1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. diff --git a/windows/deployment/do/includes/mcc-prerequisites.md b/windows/deployment/do/includes/mcc-prerequisites.md index 05feb7ea27..47d5910685 100644 --- a/windows/deployment/do/includes/mcc-prerequisites.md +++ b/windows/deployment/do/includes/mcc-prerequisites.md 
@@ -2,7 +2,7 @@ ms.author: carmenf author: cmknox ms.reviewer: mstewart -manager: aaroncz +manager: bpardi ms.service: windows-client ms.subservice: itpro-deploy ms.topic: include diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index dc1e99b304..3dbf9f94a0 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -12,9 +12,9 @@ metadata: ms.collection: - highpri - tier3 - author: aczechowski - ms.author: aaroncz - manager: aaroncz + author: mestew + ms.author: mstewart + manager: bpardi ms.date: 10/30/2024 #Required; mm/dd/yyyy format. ms.localizationpriority: medium diff --git a/windows/deployment/do/mcc-ent-faq.yml b/windows/deployment/do/mcc-ent-faq.yml index 089613eb36..22d1898e68 100644 --- a/windows/deployment/do/mcc-ent-faq.yml +++ b/windows/deployment/do/mcc-ent-faq.yml @@ -8,18 +8,18 @@ metadata: ms.author: nidos author: doshnid ms.reviewer: mstewart - manager: aaroncz + manager: bpardi ms.collection: - highpri - tier3 - appliesto: + appliesto: - ✅ Windows 11 - ✅ Windows 10 ms.date: 10/30/2024 title: Microsoft Connected Cache for Enterprise Frequently Asked Questions summary: | Frequently asked questions about Microsoft Connected Cache for Enterprise - + sections: - name: Ignored questions: 
@@ -29,27 +29,27 @@ sections: answer: No. You won't be charged to create Connected Cache resource and cache nodes on Azure. However, you need an Azure pay-as-you-go subscription to create the resources but there is no charge for the resource itself. - question: Is there a nondisclosure agreement to sign? answer: No, a nondisclosure agreement isn't required. - - question: What will Microsoft Connected Cache for Enterprise and Education do for me? + - question: What will Microsoft Connected Cache for Enterprise and Education do for me? answer: "[Delivery Optimization](waas-delivery-optimization-reference.md) and Microsoft Connected Cache are Microsoft’s comprehensive solutions for minimizing enterprises’ internet bandwidth consumption, with Delivery Optimization acting as the distributed content source and Connected Cache as a dedicated content source. Microsoft customers have benefited from these solutions, seeing savings of more than 90% of bandwidth when managing Windows 11 upgrades, Autopilot device provisioning, Intune application installations, and monthly update deployments." - question: Can I deploy Connected Cache to a production environment? answer: The core caching engine of Microsoft Connected Cache is deployed to hundreds of ISPs globally and has been reliably delivering Microsoft content to customers. Connected Cache relies on production Azure services for the deployment and management of Connected Cache nodes and for Windows installations Windows Subsystem for Linux. Microsoft support is fully onboarded to support your organization whether you deploy Connected Cache in a lab for testing or in production. - question: When will Microsoft Connected Cache for Enterprise and Education be made generally available (GA)? answer: "[Delivery Optimization](waas-delivery-optimization-reference.md) and Microsoft Connected Cache are Microsoft’s comprehensive solutions for minimizing enterprises’ internet bandwidth consumption. 
Microsoft is committed to making Connected Cache generally available soon. Additionally, Microsoft support is fully onboarded to support your organization in whatever capacity you deploy Connected Cache." - question: What are the prerequisites and hardware requirements? - answer: | + answer: | - [Azure pay-as-you-go subscription](https://azure.microsoft.com/offers/ms-azr-0003p/). - [Hardware to host Microsoft Connected Cache](mcc-ent-edu-overview.md) - [Host machine requirements](mcc-ent-prerequisites.md) - question: What host OS do I need to deploy Connected Cache? - answer: You can use Linux or Windows OS. Depending on the OS, the provisioning script and certain provisioning steps are different. + answer: You can use Linux or Windows OS. Depending on the OS, the provisioning script and certain provisioning steps are different. - question: What content is cached by Microsoft Connected Cache? answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints](delivery-optimization-endpoints.md). - question: Do I need to provide hardware BareMetal server or a virtual machine (VM)? - answer: Microsoft Connected Cache is a software-only caching solution and requires you to provide your own server to host the software. + answer: Microsoft Connected Cache is a software-only caching solution and requires you to provide your own server to host the software. - question: Can we use hard drives instead of SSDs? answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance. - question: Where should we install Microsoft Connected Cache? - answer: You are in control of your hardware and you can pick the location based on your traffic and end clients. You can choose the location where you have your routers or where you have dense traffic or any other parameters. 
+ answer: You are in control of your hardware and you can pick the location based on your traffic and end clients. You can choose the location where you have your routers or where you have dense traffic or any other parameters. - question: How can I set up a gMSA account? answer: For more information about gMSA accounts, see [Learn how to provision a Group Managed Service Account on a Domain Controller](/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/getting-started-with-group-managed-service-accounts#create-group-managed-service-accounts). Make sure that your gMSA has been granted permissions to "Log on as batch job" within the host machine's [local security policies](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings). - question: How can I set up a local account? 
@@ -61,7 +61,7 @@ sections: - question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache? answer: Once a request for said content is made, NGINX looks at the cache control headers from the original acquisition. If that content is expired, NGINX continues to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content is in the hot cache path (open handles and such) for 24 hrs, but resides on disk for 30 days. The drive fills up and nginx starts to delete content based on its own algorithm, probably some combination of least recently used. - question: Is it possible to not update the Microsoft Connected Cache software or delay update longer than the timeline provided in the updates configuration? - answer: No. It's important to keep the Microsoft Connected Cache software up to date, especially when it comes to security issues. Microsoft validates updates prior to releasing Enterprises Connected Cache updates and only releases updates when it's necessary to keep customers secure or to ensure the continued successful operation of Connected Cache nodes for customers. + answer: No. It's important to keep the Microsoft Connected Cache software up to date, especially when it comes to security issues. Microsoft validates updates prior to releasing Enterprises Connected Cache updates and only releases updates when it's necessary to keep customers secure or to ensure the continued successful operation of Connected Cache nodes for customers. - question: How do I set up CLI? answer: For more information, see [How to install the Azure CLI](/cli/azure/install-azure-cli). - question: How do I install the Microsoft Connected Cache Azure CLI extension? diff --git a/windows/deployment/do/mcc-ent-manage-using-cli.md b/windows/deployment/do/mcc-ent-manage-using-cli.md index 3b3ca2357d..5a38d48ccc 100644 --- a/windows/deployment/do/mcc-ent-manage-using-cli.md 
+++ b/windows/deployment/do/mcc-ent-manage-using-cli.md @@ -4,15 +4,15 @@ description: Details on how to manage Microsoft Connected Cache for Enterprise c ms.service: windows-client ms.subservice: itpro-updates ms.topic: how-to -manager: aaroncz +manager: bpardi ms.author: nidos author: doshnid ms.reviewer: mstewart ms.collection: tier3 -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 -- ✅ Microsoft Connected Cache for Enterprise +- ✅ Microsoft Connected Cache for Enterprise ms.date: 10/30/2024 --- @@ -22,7 +22,7 @@ ms.date: 10/30/2024 This article outlines how to create, configure, and deploy Microsoft Connected Cache for Enterprise cache nodes using Azure CLI. - + ## Prerequisites: 1. **Install Azure CLI**: [How to install the Azure CLI](/cli/azure/install-azure-cli) 1. **Install Connected Cache extension**: Install Connected Cache extension via the command below @@ -94,7 +94,7 @@ To confirm cache node creation, use `az mcc ent node show`
```azurecli-interactive -az mcc ent node show --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg +az mcc ent node show --cache-node-name mycachenode --mcc-resource-name mymccresource --resource-group myrg ``` >[!IMPORTANT] @@ -144,11 +144,11 @@ az mcc ent node get-provisioning-details --cache-node-name mycachenode --mcc-res ## Next step -To deploy the cache node to a **Windows** host machine, see +To deploy the cache node to a **Windows** host machine, see >[!div class="nextstepaction"] >[Deploy cache node to Windows](mcc-ent-deploy-to-windows.md) -To deploy the cache node to a **Linux** host machine, see +To deploy the cache node to a **Linux** host machine, see >[!div class="nextstepaction"] >[Deploy cache node to Linux](mcc-ent-deploy-to-linux.md) @@ -190,7 +190,7 @@ az mcc ent resource create --mcc-resource-name $mccResourceName --location $reso #Loop through $cacheNodesToCreate iterations for ($cacheNodeNumber = 1; $cacheNodeNumber -le $cacheNodesToCreate; $cacheNodeNumber++) { $iteratedCacheNodeName = $cacheNodeName + "-" + $cacheNodeNumber - + #Create cache node az mcc ent node create --cache-node-name $iteratedCacheNodeName --mcc-resource-name $mccResourceName --host-os $cacheNodeOperatingSystem --resource-group $resourceGroup @@ -203,7 +203,7 @@ for ($cacheNodeNumber = 1; $cacheNodeNumber -le $cacheNodesToCreate; $cacheNodeN Write-Output "Waiting for cache node creation to complete...$howLong seconds" Start-Sleep -Seconds $waitTime $howLong += $waitTime - + $cacheNodeState = $(az mcc ent node show --cache-node-name $iteratedCacheNodeName --mcc-resource-name $mccResourceName --resource-group $resourceGroup --query "cacheNodeState") | ConvertFrom-Json } diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md index 807fdb43d0..cc0fc93ba1 100644 --- a/windows/deployment/do/mcc-isp-cache-node-configuration.md 
+++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md
@@ -1,6 +1,6 @@
 ---
 title: Cache node configuration settings
-manager: aaroncz
+manager: bpardi
 description: List of options that are available while configuring a cache node for your environment from the Azure portal.
 ms.service: windows-client
 ms.subservice: itpro-updates
@@ -11,7 +11,7 @@ ms.reviewer: mstewart
 ms.collection:
 - tier3
 - must-keep
-appliesto:
+appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
 - ✅ Microsoft Connected Cache for ISPs
diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md
index daa7a581db..ecb96e6f84 100644
--- a/windows/deployment/do/mcc-isp-create-provision-deploy.md
+++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md
@@ -3,16 +3,16 @@ title: Create, provision, and deploy the cache node
 description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal
 ms.service: windows-client
 ms.subservice: itpro-updates
-manager: aaroncz
+manager: bpardi
 author: nidos
 ms.author: nidos
 ms.reviewer: mstewart
 ms.topic: install-set-up-deploy
 ms.collection: tier3
-appliesto:
+appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
-- ✅ Microsoft Connected Cache for ISPs
+- ✅ Microsoft Connected Cache for ISPs
 ms.date: 05/23/2024
 ---
 
@@ -66,29 +66,29 @@ In the example configuration below: - The ASN of the Microsoft Connected Cache cache node is 65100 and the IP address is 192.168.8.99 - iBGP peering sessions are established from the portal for ASNs 65100, 65200, and 65300. - :::image type="content" source="images/mcc-isp-bgp-route.png" alt-text="Screenshot of a table entitled BGP route information showing how each ASN corresponds to a specific IP address." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: + :::image type="content" source="images/mcc-isp-bgp-route.png" alt-text="Screenshot of a table entitled BGP route information showing how each ASN corresponds to a specific IP address." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: - :::image type="content" source="images/mcc-isp-bgp-diagram.png" alt-text="A diagram that shows the relationship between the cache node and other ASNs/routers when using BGP. BGP routing allows the cache node to route to other network providers with different ASNs." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: + :::image type="content" source="images/mcc-isp-bgp-diagram.png" alt-text="A diagram that shows the relationship between the cache node and other ASNs/routers when using BGP. BGP routing allows the cache node to route to other network providers with different ASNs." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: To set up and enable BGP routing for your cache node, follow the steps below: 1. Navigate to **Settings** > **Cache nodes**. Select the cache node you wish to provision. - :::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." 
lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: + :::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: -1. Enter the max allowable egress that your hardware can support. +1. Enter the max allowable egress that your hardware can support. -1. Under **Cache storage**, specify the location of the cache drive folder to store content along with the size of the cache drives in Gigabytes. -**Note:** This is a **required** field. Up to nine cache drive folders are supported. +1. Under **Cache storage**, specify the location of the cache drive folder to store content along with the size of the cache drives in Gigabytes. +**Note:** This is a **required** field. Up to nine cache drive folders are supported. 1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing). - - If you choose **Manual routing**, enter your address range/CIDR blocks. + - If you choose **Manual routing**, enter your address range/CIDR blocks. - If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship. Use your ASN, the one used to sign up for Microsoft Connected Cache. Connected Cache will be automatically assigned as the same ASN as the neighbor. > [!NOTE] > **Prefix count** and **IP Space** will stop displaying `0` when BGP is successfully established. -## Deploy cache node software to server +## Deploy cache node software to server Once the user executes the cache server provisioning script, resources are created behind the scenes resulting in the successful cache node installation. The script takes the input of different IDs outlined below to register the server as an Azure IoT Edge device. 
Even though Microsoft Connected Cache scenario isn't related to IoT, Azure IoT Edge is installed for container management and communication operation purposes. @@ -125,7 +125,7 @@ There are five IDs that the device provisioning script takes as input in order t :::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal."::: -1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server. +1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server. 1. Open a terminal window in the directory where you would like to deploy your cache node and run the following command to change the access permission to the Bash script: diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index 26322219d3..0e6e3670b2 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml 
@@ -8,90 +8,90 @@ metadata: ms.author: carmenf author: cmknox ms.reviewer: mstewart - manager: aaroncz + manager: bpardi ms.collection: - highpri - tier3 - appliesto: + appliesto: - ✅ Windows 11 - ✅ Windows 10 ms.date: 01/14/2025 title: Microsoft Connected Cache Frequently Asked Questions summary: | Frequently asked questions about Microsoft Connected Cache - + sections: - name: Ignored questions: - question: Is this product a free service? - answer: Yes. Microsoft Connected Cache is a free service. + answer: Yes. Microsoft Connected Cache is a free service. - question: What will Microsoft Connected Cache do for me? How will it impact our customers? - answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs. + answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs. - question: I already peer with Microsoft(8075). What benefit will I receive by adding Microsoft Connected Cache to my network? - answer: Microsoft Connected Cache complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing Connected Cache. + answer: Microsoft Connected Cache complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing Connected Cache. - question: Is there a non-disclosure agreement to sign? answer: No, a non-disclosure agreement isn't required. 
- question: What are the prerequisites and hardware requirements? - answer: | - - Azure subscription + answer: | + - Azure subscription - Hardware to host Microsoft Connected Cache - - Ubuntu 22.04 LTS on a physical server or VM of your choice. - + - Ubuntu 22.04 LTS on a physical server or VM of your choice. + > [!NOTE] - > The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 22.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 22.04 LTS. - - The following are recommended hardware configurations: - + > The Microsoft Connected Cache is deployed and managed using Azure IoT Edge and Ubuntu 22.04 is an [Azure IoT Edge Tier 1 operating system](/azure/iot-edge/support#tier-1). Additionally, the Microsoft Connected Cache module is optimized for Ubuntu 22.04 LTS. + + The following are recommended hardware configurations: + | Microsoft Connected Cache Machine Class | Scenario |Traffic Range| VM/Hardware Recommendation| | -------- | -------- | -------- | -------- | | Edge | For smaller ISPs or remote sites part of a larger network. |< 5 Gbps Peak| VM
Up to 8 cores

Up to 16-GB memory

1 500 GB SSD| | Metro POP | For ISPs, IXs, or Transit Providers serving a moderate amount of traffic in a network that might require one of more cache nodes. |5 to 20 Gbps Peak| VM or hardware

16 cores*

32-GB memory

2 - 3 500-GB SSDs each| |Data Center|For ISPs, IXs, or Transit Providers serving a large amount traffic daily and might require deployment of multiple cache nodes.|20 to 40 Gbps Peak| Hardware, see sample spec below:

32 or more cores*

64 or more GB memory

4 - 6 500 - 1-TB SSDs** each | - + *Requires systems (chipset, CPU, motherboard) with PCIe version 3, or higher. - + **Drive speeds are important and to achieve higher egress, we recommend SSD NVMe in m.2 PCIe slot (version 4, or higher). - - We have one customer who is able to achieve mid-30s Gbps egress rate using the following hardware specification: - - Dell PowerEdge R330 - - 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core - - 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s - - 4 - Transcend SSD230s 1 TB SATA Drives + + We have one customer who is able to achieve mid-30s Gbps egress rate using the following hardware specification: + - Dell PowerEdge R330 + - 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core + - 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s + - 4 - Transcend SSD230s 1 TB SATA Drives Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) - question: Do I need to provide hardware BareMetal server or VM? answer: Microsoft Connected Cache is a software-only caching solution and requires you to provide your own server to host the software. - question: Can we use hard drives instead of SSDs? - answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance. + answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance. - question: Do I need to manually enter the CIDR blocks? If I have multiple cache nodes, should I configure a subset of CIDR blocks to each cache node? - answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Caches, you can allocate subsets of CIDR blocks to each cache node if you wish. 
However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes. + answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Caches, you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes. - question: Should I add any load balancing mechanism? - answer: You don't need to add any load balancing. Our service takes care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node. + answer: You don't need to add any load balancing. Our service takes care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node. - question: How many Microsoft Connected Cache instances do I need? How do we set up if we support multiple countries or regions? - answer: As stated in the recommended hardware table, the recommended configuration achieves near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that helps you estimate the number of cache nodes needed. If your ISP spans multiple countries or regions, you can set up separate cache nodes per country or region. + answer: As stated in the recommended hardware table, the recommended configuration achieves near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that helps you estimate the number of cache nodes needed. If your ISP spans multiple countries or regions, you can set up separate cache nodes per country or region. - question: Where should we install Microsoft Connected Cache? 
answer: You are in control of your hardware and you can pick the location based on your traffic and end customers. You can choose the location where you have your routers or where you have dense traffic or any other parameters. - question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache? answer: Once a request for said content is made, NGINX looks at the cache control headers from the original acquisition. If that content is expired, NGINX continues to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content will be in the hot cache path (open handles and such) for 24 hrs, but will reside on disk for 30 days. The drive fills up and nginx will start to delete content based on its own algorithm, probably some combination of least recently used. - question: What content is cached by Microsoft Connected Cache? - answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints - Windows Deployment](delivery-optimization-endpoints.md). + answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints - Windows Deployment](delivery-optimization-endpoints.md). - question: Does Microsoft Connected Cache support Xbox or Teams content? - answer: Currently, Microsoft Connected Cache doesn't support Xbox or Teams content. However, supporting Xbox content is of high priority, and we expect this feature soon. We'll let you know as soon as it becomes available! + answer: Currently, Microsoft Connected Cache doesn't support Xbox or Teams content. However, supporting Xbox content is of high priority, and we expect this feature soon. We'll let you know as soon as it becomes available! - question: Is IPv6 supported? - answer: No, we don't currently support IPV6. We plan to support it in the future. + answer: No, we don't currently support IPV6. 
We plan to support it in the future. - question: Is Microsoft Connected Cache stable and reliable? answer: We have already successfully onboarded ISPs in many countries and regions around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of Connected Cache before expanding to more customers. - question: How does Microsoft Connected Cache populate its content? answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD. - question: What CDNs does Microsoft Connected Cache pull content from? - answer: | + answer: | Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time: - + $ dig +noall +answer tlu.dl.delivery.mp.microsoft.com | grep -P "IN\tA" c-0001.c-msedge.net. 20 IN A 13.107.4.50 $ whois 13.107.4.50|grep "Organization:" - + Organization: Microsoft Corporation (MSFT) - question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how does it affect my traffic? 
answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic. diff --git a/windows/deployment/do/mcc-isp-overview.md b/windows/deployment/do/mcc-isp-overview.md index 46fd985ffc..879dbc2095 100644 --- a/windows/deployment/do/mcc-isp-overview.md +++ b/windows/deployment/do/mcc-isp-overview.md @@ -4,15 +4,15 @@ description: Overview of Microsoft Connected Cache for ISPs. Learn about how Con ms.service: windows-client ms.subservice: itpro-updates ms.topic: overview -manager: aaroncz +manager: bpardi ms.author: carmenf author: cmknox ms.reviewer: mstewart ms.collection: tier3 -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 -- ✅ Microsoft Connected Cache for ISPs +- ✅ Microsoft Connected Cache for ISPs ms.date: 05/23/2024 --- diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index 5b9d4a5f66..847997d602 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md @@ -4,15 +4,15 @@ description: Instructions on how to go through the service onboarding process fo ms.service: windows-client ms.subservice: itpro-updates ms.topic: how-to -manager: aaroncz +manager: bpardi author: nidos ms.author: nidos ms.reviewer: mstewart ms.collection: tier3 -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 -- ✅ Microsoft Connected Cache for ISPs +- ✅ Microsoft Connected Cache for ISPs ms.date: 01/14/2024 --- 
@@ -39,7 +39,7 @@ Before you begin sign up, ensure you have the following components: 1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 22.04 LTS. 1. **Configure cache drive**: Make sure that you have a data drive configured with full permissions on your server. You'll need to specify the location for this cache drive during the cache node configuration process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk). -## Resource creation and sign up process +## Resource creation and sign up process 1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**. diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md index 2eb833af48..dfe19fb6e7 100644 --- a/windows/deployment/do/mcc-isp-support.md +++ b/windows/deployment/do/mcc-isp-support.md @@ -6,13 +6,13 @@ ms.subservice: itpro-updates ms.topic: reference author: nidos ms.author: nidos -manager: aaroncz +manager: bpardi ms.reviewer: mstewart ms.collection: tier3 -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 -- ✅ Microsoft Connected Cache for ISPs +- ✅ Microsoft Connected Cache for ISPs ms.date: 01/14/2025 --- 
@@ -32,13 +32,13 @@ During sign-up, we verify the information you provide against what is present in #### Invalid verification code -During sign-up, a verification code is sent to your NOC email address present in [Peering DB](https://www.peeringdb.com/). This code expires in 24 hours. If it's expired, you'll need to request a new verification code to complete the sign-up. +During sign-up, a verification code is sent to your NOC email address present in [Peering DB](https://www.peeringdb.com/). This code expires in 24 hours. If it's expired, you'll need to request a new verification code to complete the sign-up. #### Unable to re-sign up Delete any Microsoft Connected Cache resource that you're using before you resign up for the service. Deleting any existing Connected Cache resource unlocks your ASN, which allows you to successfully sign up. -### Cache Node Errors +### Cache Node Errors #### Network connectivity issues diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md index 58f6d51180..981d0f3425 100644 --- a/windows/deployment/do/mcc-isp-update.md +++ b/windows/deployment/do/mcc-isp-update.md @@ -6,15 +6,15 @@ ms.subservice: itpro-updates ms.topic: how-to ms.author: carmenf author: cmknox -manager: aaroncz +manager: bpardi ms.reviewer: mstewart ms.collection: - tier3 - must-keep -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 -- ✅ Microsoft Connected Cache for ISPs +- ✅ Microsoft Connected Cache for ISPs ms.date: 05/23/2024 --- diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md index 1eed1cb75c..6facd2c70f 100644 --- a/windows/deployment/do/mcc-isp-verify-cache-node.md +++ b/windows/deployment/do/mcc-isp-verify-cache-node.md 
@@ -7,10 +7,10 @@ ms.subservice: itpro-updates ms.topic: how-to ms.author: carmenf author: cmknox -manager: aaroncz +manager: bpardi ms.reviewer: mstewart ms.collection: tier3 -appliesto: +appliesto: - ✅ Microsoft Connected Cache for ISPs ms.date: 05/23/2024 --- @@ -90,7 +90,7 @@ Within Azure portal, there are many charts and graphs that are available to moni Within Azure portal, you're able to build your custom charts and graphs using the following available metrics: | Metric name | Description | -|---|---| +|---|---| | **Cache Efficiency** | Cache efficiency is defined as the total cache hit bytes divided by all bytes requested. The higher this value (0 - 100%), the more efficient the cache node is. | | **Healthy nodes** | The number of cache nodes that are reporting as healthy| | **Unhealthy nodes**| The number of cache nodes that are reporting as unhealthy| diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md index 6df9fd0b0b..250526b04b 100644 --- a/windows/deployment/do/mcc-isp-vm-performance.md +++ b/windows/deployment/do/mcc-isp-vm-performance.md @@ -7,10 +7,10 @@ ms.subservice: itpro-updates ms.topic: reference ms.author: carmenf author: cmknox -manager: aaroncz +manager: bpardi ms.reviewer: mstewart ms.collection: tier3 -appliesto: +appliesto: - ✅ Microsoft Connected Cache for ISPs ms.date: 01/14/2025 --- diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index 2594e6e96a..862d4d6cdf 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md @@ -7,11 +7,11 @@ ms.topic: how-to ms.author: carmenf author: cmknox ms.reviewer: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium ms.collection: tier3 ms.date: 10/30/2024 -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Microsoft Connected Cache for ISPs (early preview) 
@@ -33,7 +33,7 @@ Microsoft Connected Cache for Internet Service Providers is now in Public Previe - - Never attempt to download payload from Windows Update 
@@ -37,10 +37,10 @@ Starting in Windows 11, version 22H2, on-premises Unified Update Platform (UUP) ## Version specific information for Features on Demand and language packs -Windows 11, version 22H2, and later clients use on-premises Unified Update Platform (UUP) updates with WSUS and Microsoft Configuration Manager. These clients don't need to use **Specify settings for optional component installation and component repair** for FoDs and language packs since the content is available in WSUS due to on-premises UUP. The policy was modified starting in Windows 11, version 24H2 to remove the unneeded options. +Windows 11, version 22H2, and later clients use on-premises Unified Update Platform (UUP) updates with WSUS and Microsoft Configuration Manager. These clients don't need to use **Specify settings for optional component installation and component repair** for FoDs and language packs since the content is available in WSUS due to on-premises UUP. The policy was modified starting in Windows 11, version 24H2 to remove the unneeded options. For Windows 10, version 2004 through Windows 11, version 21H2, clients can't download FoDs or language packs when **Specify settings for optional component installation and component repair** is set to Windows Update and **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) for either feature or quality updates is set to WSUS. If you need this content, you can set **Specify settings for optional component installation and component repair** to Windows Update and then either: -- Change the source selection for feature and quality updates to Windows Update +- Change the source selection for feature and quality updates to Windows Update - Allow all classes of updates to come from WSUS by not configuring any source selections > [!Note] 
diff --git a/windows/deployment/update/forward-reverse-differentials.md b/windows/deployment/update/forward-reverse-differentials.md
index 1ac187396e..5cfe24c253 100644
--- a/windows/deployment/update/forward-reverse-differentials.md
+++ b/windows/deployment/update/forward-reverse-differentials.md
@@ -6,7 +6,7 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.localizationpriority: medium
 appliesto:
 - ✅ Windows 11
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index f52ce23286..ebdc8e3a94 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -6,9 +6,9 @@ ms.subservice: itpro-updates
 ms.topic: article
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.localizationpriority: medium
-appliesto:
+appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
 ms.date: 12/31/2017
@@ -31,7 +31,7 @@ version of the software. ## Types of updates -We include information here about many different update types you hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. +We include information here about many different update types you hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. - **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they're delivered frequently (rather than every 3-5 years), they're easier to manage. - **Quality updates:** Quality updates deliver both security and nonsecurity fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They're typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. 
@@ -68,7 +68,7 @@ We recommend that you use the Windows Insider Release Preview channel for valida The **Long-Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as ones that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSC releases service a special LTSC edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -The General Availability Channel is the default servicing channel for all Windows devices except those with the LTSC edition installed. The following table shows the servicing channels available to each edition. +The General Availability Channel is the default servicing channel for all Windows devices except those with the LTSC edition installed. The following table shows the servicing channels available to each edition. | Edition | General Availability Channel | Insider Program | Long-Term Servicing Channel | diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index b8165cc86a..7641003e38 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -6,9 +6,9 @@ ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 ms.date: 12/31/2017 @@ -16,7 +16,7 @@ ms.date: 12/31/2017 # How Windows Update works -The Windows Update workflow has four core areas of functionality: +The Windows Update workflow has four core areas of functionality: 1. Scan 1. Orchestrator schedules the scan. 
@@ -35,49 +35,49 @@ The Windows Update workflow has four core areas of functionality: 1. The arbiter finalizes before the restart. -## How updating works -During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does these actions automatically, according to your settings, and silently so that doesn't disrupt your computer usage. +## How updating works +During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does these actions automatically, according to your settings, and silently so that doesn't disrupt your computer usage. -## Scanning updates +## Scanning updates ![Windows Update scanning step.](images/update-scan-step.png) -The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. +The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. -When devices check for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. +When devices check for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. 
It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. Make sure you're familiar with the following terminology related to Windows Update scan: |Term|Definition| |----|----------| -|Update|We use this term to mean several different things, but in this context it's the actual updated code or change.| -|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| -|Child update|Leaf update that's bundled by another update; contains payload.| -|Detector update|A special update that contains `IsInstalled` applicability rule only and no payload. Used for prerequisite evaluation.| +|Update|We use this term to mean several different things, but in this context it's the actual updated code or change.| +|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| +|Child update|Leaf update that's bundled by another update; contains payload.| +|Detector update|A special update that contains `IsInstalled` applicability rule only and no payload. Used for prerequisite evaluation.| |Category update|A special `detectoid` that has an `IsInstalled` rule that is always true. Used for grouping updates and allowing the device to filter updates. | -|Full scan|Scan with empty datastore.| -|Delta scan|Scan with updates from previous scan already cached in datastore.| +|Full scan|Scan with empty datastore.| +|Delta scan|Scan with updates from previous scan already cached in datastore.| |Online scan|Scan that uses the network and to check an update server. | |Offline scan|Scan that doesn't use the network and instead checks the local datastore. Only useful if online scan has been performed before. 
| -|CatScan|Category scan where caller can specify a **categoryId** to get updates published under that **categoryId**.| -|AppCatScan|Category scan where caller can specify an **AppCategoryId** to get apps published under that **appCategoryId**.| -|Software sync|Part of the scan that only checks for software updates (both the apps and the operating system).| -|Driver sync|Part of the scan that checks driver updates only. This sync is optional and runs after the software sync.| +|CatScan|Category scan where caller can specify a **categoryId** to get updates published under that **categoryId**.| +|AppCatScan|Category scan where caller can specify an **AppCategoryId** to get apps published under that **appCategoryId**.| +|Software sync|Part of the scan that only checks for software updates (both the apps and the operating system).| +|Driver sync|Part of the scan that checks driver updates only. This sync is optional and runs after the software sync.| |ProductSync|A sync based on attributes, in which the client provides a list of device, product, and caller attributes ahead of time to allow service to check applicability in the cloud. | -### How Windows Update scanning works - -Windows Update does the following actions when it runs a scan. +### How Windows Update scanning works -#### Starts the scan for updates -When users start scanning in Windows Update through the Settings panel, the following occurs: +Windows Update does the following actions when it runs a scan. -- The scan first generates a `ComApi` message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates. -- "Agent" messages: queueing the scan, then actually starting the work: - - Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers. - - Windows Update uses the thread ID filtering to concentrate on one particular task. 
+#### Starts the scan for updates +When users start scanning in Windows Update through the Settings panel, the following occurs: + +- The scan first generates a `ComApi` message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates. +- "Agent" messages: queueing the scan, then actually starting the work: + - Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers. + - Windows Update uses the thread ID filtering to concentrate on one particular task. ![Windows Update scan log 1.](images/update-scan-log-1.png) - + #### Proxy Behavior For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP: SimpleAuth Web Service](/openspecs/windows_protocols/ms-wusp/61235469-6c2f-4c08-9749-e35d52c16899), [MS-WUSP: Client Web Service](/openspecs/windows_protocols/ms-wusp/69093c08-da97-445e-a944-af0bef36e4ec)): - System proxy is attempted (set using the `netsh` command). 
@@ -92,57 +92,57 @@ For Windows Update URLs that _aren't_ used for update detection, such as for dow #### Identifies service IDs -- Service IDs indicate which update source is being scanned. +- Service IDs indicate which update source is being scanned. -- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. +- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. ![Windows Update scan log 2.](images/update-scan-log-2.png) -- Common service IDs +- Common service IDs > [!IMPORTANT] - > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to. It's totally controlled by responses from the Service Locator Service. - + > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to. It's totally controlled by responses from the Service Locator Service. + |Service|ServiceId| -|-------|---------| +|-------|---------| |Unspecified / Default|Windows Update, Microsoft Update, or WSUS
00000000-0000-0000-0000-000000000000 | -|Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77| -|Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d| -|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| -|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| +|Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77| +|Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d| +|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| +|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| |WSUS or Configuration Manager|Via ServerSelection::ssManagedServer
3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | -|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| +|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| #### Finds network faults -Common update failure is caused due to network issues. To find the root of the issue: +Common update failure is caused due to network issues. To find the root of the issue: -- Look for "ProtocolTalker" messages to see client-server sync network traffic. -- "SOAP faults" can be either client- or server-side issues; read the message. -- The Windows Update client uses the Service Locator Service to discover the configurations and endpoints of Microsoft network update sources: Windows update, Microsoft Update, or Flighting. +- Look for "ProtocolTalker" messages to see client-server sync network traffic. +- "SOAP faults" can be either client- or server-side issues; read the message. +- The Windows Update client uses the Service Locator Service to discover the configurations and endpoints of Microsoft network update sources: Windows update, Microsoft Update, or Flighting. > [!NOTE] - > If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service. + > If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service. - On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can't scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it's locally configured. 
![Windows Update scan log 3.](images/update-scan-log-3.png) - -## Downloading updates + +## Downloading updates ![Windows Update download step.](images/update-download-step.png) -Once the Windows Update Orchestrator determines which updates apply to your computer, it begins downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device. +Once the Windows Update Orchestrator determines which updates apply to your computer, it begins downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device. -To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption. - -For more information, see [Configure Delivery Optimization for Windows 10 updates](../do/waas-delivery-optimization.md). +To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption. -## Installing updates +For more information, see [Configure Delivery Optimization for Windows 10 updates](../do/waas-delivery-optimization.md). + +## Installing updates ![Windows Update install step.](images/update-install-step.png) -When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". +When an update is applicable, the "Arbiter" and metadata are downloaded. 
Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". -The action list describes all the files needed from Windows Update, and what the installation agent (such as CBS or Setup) should do with them. The action list is provided to the installation agent along with the payload to begin the installation. - -## Committing Updates +The action list describes all the files needed from Windows Update, and what the installation agent (such as CBS or Setup) should do with them. The action list is provided to the installation agent along with the payload to begin the installation. + +## Committing Updates ![Windows Update commit step.](images/update-commit-step.png) -When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the device for you after installing the updates. It has to restart the device because it might be insecure, or not fully updated, until it restarts. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. +When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the device for you after installing the updates. It has to restart the device because it might be insecure, or not fully updated, until it restarts. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. -For more information, see [Manage device restarts after updates](waas-restart.md). +For more information, see [Manage device restarts after updates](waas-restart.md). 
diff --git a/windows/deployment/update/includes/checkpoint-cumulative-updates.md b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
index dd9b0e1abd..8e9fd665e1 100644
--- a/windows/deployment/update/includes/checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
@@ -1,7 +1,7 @@
 ---
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.subservice: itpro-updates
 ms.service: windows-client
 ms.topic: include
diff --git a/windows/deployment/update/includes/update-history.md b/windows/deployment/update/includes/update-history.md
index cc5fb9bb9f..e41c62590d 100644
--- a/windows/deployment/update/includes/update-history.md
+++ b/windows/deployment/update/includes/update-history.md
@@ -1,7 +1,7 @@
 ---
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.subservice: itpro-updates
 ms.service: windows-client
 ms.topic: include
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 5fb6f0f36d..e22fc777dc 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -1,7 +1,7 @@
 ---
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.subservice: itpro-updates
 ms.service: windows-client
 ms.topic: include
diff --git a/windows/deployment/update/includes/wufb-reports-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md
index a3bfb9b575..30e4d07f1d 100644
--- a/windows/deployment/update/includes/wufb-reports-endpoints.md
+++ b/windows/deployment/update/includes/wufb-reports-endpoints.md
@@ -1,7 +1,7 @@
 ---
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.subservice: itpro-updates
 ms.service: windows-client
 ms.topic: include
@@ -11,7 +11,7 @@ ms.localizationpriority: medium -Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data: +Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data: | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| diff --git a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md index f0f14e2a67..c1a8cedf98 100644 --- a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md +++ b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md @@ -1,7 +1,7 @@ --- author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.subservice: itpro-updates ms.service: windows-client ms.topic: include 
@@ -18,7 +18,7 @@ ms.localizationpriority: medium - The Azure subscription - The Log Analytics workspace 1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Windows Update for Business reports data**. - - Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. + - Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. 1. After the initial setup is complete, the **Windows** tab will display your Windows Update for Business reports data in the charts. > [!Note] - > The device counts in the **Windows** tab may vary from the **Microsoft 365 Apps** tab since their requirements are different. + > The device counts in the **Windows** tab may vary from the **Microsoft 365 Apps** tab since their requirements are different. diff --git a/windows/deployment/update/includes/wufb-reports-script-error-codes.md b/windows/deployment/update/includes/wufb-reports-script-error-codes.md index 7057d0789c..cb975177db 100644 --- a/windows/deployment/update/includes/wufb-reports-script-error-codes.md +++ b/windows/deployment/update/includes/wufb-reports-script-error-codes.md 
@@ -1,7 +1,7 @@ --- author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.subservice: itpro-updates ms.service: windows-client ms.topic: include @@ -41,7 +41,7 @@ ms.localizationpriority: medium | 62 | AllowTelemetry registry key isn't the correct type of REG_DWORD.| | 63 | AllowTelemetry isn't set to the appropriate value and it couldn't be set by the script.| | 64 | AllowTelemetry isn't the correct type of REG_DWORD.| -| 66 | Failed to verify UTC connectivity and recent uploads.| +| 66 | Failed to verify UTC connectivity and recent uploads.| | 67 | Unexpected failure when verifying UTC CSP.| | 99 | Device isn't Windows 10 or Windows 11.| | 100 | Device must be Microsoft Entra joined or Microsoft Entra hybrid joined to use Windows Update for Business reports.| diff --git a/windows/deployment/update/includes/wufb-restart-notifications-compliance-deadlines.md b/windows/deployment/update/includes/wufb-restart-notifications-compliance-deadlines.md index 2bee5ae05c..4cd5c212cc 100644 --- a/windows/deployment/update/includes/wufb-restart-notifications-compliance-deadlines.md +++ b/windows/deployment/update/includes/wufb-restart-notifications-compliance-deadlines.md @@ -1,7 +1,7 @@ --- author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.subservice: itpro-updates ms.service: windows-client ms.topic: include 
@@ -12,27 +12,27 @@ ms.localizationpriority: medium These deadline policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline passes. At that point, the device automatically schedules a restart regardless of active hours. -These notifications are what the user sees depending on the settings you choose, and what operating system version their device is running. Generally, the user notifications become more noticeable as the deadline approaches. The experience described is the default and assumes there's ample time for notifications before the [effective deadline](../wufb-compliancedeadlines.md) occurs. The description doesn't account for changes to the **Display options for update notifications** policy ([Update/NoUpdateNotificationsDuringActiveHours](/windows/client-management/mdm/policy-csp-update#noupdatenotificationsduringactivehours)) or other settings that would significantly change the experience. +These notifications are what the user sees depending on the settings you choose, and what operating system version their device is running. Generally, the user notifications become more noticeable as the deadline approaches. The experience described is the default and assumes there's ample time for notifications before the [effective deadline](../wufb-compliancedeadlines.md) occurs. The description doesn't account for changes to the **Display options for update notifications** policy ([Update/NoUpdateNotificationsDuringActiveHours](/windows/client-management/mdm/policy-csp-update#noupdatenotificationsduringactivehours)) or other settings that would significantly change the experience. 
# [Windows 11, version 23H2 and later](#tab/w11-23h2-notifications) The following notifications are what the user sees on Windows 11, version 23H2 and later, depending on the settings chosen by the user and the IT administrator: -When **Specify deadlines for automatic updates and restarts** is set: +When **Specify deadlines for automatic updates and restarts** is set: -While restart is pending, before the deadline occurs, users receive a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends. +While restart is pending, before the deadline occurs, users receive a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends. - If the user set [the option](../waas-wufb-csp-mdm.md#user-settings-for-notifications) **Settings** > **Windows Update** > **Advanced options** > **Notify me when a restart is required to finish updating** to **On**, they immediately receive the toast notification when the device enters a restart pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare. - If the user set **Notify me when a restart is required to finish updating** to **Off** (default), they receive a toast notification that a restart is required 24 hours after the device enters a restart pending state for updates. :::image type="content" source="../media/9091858-11-initial-toast.png" alt-text="Screenshot of the initial toast notification displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but isn't past the deadline." 
lightbox="../media/9091858-initial-toast.png"::: -Depending on settings both users and admins configure, toast notification may occur occasionally before the day of the deadline to remind the user of the update. During this time, if they're allowed, automatic restarts might be scheduled after active hours. +Depending on settings both users and admins configure, toast notification may occur occasionally before the day of the deadline to remind the user of the update. During this time, if they're allowed, automatic restarts might be scheduled after active hours. - If an automatic restart is scheduled or the user scheduled the restart, and the user is signed in at that time, they receive a notification 15 minutes before the scheduled time. :::image type="content" source="../media/9091858-11-pre-deadline-restart-imminent.png" alt-text="Screenshot of the dialog displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now or acknowledge the notification" lightbox="../media/9091858-pre-deadline-restart-imminent.png"::: -As the device approaches the deadline time, a notification displays in the middle of the screen that contains the deadline time and options to restart now or acknowledge the notification. +As the device approaches the deadline time, a notification displays in the middle of the screen that contains the deadline time and options to restart now or acknowledge the notification. :::image type="content" source="../media/9091858-11-dialog-18-hours.png" alt-text="Screenshot of the dialog displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now or acknowledge the notification." lightbox="../media/9091858-11-dialog-18-hours.png"::: 
@@ -58,14 +58,14 @@ The following notifications are what the user sees on Windows 11, version 22H2 a When **Specify deadlines for automatic updates and restarts** is set: -For the first few days, the user receives a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends. +For the first few days, the user receives a toast notification in the corner of their screen. The notification includes the deadline date, and options to either restart now, pick a time to restart, or restart tonight once active hours ends. - If the device is Windows 11, version 22H2 and the user set [the option](../waas-wufb-csp-mdm.md#user-settings-for-notifications) **Settings** > **Windows Update** > **Advanced options** > **Notify me when a restart is required to finish updating** to **On**, they immediately receive the toast notification when the device enters a restart pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare. - If the device is Windows 11, version 22H2 and the user set **Notify me when a restart is required to finish updating** to **Off** (default), they receive a toast notification that a restart is required 24 hours after the device enters a reboot pending state for updates. :::image type="content" source="../media/9091858-11-initial-toast.png" alt-text="Screenshot of the initial toast notification displayed in Windows 11 version 23H2, or later, for a user when a restart is needed for an update but isn't past the deadline." lightbox="../media/9091858-initial-toast.png"::: -Depending on settings both users and admins configure, notifications display in the middle of the screen as the deadline gets closer. +Depending on settings both users and admins configure, notifications display in the middle of the screen as the deadline gets closer. 
- If there's still time for an automatic restart to occur after active hours, the dialog displays an option to let the device restart later along with options to restart now or to pick a time to schedule a restart. - If there's not time for an automatic restart to occur after active hours, the dialog displays options to pick a time to schedule a restart, restart now, or remind the user later. @@ -76,7 +76,7 @@ During this time before the deadline is reached, if they're allowed, automatic r :::image type="content" source="../media/9091858-11-pre-deadline-restart-imminent.png" alt-text="Screenshot of the dialog displayed for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now, schedule a restart, or acknowledge the notification. This notification is displayed for Windows 11, version 22H2, and earlier devices." lightbox="../media/9091858-11-pre-deadline-restart-imminent.png"::: -The day of the deadline, a notification displays that contains the deadline time and options to restart now or acknowledge the notification. +The day of the deadline, a notification displays that contains the deadline time and options to restart now or acknowledge the notification. :::image type="content" source="../media/9091858-11-dialog-18-hours.png" alt-text="Screenshot of the dialog displayed for a user when a restart is needed for an update but the deadline isn't reached yet. The notification contains the deadline time and options to restart now or acknowledge the notification. This notification is displayed for Windows 11, version 22H2, and earlier devices." lightbox="../media/9091858-11-dialog-18-hours.png"::: diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 2bd5947bd1..d7682bf733 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
@@ -6,10 +6,10 @@ ms.subservice: itpro-updates ms.topic: how-to author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.reviewer: stevedia ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Windows Server 
@@ -38,11 +38,11 @@ Devices must be able to connect to the internet to obtain Dynamic Updates. In so ## Acquire Dynamic Update packages -You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. Check various parts of the results to be sure you've identified the files needed. The following tables show the key values to search for or look for in the results. +You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. Check various parts of the results to be sure you've identified the files needed. The following tables show the key values to search for or look for in the results. ### Windows Server 2025 Dynamic Update packages -**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. +**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. | Update packages |Title | |-----------------------------------|--------------------------------------------------------------------------------------| 
@@ -161,7 +161,7 @@ Optional Components, along with the .NET feature, can be installed offline. Howe ### Checkpoint cumulative updates -Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update might have a prerequisite cumulative update that is required to be installed first. These updates are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates are available from the download button. In addition, the knowledge base article for the cumulative update provides additional information. +Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update might have a prerequisite cumulative update that is required to be installed first. These updates are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates are available from the download button. In addition, the knowledge base article for the cumulative update provides additional information. To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` is used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. 
Cumulative update packages with a revision <= the target cumulative update are processed. If you aren't customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls can't be used for steps 12 and 23. 
@@ -253,13 +253,13 @@ Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContai ### Update WinRE and each main OS Windows edition -The script updates each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted. +The script updates each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted. -For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack via the latest cumulative update, since its components are used for updating other components. Depending on the Windows release that you're updating, there are two different approaches for updating the servicing stack. The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that includes the servicing stack updates (that is, SSU + LCU are combined). Windows 11, version 21H2, and Windows 11, version 22H2 are examples. In these cases, the servicing stack update isn't published separately; the combined cumulative update should be used for this step. However, in rare cases, there might be a breaking change in the combined cumulative update format change, that requires a standalone servicing stack update to be published, and installed first before the combined cumulative update can be installed. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size. +For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack via the latest cumulative update, since its components are used for updating other components. 
Depending on the Windows release that you're updating, there are two different approaches for updating the servicing stack. The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that includes the servicing stack updates (that is, SSU + LCU are combined). Windows 11, version 21H2, and Windows 11, version 22H2 are examples. In these cases, the servicing stack update isn't published separately; the combined cumulative update should be used for this step. However, in rare cases, there might be a breaking change in the combined cumulative update format change, that requires a standalone servicing stack update to be published, and installed first before the combined cumulative update can be installed. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size. -Next, for the mounted OS image, the script starts by applying the servicing stack via the latest cumulative update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then attempts to clean the image, then a final step to apply the latest cumulative update. 
It's important to apply the latest cumulative update last, to ensure Features on Demand, Optional Components, and Languages are updated from their initial release state. The .NET feature is an exception that's added along with its cumulative update next. Finally, the script exports the image. +Next, for the mounted OS image, the script starts by applying the servicing stack via the latest cumulative update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then attempts to clean the image, then a final step to apply the latest cumulative update. It's important to apply the latest cumulative update last, to ensure Features on Demand, Optional Components, and Languages are updated from their initial release state. The .NET feature is an exception that's added along with its cumulative update next. Finally, the script exports the image. -This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim. +This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim. ```powershell 
@@ -270,14 +270,14 @@ This process is repeated for each edition of Windows within the main operating s # Get the list of images contained within the main OS $WINOS_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Foreach ($IMAGE in $WINOS_IMAGES) +Foreach ($IMAGE in $WINOS_IMAGES) { # first mount the main OS image Write-Output "$(Get-TS): Mounting main OS, image index $($IMAGE.ImageIndex)" Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index $IMAGE.ImageIndex -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null - if ($IMAGE.ImageIndex -eq "1") + if ($IMAGE.ImageIndex -eq "1") { # @@ -288,21 +288,21 @@ Foreach ($IMAGE in $WINOS_IMAGES) Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null # Add servicing stack update (Step 1 from the table) - Write-Output "$(Get-TS): Adding package $LCU_PATH to WinRE" + Write-Output "$(Get-TS): Adding package $LCU_PATH to WinRE" try { - Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null + Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null } Catch { $theError = $_ Write-Output "$(Get-TS): $theError" - - if ($theError.Exception -like "*0x8007007e*") + + if ($theError.Exception -like "*0x8007007e*") { Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore." } - else + else { throw } 
@@ -311,42 +311,42 @@ Foreach ($IMAGE in $WINOS_IMAGES) # # Optional: Add the language to recovery environment # - + # Install lp.cab cab Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinRE" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null # Install language cabs for each optional package installed $WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT - Foreach ($PACKAGE in $WINRE_INSTALLED_OC) + Foreach ($PACKAGE in $WINRE_INSTALLED_OC) { - if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) + if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) { $INDEX = $PACKAGE.PackageName.IndexOf("-Package") if ($INDEX -ge 0) { $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab" - if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) + if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) { $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinRE" - Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null + Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null } } } } # Add font support for the new language - if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) + if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) { Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinRE" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null } # Add TTS support for the new language - if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) + if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) { - if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) + if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) { Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to 
WinRE" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null @@ -363,7 +363,7 @@ Foreach ($IMAGE in $WINOS_IMAGES) # Perform image cleanup Write-Output "$(Get-TS): Performing image cleanup on WinRE" DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null - if ($LastExitCode -ne 0) + if ($LastExitCode -ne 0) { throw "Error: Failed to perform image cleanup on WinRE. Exit code: $LastExitCode" } @@ -376,9 +376,9 @@ Foreach ($IMAGE in $WINOS_IMAGES) Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null } - + Copy-Item -Path $WORKING_PATH"\winre2.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -ErrorAction stop | Out-Null - + # # update Main OS # @@ -415,14 +415,14 @@ Foreach ($IMAGE in $WINOS_IMAGES) { Write-Output "$(Get-TS): Adding $($FOD[$index]) to main OS, index $($IMAGE.ImageIndex)" Add-WindowsCapability -Name $($FOD[$index]) -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null - } - + } + # Optional: Add Legacy Features For ( $index = 0; $index -lt $OC.count; $index++) { Write-Output "$(Get-TS): Adding $($OC[$index]) to main OS, index $($IMAGE.ImageIndex)" DISM /Image:$MAIN_OS_MOUNT /Enable-Feature /FeatureName:$($OC[$index]) /All | Out-Null - if ($LastExitCode -ne 0) + if ($LastExitCode -ne 0) { throw "Error: Failed to add $($OC[$index]) to main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode" } 
@@ -432,14 +432,14 @@ Foreach ($IMAGE in $WINOS_IMAGES) Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)" Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null - # Perform image cleanup. Some Optional Components might require the image to be booted, and thus + # Perform image cleanup. Some Optional Components might require the image to be booted, and thus # image cleanup may fail. We'll catch and handle as a warning. Write-Output "$(Get-TS): Performing image cleanup on main OS, index $($IMAGE.ImageIndex)" DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null - if ($LastExitCode -ne 0) + if ($LastExitCode -ne 0) { - if ($LastExitCode -eq -2146498554) - { + if ($LastExitCode -eq -2146498554) + { # We hit 0x800F0806 CBS_E_PENDING. We will ignore this with a warning # This is likely due to legacy components being added that require online operations. Write-Warning "$(Get-TS): Failed to perform image cleanup on main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode. The operation cannot be performed until pending servicing operations are completed. The image must be booted to complete the pending servicing operation." @@ -482,7 +482,7 @@ This script is similar to the one that updates WinRE, but instead it mounts Boot # Get the list of images contained within WinPE $WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Foreach ($IMAGE in $WINPE_IMAGES) +Foreach ($IMAGE in $WINPE_IMAGES) { # update WinPE 
@@ -493,17 +493,17 @@ Foreach ($IMAGE in $WINPE_IMAGES) try { Write-Output "$(Get-TS): Adding package $LCU_PATH to WinPE, image index $($IMAGE.ImageIndex)" - Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null } Catch { $theError = $_ Write-Output "$(Get-TS): $theError" - if ($theError.Exception -like "*0x8007007e*") + if ($theError.Exception -like "*0x8007007e*") { Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore." } - else + else { throw } 
@@ -515,36 +515,36 @@ Foreach ($IMAGE in $WINPE_IMAGES) # Install language cabs for each optional package installed $WINPE_INSTALLED_OC = Get-WindowsPackage -Path $WINPE_MOUNT - Foreach ($PACKAGE in $WINPE_INSTALLED_OC) + Foreach ($PACKAGE in $WINPE_INSTALLED_OC) { - if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) + if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) { $INDEX = $PACKAGE.PackageName.IndexOf("-Package") - if ($INDEX -ge 0) + if ($INDEX -ge 0) { $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab" - if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) + if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) { $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB - + Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinPE, image index $($IMAGE.ImageIndex)" - Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null } } } } # Add font support for the new language - if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) + if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) { Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinPE, image index $($IMAGE.ImageIndex)" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null } # Add TTS support for the new language - if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) + if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) { - if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) + if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) { Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinPE, image index $($IMAGE.ImageIndex)" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null 
@@ -555,11 +555,11 @@ Foreach ($IMAGE in $WINPE_IMAGES) } # Generates a new Lang.ini file which is used to define the language packs inside the image - if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) + if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) { Write-Output "$(Get-TS): Updating lang.ini" DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null - if ($LastExitCode -ne 0) + if ($LastExitCode -ne 0) { throw "Error: Failed to update lang.ini. Exit code: $LastExitCode" } 
@@ -572,33 +572,33 @@ Foreach ($IMAGE in $WINPE_IMAGES) # Perform image cleanup Write-Output "$(Get-TS): Performing image cleanup on WinPE, image index $($IMAGE.ImageIndex)" DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null - if ($LastExitCode -ne 0) + if ($LastExitCode -ne 0) { throw "Error: Failed to perform image cleanup on WinPE, image index $($IMAGE.ImageIndex). Exit code: $LastExitCode" } - if ($IMAGE.ImageIndex -eq "2") + if ($IMAGE.ImageIndex -eq "2") { # Save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null - + # Save setuphost.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder # This is only required starting with Windows 11 version 24H2 $TEMP = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex - if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100") + if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100") { Copy-Item -Path $WINPE_MOUNT"\sources\setuphost.exe" -Destination $WORKING_PATH"\setuphost.exe" -Force -ErrorAction stop | Out-Null } - else + else { Write-Output "$(Get-TS): Skipping copy of setuphost.exe; image version $($TEMP.Version)" } - + # Save serviced boot manager files later copy to the root media. Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgfw.efi" -Destination $WORKING_PATH"\bootmgfw.efi" -Force -ErrorAction stop | Out-Null Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgr.efi" -Destination $WORKING_PATH"\bootmgr.efi" -Force -ErrorAction stop | Out-Null } - + # Dismount Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null 
@@ -623,7 +623,7 @@ This part of the script updates the Setup files. It simply copies the individual # Add Setup DU by copy the files from the package into the newMedia Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH" cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null -if ($LastExitCode -ne 0) +if ($LastExitCode -ne 0) { throw "Error: Failed to expand $SETUP_DU_PATH. Exit code: $LastExitCode" } @@ -633,7 +633,7 @@ Write-Output "$(Get-TS): Copying $WORKING_PATH\setup.exe to $MEDIA_NEW_PATH\sour Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null # Copy setuphost.exe from boot.wim, saved earlier. -if (Test-Path -Path $WORKING_PATH"\setuphost.exe") +if (Test-Path -Path $WORKING_PATH"\setuphost.exe") { Write-Output "$(Get-TS): Copying $WORKING_PATH\setuphost.exe to $MEDIA_NEW_PATH\sources\setuphost.exe" Copy-Item -Path $WORKING_PATH"\setuphost.exe" -Destination $MEDIA_NEW_PATH"\sources\setuphost.exe" -Force -ErrorAction stop | Out-Null 
@@ -642,14 +642,14 @@ if (Test-Path -Path $WORKING_PATH"\setuphost.exe") # Copy bootmgr files from boot.wim, saved earlier. $MEDIA_NEW_FILES = Get-ChildItem $MEDIA_NEW_PATH -Force -Recurse -Filter b*.efi -Foreach ($File in $MEDIA_NEW_FILES) +Foreach ($File in $MEDIA_NEW_FILES) { - if (($File.Name -ieq "bootmgfw.efi") -or ($File.Name -ieq "bootx64.efi") -or ($File.Name -ieq "bootia32.efi") -or ($File.Name -ieq "bootaa64.efi")) + if (($File.Name -ieq "bootmgfw.efi") -or ($File.Name -ieq "bootx64.efi") -or ($File.Name -ieq "bootia32.efi") -or ($File.Name -ieq "bootaa64.efi")) { Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgfw.efi to $($File.FullName)" Copy-Item -Path $WORKING_PATH"\bootmgfw.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null } - elseif ($File.Name -ieq "bootmgr.efi") + elseif ($File.Name -ieq "bootmgr.efi") { Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgr.efi to $($File.FullName)" Copy-Item -Path $WORKING_PATH"\bootmgr.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md index 0e8eca8f1d..1872f1f2b0 100644 --- a/windows/deployment/update/optional-content.md +++ b/windows/deployment/update/optional-content.md 
@@ -6,21 +6,21 @@ ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 ms.date: 04/22/2024 --- # Migrating and acquiring optional Windows content during updates - + This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term. -When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update). +When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update). -Neither approach contains the full set of Windows optional features that a user's device might need, so those features aren't migrated to the new operating system. In the past, those features weren't available in Configuration Manager nor WSUS for on-premises acquisition after a feature update. 
+Neither approach contains the full set of Windows optional features that a user's device might need, so those features aren't migrated to the new operating system. In the past, those features weren't available in Configuration Manager nor WSUS for on-premises acquisition after a feature update. ## What is optional content? @@ -29,7 +29,7 @@ Optional content includes the following items: - General Features on Demand also referred to as FODs (for example, Windows Mixed Reality) - Language-based and regional FODs (for example, Language.Basic~~~ja-jp~0.0.1.0) - Local Experience Packs -- Language packs +- Language packs Optional content isn't included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it's released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for user's data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network. 
@@ -39,9 +39,9 @@ The challenges surrounding optional content typically fall into two groups: ### Incomplete operating system updates -The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating system is written to the user's disk alongside the old version in a temporary folder, where a second clean operating system is installed and prepared for the user to *move into*. When operation happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system. - -Windows Setup needs access to the optional content. Since optional content isn't in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can't be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to as *failure to migrate optional content during update*. For media-based updates, Windows will automatically try again once the new operating system boots. We call this *latent acquisition*. +The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating system is written to the user's disk alongside the old version in a temporary folder, where a second clean operating system is installed and prepared for the user to *move into*. When operation happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system. + +Windows Setup needs access to the optional content. 
Since optional content isn't in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can't be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to as *failure to migrate optional content during update*. For media-based updates, Windows will automatically try again once the new operating system boots. We call this *latent acquisition*. ### User-initiated feature acquisition failure @@ -109,7 +109,7 @@ For many organizations, the deployment workflow involves a Configuration Manager You can customize the Windows image in these ways: - Applying a cumulative update -- Applying updates to the servicing stack +- Applying updates to the servicing stack - Applying updates to `Setup.exe` binaries or other files that setup uses for feature updates - Applying updates for the *safe operating system* (SafeOS) that's used for the Windows recovery environment - Adding or removing languages 
@@ -124,11 +124,11 @@ A partial solution to address the first pain point of failing to migrate optiona When Setup runs, it injects these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages can't be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cab files from the LPLIP ISO. We treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don't migrate FOD and languages (unless Dynamic Update is enabled). -This approach has some interesting benefits. The original Windows image doesn't need to be modified, possibly saving time and scripting. +This approach has some interesting benefits. The original Windows image doesn't need to be modified, possibly saving time and scripting. ### Option 6: Install optional content after deployment -This option is like Option 4 in that you customize the operating system image with more optional content after it's deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that's installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 5, you would internally host a network share that contains the source of the optional content packages. 
Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user's device without loss of functionality. +This option is like Option 4 in that you customize the operating system image with more optional content after it's deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that's installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 5, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user's device without loss of functionality. ### Option 7: Configure an alternative source for optional content 
@@ -161,7 +161,7 @@ Options 4 and 6 involve the most scripting. Sample scripts for Option 4 already ### Creating an optional content repository -To get started, we build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository. +To get started, we build a repository of optional content and host on a network share. This content is a subset of content from the FOD and language pack ISOs that ship with each release. We configure this repository or repo with only those FODs our organization needs, using DISM /Export. For example, a superset based on taking inventory of optional features installed on existing devices. In this case, we exclude the Windows Mixed Reality feature. In addition, we copy all language packs to the root of the repository. @@ -170,7 +170,7 @@ To get started, we build a repository of optional content and host on a network $LP_ISO_PATH = "C:\_IMAGE\2004_ISO\CLIENTLANGPACKDVD_OEM_MULTI.iso" $FOD_ISO_PATH = "C:\_IMAGE\2004_ISO\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso" -# Declare folders +# Declare folders $WORKING_PATH = "C:\_IMAGE\BuildRepo" $MEDIA_PATH = "C:\_IMAGE\2004_SETUP" 
@@ -178,20 +178,20 @@ $MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount" $REPO_PATH = $WORKING_PATH + "\Repo" # Create folders for mounting image optional content repository -if (Test-Path $MAIN_OS_MOUNT) { - Remove-Item -Path $MAIN_OS_MOUNT -Force -Recurse -ErrorAction stop| Out-Null +if (Test-Path $MAIN_OS_MOUNT) { + Remove-Item -Path $MAIN_OS_MOUNT -Force -Recurse -ErrorAction stop| Out-Null } -if (Test-Path $REPO_PATH) { - Remove-Item -Path $REPO_PATH -Force -Recurse -ErrorAction stop| Out-Null +if (Test-Path $REPO_PATH) { + Remove-Item -Path $REPO_PATH -Force -Recurse -ErrorAction stop| Out-Null } -New-Item -ItemType Directory -Force -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null -New-Item -ItemType Directory -Force -Path $REPO_PATH -ErrorAction stop| Out-Null +New-Item -ItemType Directory -Force -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null +New-Item -ItemType Directory -Force -Path $REPO_PATH -ErrorAction stop| Out-Null # Mount the main OS, I'll use this throughout the script Write-Host "Mounting main OS" -Mount-WindowsImage -ImagePath $MEDIA_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null +Mount-WindowsImage -ImagePath $MEDIA_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null # Mount the LP ISO Write-Host "Mounting LP ISO" @@ -203,9 +203,9 @@ $OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "*.cab" # Mount the FOD ISO Write-Host "Mounting FOD ISO" $FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter -$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\" +$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\" -# Export the FODs from the ISO that we are interested in +# Export the FODs from the ISO that we are interested in Write-Host "Exporting FODs to Repo" DISM /image:$MAIN_OS_MOUNT /export-source /source:$FOD_PATH /target:$REPO_PATH ` /capabilityname:Accessibility.Braille~~~~0.0.1.0 ` 
@@ -553,11 +553,11 @@ DISM /image:$MAIN_OS_MOUNT /export-source /source:$FOD_PATH /target:$REPO_PATH ` /capabilityname:Windows.Client.ShellComponents~~~~0.0.1.0 ` /capabilityname:Windows.Desktop.EMS-SAC.Tools~~~~0.0.1.0 ` /capabilityname:WMI-SNMP-Provider.Client~~~~0.0.1.0 ` - /capabilityname:XPS.Viewer~~~~0.0.1.0 + /capabilityname:XPS.Viewer~~~~0.0.1.0 # This one is large, lets skip for now #/capabilityname:Analog.Holographic.Desktop~~~~0.0.1.0 ` - + # Copy language caps to the repo Copy-Item -Path $OS_LP_PATH -Destination $REPO_PATH -Force -ErrorAction stop | Out-Null @@ -568,7 +568,7 @@ Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Discard -ErrorAction ignore | Out-Nu # Dismount ISO images Write-Host "Dismounting ISO images" Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction ignore | Out-Null -Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction ignore | Out-Null +Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction ignore | Out-Null ``` @@ -588,7 +588,7 @@ $OSVERSION_PATH = $OUTPUT_PATH + "sourceVersion.txt" $REPO_PATH = "Z:\Repo\" $LOCAL_REPO_PATH = $OUTPUT_PATH + "Local_Repo\" -Function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } +Function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } Function Log { @@ -600,7 +600,7 @@ Function Log $M = "$(Get-TS): PreInstall: $MESSAGE" Write-Host $M Add-Content -Path $LOG_PATH -Value $M - + } Function IsLangFile 
@@ -612,7 +612,7 @@ Function IsLangFile if (($PATH -match '[-_~]ar[-_~]') -or ($PATH -match '[-_~]bg[-_~]') -or ($PATH -match '[-_~]cs[-_~]') -or ` ($PATH -match '[-_~]da[-_~]') -or ($PATH -match '[-_~]de[-_~]') -or ($PATH -match '[-_~]el[-_~]') -or ` - ($PATH -match '[-_~]en[-_~]') -or ($PATH -match '[-_~]es[-_~]') -or ($PATH -match '[-_~]et[-_~]') -or ` + ($PATH -match '[-_~]en[-_~]') -or ($PATH -match '[-_~]es[-_~]') -or ($PATH -match '[-_~]et[-_~]') -or ` ($PATH -match '[-_~]fi[-_~]') -or ($PATH -match '[-_~]fr[-_~]') -or ($PATH -match '[-_~]he[-_~]') -or ` ($PATH -match '[-_~]hr[-_~]') -or ($PATH -match '[-_~]hu[-_~]') -or ($PATH -match '[-_~]it[-_~]') -or ` ($PATH -match '[-_~]ja[-_~]') -or ($PATH -match '[-_~]ko[-_~]') -or ($PATH -match '[-_~]lt[-_~]') -or ` @@ -643,7 +643,7 @@ Log "OS Version: $($OSINFO.Version)" Add-Content -Path $OSVERSION_PATH -Value $OSINFO.Version # Get installed languages from international settings -$INTL = DISM.exe /Online /Get-Intl /English +$INTL = DISM.exe /Online /Get-Intl /English # Save only output lines with installed languages $LANGUAGES = $INTL | Select-String -SimpleMatch 'Installed language(s)' 
@@ -659,22 +659,22 @@ $SYSLANG = $SYSLANG | ForEach-Object {$_.Line.Replace("Default system UI languag # Save these languages Log "Default system UI language on source OS: $($SYSLANG)" -ForEach ($ITEM in $LANGUAGES) { +ForEach ($ITEM in $LANGUAGES) { Log "Installed language on source OS: $($ITEM)" Add-Content -Path $LANG_PATH -Value $ITEM } # Get and save installed packages, we'll use this for debugging $PACKAGES = Get-WindowsPackage -Online -ForEach ($ITEM in $PACKAGES) { +ForEach ($ITEM in $PACKAGES) { if($ITEM.PackageState -eq "Installed") { - Log "Package $($ITEM.PackageName) is installed" + Log "Package $($ITEM.PackageName) is installed" } } # Get and save capabilities -$CAPABILITIES = Get-WindowsCapability -Online -ForEach ($ITEM in $CAPABILITIES) { +$CAPABILITIES = Get-WindowsCapability -Online +ForEach ($ITEM in $CAPABILITIES) { if($ITEM.State -eq "Installed") { Log "Capability $($ITEM.Name) is installed" Add-Content -Path $CAP_PATH -Value $ITEM.Name @@ -688,10 +688,10 @@ ForEach ($FILE in $REPO_FILES) { If (!(Test-Path $Path)) { New-Item -ItemType Directory -Path $PATH -Force | Out-Null } - If ((IsLangFile $FILE.Name)) { + If ((IsLangFile $FILE.Name)) { # Only copy those files where we need the primary languages from the source OS - ForEach ($ITEM in $LANGUAGES) { + ForEach ($ITEM in $LANGUAGES) { if ($FILE.Name -match $Item) { If (!(Test-Path (Join-Path $Path $File.Name))) { @@ -701,7 +701,7 @@ ForEach ($FILE in $REPO_FILES) { else { Log "File $($FILE.Name) already exists in local repository" } - } + } } } Else { 
@@ -717,12 +717,12 @@ ForEach ($FILE in $REPO_FILES) { } Log ("Exiting") - + ``` ### Adding optional content in the target operating system -After setup has completed successfully, we use success.cmd to retrieve the optional content state from the source operating system and install in the new operating system only if that's missing. Then, apply the latest monthly update as a final step. +After setup has completed successfully, we use success.cmd to retrieve the optional content state from the source operating system and install in the new operating system only if that's missing. Then, apply the latest monthly update as a final step. ```powershell @@ -735,7 +735,7 @@ $LOCAL_REPO_PATH = $OUTPUT_PATH + "Local_Repo\" $LCU_PATH = $OUTPUT_PATH + "Windows10.0-KB4565503-x64_PSFX.cab" $PENDING = $false -Function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } +Function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } Function Log { @@ -747,7 +747,7 @@ Function Log $M = "$(Get-TS): PostInstall: $MESSAGE" Write-Host $M Add-Content -Path $LOG_PATH -Value $M - + } Log "Starting" @@ -765,7 +765,7 @@ if (!(Test-Path $LANG_PATH) -or !(Test-Path $CAP_PATH) -or !(Test-Path $OSVERSIO else { # Retrive OS version from source OS - $SOURCE_OSVERSION = Get-Content -Path $OSVERSION_PATH + $SOURCE_OSVERSION = Get-Content -Path $OSVERSION_PATH if ($OSINFO.Version -eq $SOURCE_OSVERSION) { Log "OS Version hasn't changed." } @@ -773,10 +773,10 @@ else { else { # Retrive language list from source OS - $SOURCE_LANGUAGES = Get-Content -Path $LANG_PATH + $SOURCE_LANGUAGES = Get-Content -Path $LANG_PATH # Get installed languages from International Settings - $INTL = DISM.exe /Online /Get-Intl /English + $INTL = DISM.exe /Online /Get-Intl /English # Save System Language, save only output line with default system language $SYS_LANG = $INTL | Select-String -SimpleMatch 'Default system UI language' 
@@ -786,53 +786,53 @@ else { # Get and save installed packages, we'll use this for debugging $PACKAGES = Get-WindowsPackage -Online - ForEach ($ITEM in $PACKAGES) { + ForEach ($ITEM in $PACKAGES) { if($ITEM.PackageState -eq "Installed") { Log "Package $($ITEM.PackageName) is installed" } } # Loop through source OS languages, and install if missing on target OS - ForEach ($SOURCE_ITEM in $SOURCE_LANGUAGES) { + ForEach ($SOURCE_ITEM in $SOURCE_LANGUAGES) { if ($SOURCE_ITEM -ne $SYS_LANG) { # add missing languages except the system language Log "Adding language Microsoft-Windows-Client-Language-Pack_x64_$($SOURCE_ITEM).cab" try { - Add-WindowsPackage -Online -PackagePath "$($LOCAL_REPO_PATH)\Microsoft-Windows-Client-Language-Pack_x64_$($SOURCE_ITEM).cab" -ErrorAction stop | Out-Null + Add-WindowsPackage -Online -PackagePath "$($LOCAL_REPO_PATH)\Microsoft-Windows-Client-Language-Pack_x64_$($SOURCE_ITEM).cab" -ErrorAction stop | Out-Null } catch { Log $_.Exception.Message } } } - + # Retrieve capabilities from source OS and target OS $SOURCE_CAPABILITIES = Get-Content -Path $CAP_PATH - $CAPABILITIES = Get-WindowsCapability -Online + $CAPABILITIES = Get-WindowsCapability -Online # Loop through source OS capabilities, and install if missing on target OS - ForEach ($SOURCE_ITEM in $SOURCE_CAPABILITIES) { + ForEach ($SOURCE_ITEM in $SOURCE_CAPABILITIES) { $INSTALLED = $false - ForEach ($ITEM in $CAPABILITIES) { + ForEach ($ITEM in $CAPABILITIES) { if ($ITEM.Name -eq $($SOURCE_ITEM)) { if ($ITEM.State -eq "Installed") { $INSTALLED = $true break } } - } + } # Add if not already installed if (!($INSTALLED)) { Log "Adding capability $SOURCE_ITEM" try { - Add-WindowsCapability -Online -Name $SOURCE_ITEM -Source $LOCAL_REPO_PATH -ErrorAction stop | Out-Null + Add-WindowsCapability -Online -Name $SOURCE_ITEM -Source $LOCAL_REPO_PATH -ErrorAction stop | Out-Null } catch { Log $_.Exception.Message } - } + } else { Log "Capability $SOURCE_ITEM is already installed" } 
@@ -840,11 +840,11 @@ else { # Add LCU, this is required after adding FODs and languages Log ("Adding LCU") - Add-WindowsPackage -Online -PackagePath $LCU_PATH -NoRestart + Add-WindowsPackage -Online -PackagePath $LCU_PATH -NoRestart # Get packages, we'll use this for debugging and to see if we need to restart to install $PACKAGES = Get-WindowsPackage -Online - ForEach ($ITEM in $PACKAGES) { + ForEach ($ITEM in $PACKAGES) { Log "Package $($ITEM.PackageName) is $($ITEM.PackageState)" if ($ITEM.PackageState -eq "InstallPending") { $PENDING = $true diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md index 47a408ee3e..490584def6 100644 --- a/windows/deployment/update/plan-define-readiness.md +++ b/windows/deployment/update/plan-define-readiness.md @@ -6,9 +6,9 @@ ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 ms.date: 12/31/2017 diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index 37900735dd..1629a50e5f 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md @@ -6,9 +6,9 @@ ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 ms.date: 12/31/2017 
@@ -30,7 +30,7 @@ Here's a calendar showing an example schedule that applies one Windows feature u [ ![Calendar showing an annual update cadence.](images/annual-calendar.png) ](images/annual-calendar.png#lightbox) -This approach provides approximately 12 months of use from each feature update before the next update is due to be installed by aligning to the Windows H2 feature update. +This approach provides approximately 12 months of use from each feature update before the next update is due to be installed by aligning to the Windows H2 feature update. This cadence might be most suitable for you if any of these conditions apply: @@ -38,6 +38,6 @@ This cadence might be most suitable for you if any of these conditions apply: - You want to wait and see how successful other companies are at adopting a Windows feature update. -- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows serviced in case business priorities change. +- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows serviced in case business priorities change. diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md index def7222a70..0ac059d07a 100644 --- a/windows/deployment/update/prepare-deploy-windows.md +++ b/windows/deployment/update/prepare-deploy-windows.md @@ -6,7 +6,7 @@ ms.subservice: itpro-updates ms.topic: concept-article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium appliesto: - ✅ Windows 11 diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md index b195e6d540..81dd2f440a 100644 --- a/windows/deployment/update/release-cycle.md +++ b/windows/deployment/update/release-cycle.md 
@@ -6,7 +6,7 @@ ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium appliesto: - ✅ Windows 11 diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md index e9d8d1decd..cb885ff58e 100644 --- a/windows/deployment/update/safeguard-holds.md +++ b/windows/deployment/update/safeguard-holds.md @@ -6,12 +6,12 @@ ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium ms.collection: - highpri - tier2 -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 ms.date: 12/31/2017 @@ -47,5 +47,5 @@ We recommend that you don't attempt to manually update until issues have been re > [!CAUTION] > Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out. - + With that in mind, IT admins who stay informed with [Windows Update for Business reports](wufb-reports-overview.md) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically. diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md index 8c13cedd5d..040d89d803 100644 --- a/windows/deployment/update/safeguard-opt-out.md +++ b/windows/deployment/update/safeguard-opt-out.md 
@@ -1,14 +1,14 @@ --- title: Opt out of safeguard holds -description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it. +description: How to install an update in your organization even when a safeguard hold for a known issue has been applied to it. ms.service: windows-client ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 ms.date: 10/21/2020 
@@ -21,15 +21,15 @@ Safeguard holds prevent a device with a known compatibility issue from being off ## How can I opt out of safeguard holds? IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update client policies devices running the following operating systems: -- Windows 11 +- Windows 11 - Windows 10, version 1809, or later, with the October 2020 security update. > [!CAUTION] -> Opting out of a safeguard hold can put devices at risk from known performance issues. +> Opting out of a safeguard hold can put devices at risk from known performance issues. We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows client feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business. -Disabling safeguards doesn't guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you're bypassing the protection against known issues. +Disabling safeguards doesn't guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you're bypassing the protection against known issues. > [!NOTE] -> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to **Not configured** even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. 
+> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to **Not configured** even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 392ee59e6e..c89c968cc2 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -6,12 +6,12 @@ ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.collection: - highpri - tier2 ms.localizationpriority: high -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Windows Server 
@@ -34,9 +34,9 @@ Servicing stack updates provide fixes to the servicing stack, the component that ## What's the difference between a servicing stack update and a cumulative update? -Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. A servicing stack update improves the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates. +Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. A servicing stack update improves the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates. -Starting in February 2021, the cumulative update includes the latest servicing stack updates, providing a single combined cumulative update payload for Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. This combined monthly cumulative update is available on Windows 10, version 2004 and later starting with [KB4601382](https://support.microsoft.com/kb/4601382). If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you only have to select and deploy the monthly cumulative update. The latest servicing stack updates are automatically applied correctly. Release notes and file information for cumulative updates, including notes and information related to the servicing stack, are in a single KB article. 
+Starting in February 2021, the cumulative update includes the latest servicing stack updates, providing a single combined cumulative update payload for Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. This combined monthly cumulative update is available on Windows 10, version 2004 and later starting with [KB4601382](https://support.microsoft.com/kb/4601382). If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you only have to select and deploy the monthly cumulative update. The latest servicing stack updates are automatically applied correctly. Release notes and file information for cumulative updates, including notes and information related to the servicing stack, are in a single KB article. ## When are they released? diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md index e625088cb2..7ce38a753d 100644 --- a/windows/deployment/update/update-baseline.md +++ b/windows/deployment/update/update-baseline.md @@ -6,9 +6,9 @@ ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 10 ms.date: 12/31/2017 --- 
@@ -18,20 +18,20 @@ ms.date: 12/31/2017 > [!NOTE] > Update Baseline isn't currently available for Windows 11. -With the large number of different policies offered for Windows client, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations. +With the large number of different policies offered for Windows client, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations. -## Why is Update Baseline needed? +## Why is Update Baseline needed? -Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you're just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations. +Update Baseline is an industry-tested solution that improves update adoption rates while also maintaining a high-quality user experience. Whether you're just starting out, or you have been configuring policies for years, Update Baseline can help get you to a known good state with an excellent user experience. Applying the baseline is especially helpful for organizations that have many years of policy configurations to clear out lingering misconfigurations. 
-## You can use Update Baseline to: +## You can use Update Baseline to: -- Ensure that user and device configuration settings are compliant with the baseline. -- Set configuration settings. You can use Group Policy to configure a device with the setting values specified in the baseline. +- Ensure that user and device configuration settings are compliant with the baseline. +- Set configuration settings. You can use Group Policy to configure a device with the setting values specified in the baseline. -Update Baseline doesn't affect your offering policies, whether you're using deferrals or target version to manage which updates are offered to your devices and when. +Update Baseline doesn't affect your offering policies, whether you're using deferrals or target version to manage which updates are offered to your devices and when. -## Policies included in the Update Baseline +## Policies included in the Update Baseline The Update Baseline configures settings in these Group Policy areas: 
@@ -39,11 +39,11 @@ The Update Baseline configures settings in these Group Policy areas: - Windows Components/Delivery Optimization - Windows Components/Windows Update -For the complete detailed list of all settings and their values, see the MSFT Windows Update.htm file in the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) at the Download Center +For the complete detailed list of all settings and their values, see the MSFT Windows Update.htm file in the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=101056) at the Download Center -## How do I get started? +## How do I get started? -The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. +The Update Baseline toolkit makes it easy by providing a single command for IT Admins to load the baseline settings into Group Policy Management Console. You can get the [Update Baseline toolkit](https://www.microsoft.com/download/details.aspx?id=55319) (included as a part of the Security Compliance Toolkit) from the Download Center. -Today, the Update Baseline toolkit is currently only available for use with Group Policy. +Today, the Update Baseline toolkit is currently only available for use with Group Policy. diff --git a/windows/deployment/update/update-managed-unmanaged-devices.md b/windows/deployment/update/update-managed-unmanaged-devices.md index 911f059706..b46e87d258 100644 --- a/windows/deployment/update/update-managed-unmanaged-devices.md +++ b/windows/deployment/update/update-managed-unmanaged-devices.md 
@@ -8,7 +8,7 @@ ms.date: 06/25/2024 author: v-fvalentyna ms.author: v-fvalentyna ms.reviewer: mstewart,thtrombl,arcarley -manager: aaroncz +manager: bpardi ms.localizationpriority: medium appliesto: - ✅ Windows 11 diff --git a/windows/deployment/update/update-other-microsoft-products.md b/windows/deployment/update/update-other-microsoft-products.md index 977b8fc32a..5aba3db75c 100644 --- a/windows/deployment/update/update-other-microsoft-products.md +++ b/windows/deployment/update/update-other-microsoft-products.md @@ -6,7 +6,7 @@ ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index 8f10fce044..926cb416fa 100644 --- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md @@ -6,7 +6,7 @@ ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium appliesto: - ✅ Windows 11 diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 8bae58b073..25a2521a94 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md 
@@ -6,27 +6,27 @@ ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 10 ms.date: 11/16/2023 --- # Configure BranchCache for Windows client updates -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. +BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. -- Distributed Cache mode operates like the [Delivery Optimization](../do/waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. 
+- Distributed Cache mode operates like the [Delivery Optimization](../do/waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. > [!TIP] - > Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution. + > Distributed Cache mode is preferred to Hosted Cache mode for Windows clients updates to get the most benefit from peer-to-peer distribution. -- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf. +- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf. -For detailed information about how Distributed Cache mode and Hosted Cache mode work, see [BranchCache Overview](/previous-versions/windows/it-pro/windows-7/dd637832(v=ws.10)). +For detailed information about how Distributed Cache mode and Hosted Cache mode work, see [BranchCache Overview](/previous-versions/windows/it-pro/windows-7/dd637832(v=ws.10)). ## Configure clients for BranchCache 
@@ -34,12 +34,12 @@ Whether you use BranchCache with Configuration Manager or WSUS, each client that In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization **Download mode** to '100' (Bypass) to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. -> [!Note] +> [!Note] > [Bypass Download mode (100)](../do/waas-delivery-optimization-reference.md#download-mode) is only available in Windows 10 (starting in version 1607) and deprecated in Windows 11. BranchCache isn't supported for content downloaded using Delivery Optimization in Windows 11. ## Configure servers for BranchCache -You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and Microsoft Configuration Manager. +You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and Microsoft Configuration Manager. For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj572990(v=ws.11)) or [BranchCache Deployment Guide (Windows Server 2016)](/windows-server/networking/branchcache/deploy/branchcache-deployment-guide). diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 4575153002..d2a9de1460 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md 
@@ -1,6 +1,6 @@
 ---
 title: Configure Windows Update client policies
-manager: aaroncz
+manager: bpardi
 description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update client policies for your devices.
 ms.service: windows-client
 author: mestew
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index ec5910bb42..89ecb16c28 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -6,7 +6,7 @@ ms.subservice: itpro-updates
 ms.topic: integration
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.localizationpriority: medium
 appliesto:
 - ✅ Windows 11
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 075c7f13af..cda4e5e217 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -6,34 +6,34 @@ ms.subservice: itpro-updates ms.topic: how-to author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.collection: - highpri - tier2 ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 -- ✅ WSUS +- ✅ WSUS ms.date: 04/22/2024 --- # Deploy Windows client updates using Windows Server Update Services (WSUS) - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they're delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update client policies but doesn't provide all the scheduling options and deployment flexibility that Microsoft Configuration Manager provides. -When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you're currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11. +When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. 
If you're currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11. ## Requirements for Windows client servicing with WSUS -To be able to use WSUS to manage and deploy Windows feature updates, you must use a supported WSUS version: +To be able to use WSUS to manage and deploy Windows feature updates, you must use a supported WSUS version: - WSUS 10.0.14393 (role in Windows Server 2016) -- WSUS 10.0.17763 (role in Windows Server 2019) +- WSUS 10.0.17763 (role in Windows Server 2019) - WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2) - KB 3095113 and KB 3159706 (or an equivalent update) must be installed on WSUS 6.2 and 6.3. @@ -45,7 +45,7 @@ To be able to use WSUS to manage and deploy Windows feature updates, you must us ## WSUS scalability To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services). - + 
@@ -57,15 +57,15 @@ When using WSUS to manage updates on Windows client devices, start by configurin 1. Open Group Policy Management Console (gpmc.msc). -2. Expand *Forest\Domains\\*Your_Domain**. +2. Expand *Forest\Domains\\*Your_Domain**. 3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**. - ![Create a GPO in this domain example in the UI.](images/waas-wsus-fig3.png) - + ![Create a GPO in this domain example in the UI.](images/waas-wsus-fig3.png) + >[!NOTE] >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU. - + 4. In the **New GPO** dialog box, name the new GPO **WSUS - Auto Updates and Intranet Update Service Location**. 5. Right-click the **WSUS - Auto Updates and Intranet Update Service Location** GPO, and then select **Edit**. 
@@ -75,20 +75,20 @@ When using WSUS to manage updates on Windows client devices, start by configurin 7. Right-click the **Configure Automatic Updates** setting, and then select **Edit**. ![Configure Automatic Updates in the UI.](images/waas-wsus-fig4.png) - + 8. In the **Configure Automatic Updates** dialog box, select **Enable**. 9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then select **OK**. ![Select Auto download and notify for install in the UI.](images/waas-wsus-fig5.png) - + >[!IMPORTANT] > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations - + > [!NOTE] - > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates). - -10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**. + > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates). + +10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**. 11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**. 
@@ -96,9 +96,9 @@ When using WSUS to manage updates on Windows client devices, start by configurin >[!NOTE] >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance. - + ![Set the intranet statistics server in the UI.](images/waas-wsus-fig6.png) - + >[!NOTE] >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.) 
@@ -109,16 +109,16 @@ As Windows clients refresh their computer policies (the default Group Policy ref >[!NOTE] >The following procedures use the groups from Table 1 in [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) as examples. -You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console. +You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console. **To create computer groups in the WSUS Administration Console** -1. Open the WSUS Administration Console. +1. Open the WSUS Administration Console. -2. Go to *Server_Name*\Computers\All Computers, and then select **Add Computer Group**. +2. Go to *Server_Name*\Computers\All Computers, and then select **Add Computer Group**. ![Add Computer Group in the WSUS Administration UI.](images/waas-wsus-fig7.png) - + 3. Type **Ring 2 Pilot Business Users** for the name, and then select **Add**. 4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When you're finished, there should be three deployment ring groups. 
@@ -129,7 +129,7 @@ Now that the groups have been created, add the computers to the computer groups ## Use the WSUS Administration Console to populate deployment rings -Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*. +Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*. In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers. @@ -164,7 +164,7 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr 3. In the search results, select the computers, right-click the selection, and then select **Change Membership**. ![Select Change Membership to search for multiple computers in the UI.](images/waas-wsus-fig9.png) - + 4. Select the **Ring 3 Broad IT** deployment ring, and then select **OK**. You can now see these computers in the **Ring 3 Broad IT** computer group. 
@@ -181,12 +181,12 @@ The WSUS Administration Console provides a friendly interface from which you can 1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then select **Computers**. ![Select Comptuers in the WSUS Administration Console.](images/waas-wsus-fig10.png) - + 2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then select **OK**. >[!NOTE] - >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back. - + >This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back. + Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting: **To configure client-side targeting** @@ -205,7 +205,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t 5. Right-click the **WSUS - Client Targeting - Ring 4 Broad Business Users** GPO, and then select **Edit**. ![Select the WSUS ring 4 and edit in group policy.](images/waas-wsus-fig11.png) - + 6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. 7. Right-click **Enable client-side targeting**, and then select **Edit**. @@ -221,7 +221,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t 10. Close the Group Policy Management Editor. -Now you're ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring. +Now you're ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring. **To scope the GPO to a group** 
@@ -232,8 +232,8 @@ Now you're ready to deploy this GPO to the correct computer security group for t 3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group. ![Remove the default AUTHENTICATED USERS security group in group policy.](images/waas-wsus-fig13.png) - -The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they'll be added to the **Ring 4 Broad Business Users** deployment ring. + +The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they'll be added to the **Ring 4 Broad Business Users** deployment ring. ## Automatically approve and deploy feature updates @@ -253,13 +253,13 @@ This example uses Windows 10, but the process is the same for Windows 11. 3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes. ![Select the update and deadline check boxes in the WSUS Administration Console.](images/waas-wsus-fig14.png) - + 4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then select **OK**. 5. In the **Edit the properties area**, select the **any product** link. Clear all check boxes except **Windows 10**, and then select **OK**. Windows 10 is under All Products\Microsoft\Windows. - + 6. In the **Edit the properties** area, select the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then select **OK**. 7. Leave the deadline set for **7 days after the approval at 3:00 AM**. 
@@ -267,7 +267,7 @@ This example uses Windows 10, but the process is the same for Windows 11. 8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then select **OK**. ![Enter the ring 3 deployment name.](images/waas-wsus-fig15.png) - + 9. In the **Automatic Approvals** dialog box, select **OK**. >[!NOTE] @@ -285,7 +285,7 @@ You can manually approve updates and set deadlines for installation within the W To simplify the manual approval process, start by creating a software update view that contains only Windows 10 (in this example) updates. The process is the same for Windows 11 updates. > [!NOTE] -> If you approve more than one feature update for a computer, an error can result with the client. Approve only one feature update per computer. +> If you approve more than one feature update for a computer, an error can result with the client. Approve only one feature update per computer. **To approve and deploy feature updates manually** @@ -298,7 +298,7 @@ To simplify the manual approval process, start by creating a software update vie 4. Under **Step 2: Edit the properties**, select **any product**. Clear all check boxes except **Windows 10**, and then select **OK**. Windows 10 is under All Products\Microsoft\Windows. - + 5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then select **OK**. ![Enter All Windows 10 Upgrades for the name in the WSUS admin console.](images/waas-wsus-fig16.png) 
@@ -309,21 +309,21 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s 2. Right-click the feature update you want to deploy, and then select **Approve**. - ![Approve the feature you want to deploy in WSUS admin console.](images/waas-wsus-fig17.png) - + ![Approve the feature you want to deploy in WSUS admin console.](images/waas-wsus-fig17.png) + 3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**. - ![Select Approve for install in the WSUS admin console.](images/waas-wsus-fig18.png) - -4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Deadline**, select **One Week**, and then select **OK**. + ![Select Approve for install in the WSUS admin console.](images/waas-wsus-fig18.png) + +4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Deadline**, select **One Week**, and then select **OK**. + + ![Select a one week deadline in the WSUS admin console.](images/waas-wsus-fig19.png) - ![Select a one week deadline in the WSUS admin console.](images/waas-wsus-fig19.png) - 5. If the **Microsoft Software License Terms** dialog box opens, select **Accept**. If the deployment is successful, you should receive a successful progress report. - - ![A sample successful deployment.](images/waas-wsus-fig20.png) + + ![A sample successful deployment.](images/waas-wsus-fig20.png) 6. In the **Approval Progress** dialog box, select **Close**. diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 29f2ef945c..b1fbf52b12 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md 
@@ -1,6 +1,6 @@
 ---
 title: Windows Update client policies
-manager: aaroncz
+manager: bpardi
 description: Learn how Windows Update client policies let you manage when devices receive updates from Windows Update.
 ms.service: windows-client
 ms.subservice: itpro-updates
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 08bf12a6af..9771f4d928 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -6,7 +6,7 @@ ms.subservice: itpro-updates
 ms.topic: overview
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.localizationpriority: medium
 ms.collection:
 - highpri
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index f3cec00f34..a09dfcfed5 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -6,7 +6,7 @@ ms.subservice: itpro-updates
 ms.topic: article
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.localizationpriority: high
 appliesto:
 - ✅ Windows 11
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 55239f12f7..fedfd5634d 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -6,7 +6,7 @@ ms.subservice: itpro-updates
 ms.topic: how-to
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.collection:
 - highpri
 - tier2
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 03cdf677fb..01cd40364a 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -6,22 +6,22 @@ ms.subservice: itpro-updates
 ms.topic: how-to
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.localizationpriority: medium
-appliesto:
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 12/31/2017
 ---
 # Assign devices to servicing channels for Windows updates
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 >[!TIP]
 >If you're not familiar with the servicing or release channels, read [Servicing Channels](waas-overview.md#servicing-channels) first.
-The General Availability Channel is the default servicing channel for all Windows 10 and Windows 11 devices except devices with the LTSC edition installed. The following table shows the servicing channels available to each edition.
+The General Availability Channel is the default servicing channel for all Windows 10 and Windows 11 devices except devices with the LTSC edition installed. The following table shows the servicing channels available to each edition.
 | Edition | General Availability Channel | Long-Term Servicing Channel | Insider Program |
 | --- | --- | --- | --- |
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index c71b2ef12d..d6da791ad0 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -6,7 +6,7 @@ ms.subservice: itpro-updates
 ms.topic: how-to
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.localizationpriority: medium
 appliesto:
 - ✅ Windows 11
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 949719191b..4854952fd4 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -6,14 +6,14 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.collection:
 - highpri
 - tier2
 ms.localizationpriority: medium
-appliesto:
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 12/27/2024
 ---
@@ -61,7 +61,7 @@ For additional settings that configure when feature and quality updates are rece
 Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client searches this service for updates that apply to the computers on your network.
-To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values:
+To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values:
 - The server from which the Automatic Updates client detects and downloads updates
 - The server to which updated workstations upload statistics
 You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
@@ -166,9 +166,9 @@ Under **Computer Configuration\Administrative Templates\Windows Components\Windo **4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation). -**5 - Allow local admin to choose setting** - With this option, local administrators are allowed to use the settings app to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates. This option isn't available in any Windows 10 or later versions. +**5 - Allow local admin to choose setting** - With this option, local administrators are allowed to use the settings app to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates. This option isn't available in any Windows 10 or later versions. -**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they are downloaded, then users are notified that updates are ready to be installed. Once updates are installed, a notification is displayed to users to restart the device. +**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they are downloaded, then users are notified that updates are ready to be installed. Once updates are installed, a notification is displayed to users to restart the device. If this setting is set to **Disabled**, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**. 
@@ -266,10 +266,10 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ ## Display organization name in Windows Update notifications -When Windows 11 clients are associated with a Microsoft Entra tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update client policies, the user notification displays a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11. - +When Windows 11 clients are associated with a Microsoft Entra tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update client policies, the user notification displays a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11. + The organization name appears automatically for Windows 11 clients that are associated with Microsoft Entra ID in any of the following ways: -- [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) +- [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) - [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) - [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) 
@@ -279,13 +279,13 @@ To disable displaying the organization name in Windows Update notifications, add - **DWORD value name**: UsoDisableAADJAttribution - **Value data:** 1 -The following PowerShell script is provided as an example to you: +The following PowerShell script is provided as an example to you: ```powershell $registryPath = "HKLM:\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations" $Name = "UsoDisableAADJAttribution" -$value = "1" +$value = "1" -if (!(Test-Path $registryPath)) +if (!(Test-Path $registryPath)) { New-Item -Path $registryPath -Force | Out-Null } @@ -296,7 +296,7 @@ New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWO ## Allow Windows updates to install before initial user sign-in *(Starting in Windows 11, version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update)* -On new devices, Windows Update doesn't begin installing background updates until a user has completed the Out of Box Experience (OOBE) and signs in for the first time. In many cases, the user signs in immediately after completing the OOBE. However, some VM-based solutions provision a device and automate the first user experience. These VMs may not be immediately assigned to a user so they won't see an initial sign-in until several days later. +On new devices, Windows Update doesn't begin installing background updates until a user has completed the Out of Box Experience (OOBE) and signs in for the first time. In many cases, the user signs in immediately after completing the OOBE. However, some VM-based solutions provision a device and automate the first user experience. These VMs may not be immediately assigned to a user so they won't see an initial sign-in until several days later. In scenarios where initial sign-in is delayed, setting the following registry values allow devices to begin background update work before a user first signs in: 
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index bf4db941d8..be9b7d66e3 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -6,7 +6,7 @@ ms.subservice: itpro-updates
 ms.topic: how-to
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.localizationpriority: medium
 appliesto:
 - ✅ Windows 11
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index fdfeb35b4e..005e3ac239 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -3,7 +3,7 @@ title: Configure Windows Update client policies via Group Policy
 description: Walk through of how to configure Windows Update client policies using Group Policy to update devices.
 ms.service: windows-client
 ms.subservice: itpro-updates
-manager: aaroncz
+manager: bpardi
 ms.topic: how-to
 author: mestew
 ms.localizationpriority: medium
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index f5d53887cf..811d95c567 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -6,17 +6,17 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.localizationpriority: medium
-appliesto:
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 09/18/2018
 ---
 # Windows Update error codes by component
-This section lists the error codes for Microsoft Windows Update.
+This section lists the error codes for Microsoft Windows Update.
 ## Automatic Update Errors
@@ -65,7 +65,7 @@ This section lists the error codes for Microsoft Windows Update. | `0x8024E006` | `WU_E_EE_INVALID_ATTRIBUTEDATA` | An expression evaluator operation couldn't be completed because there was an invalid attribute. | | `0x8024E007` | `WU_E_EE_CLUSTER_ERROR` | An expression evaluator operation couldn't be completed because the cluster state of the computer couldn't be determined. | | `0x8024EFFF` | `WU_E_EE_UNEXPECTED` | There was an expression evaluator error not covered by another `WU_E_EE_*` error code. | - + ## Reporter errors | Error code | Message | Description | @@ -80,7 +80,7 @@ This section lists the error codes for Microsoft Windows Update. | `0x8024FFFF` | `WU_E_REPORTER_UNEXPECTED` | There was a reporter error not covered by another error code. | ## Redirector errors -The components that download the `Wuredir.cab` file and then parse the `Wuredir.cab` file generate the following errors. +The components that download the `Wuredir.cab` file and then parse the `Wuredir.cab` file generate the following errors. | Error code | Message | Description | |----------- |------------------------------|------------------------------------------------------------------------------------------| @@ -90,7 +90,7 @@ The components that download the `Wuredir.cab` file and then parse the `Wuredir. | `0x80245FFF` | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. | ## Protocol Talker errors -The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. These errors are obtained when the `CClientWebService` object calls the `GetClientError()` method. +The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. These errors are obtained when the `CClientWebService` object calls the `GetClientError()` method. | Error code | Message | Description | 
@@ -240,7 +240,7 @@ The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These | `0x80248FFF` | `WU_E_DS_UNEXPECTED` | A data store error not covered by another `WU_E_DS_*` code. | ## Driver Util errors -The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This isn't a fatal error, and the device is merely skipped. +The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This isn't a fatal error, and the device is merely skipped. | Error code | Message | Description | |------------|-------------------------------|------------------------------------------------------------------------------------------------| 
@@ -276,12 +276,12 @@ The PnP enumerated device is removed from the System Spec because one of the har | `0x80240010` | `WU_E_TOO_DEEP_RELATION` | Update relationships too deep to evaluate were evaluated. | `0x80240011` | `WU_E_INVALID_RELATIONSHIP` | An invalid update relationship was detected. | `0x80240012` | `WU_E_REG_VALUE_INVALID` | An invalid registry value was read. -| `0x80240013` | `WU_E_DUPLICATE_ITEM` | Operation tried to add a duplicate item to a list. +| `0x80240013` | `WU_E_DUPLICATE_ITEM` | Operation tried to add a duplicate item to a list. | `0x80240016` | `WU_E_INSTALL_NOT_ALLOWED` | Operation tried to install while another installation was in progress or the system was pending a mandatory restart. | `0x80240017` | `WU_E_NOT_APPLICABLE` | Operation wasn't performed because there are no applicable updates. | `0x80240018` | `WU_E_NO_USERTOKEN` | Operation failed because a required user token is missing. | `0x80240019` | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update can't be installed with other updates at the same time. -| `0x8024001A` | `WU_E_POLICY_NOT_SET` | A policy value wasn't set. +| `0x8024001A` | `WU_E_POLICY_NOT_SET` | A policy value wasn't set. | `0x8024001B` | `WU_E_SELFUPDATE_IN_PROGRESS` | The operation couldn't be performed because the Windows Update Agent is self-updating. | `0x8024001D` | `WU_E_INVALID_UPDATE` | An update contains invalid metadata. | `0x8024001E` | `WU_E_SERVICE_STOP` | Operation didn't complete because the service or system was being shut down. 
@@ -293,7 +293,7 @@ The PnP enumerated device is removed from the System Spec because one of the har | `0x80240024` | `WU_E_NO_UPDATE` | There are no updates. | `0x80240025` | `WU_E_USER_ACCESS_DISABLED` | Group Policy settings prevented access to Windows Update. | `0x80240026` | `WU_E_INVALID_UPDATE_TYPE` | The type of update is invalid. -| `0x80240027` | `WU_E_URL_TOO_LONG` | The URL exceeded the maximum length. +| `0x80240027` | `WU_E_URL_TOO_LONG` | The URL exceeded the maximum length. | `0x80240028` | `WU_E_UNINSTALL_NOT_ALLOWED` | The update couldn't be uninstalled because the request didn't originate from a WSUS server. | `0x80240029` | `WU_E_INVALID_PRODUCT_LICENSE` | Search may have missed some updates before there's an unlicensed application on the system. | `0x8024002A` | `WU_E_MISSING_HANDLER` | A component required to detect applicable updates was missing. @@ -333,7 +333,7 @@ The PnP enumerated device is removed from the System Spec because one of the har | `0x00240008` | `WU_S_ALREADY_DOWNLOADED` | The update to be downloaded has already been downloaded. | ## Windows Installer minor errors -The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they're related to Windows Installer. +The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they're related to Windows Installer. | Error code | Message | Description | |------------|------------------------------|---------------------------------------------------------------------------------------------| 
@@ -342,7 +342,7 @@ The following errors are used to indicate that part of a search fails because of | `0x80241003` | `WU_E_MSP_DISABLED` | Search may have missed some updates because policy has disabled Windows Installer patching. | | `0x80241004` | `WU_E_MSI_WRONG_APP_CONTEXT` | An update couldn't be applied because the application is installed per-user. | | `0x80241FFF` | `WU_E_MSP_UNEXPECTED` | Search may have missed some updates because there was a failure of the Windows Installer. | - + ## Windows Update Agent update and setup errors | Error code | Message | Description | diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index 1bd05f13ec..c5e483557b 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -6,7 +6,7 @@ ms.subservice: itpro-updates ms.topic: reference author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.collection: - highpri - tier2 diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md index 55cf4cf9e5..d069c1816c 100644 --- a/windows/deployment/update/windows-update-overview.md +++ b/windows/deployment/update/windows-update-overview.md @@ -6,10 +6,10 @@ ms.subservice: itpro-updates ms.topic: get-started author: mestew ms.author: mstewart -manager: aaroncz -appliesto: +manager: bpardi +appliesto: - ✅ Windows 11 -- ✅ Windows 10 +- ✅ Windows 10 ms.date: 09/18/2018 --- 
@@ -17,7 +17,7 @@ ms.date: 09/18/2018 >Applies to: Windows 10 -With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, client devices for all Windows-based operating systems, for everything from monthly quality updates to new feature updates. +With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, client devices for all Windows-based operating systems, for everything from monthly quality updates to new feature updates. Use the following information to get started with Windows Update: 
@@ -29,30 +29,30 @@ Use the following information to get started with Windows Update: - Review [other resources](/troubleshoot/windows-client/deployment/additional-resources-for-windows-update) to help you use Windows Update - Review [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) section of Microsoft Blogs. -## Unified Update Platform (UUP) architecture -To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. +## Unified Update Platform (UUP) architecture +To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. ![Windows Update terminology.](images/update-terminology.png) -- **Update UI** - The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. -- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. +- **Update UI** - The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. +- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. - Update types- - - OS Feature updates - - OS Security updates - - Device drivers - - Defender definition updates + Update types- + - OS Feature updates + - OS Security updates + - Device drivers + - Defender definition updates >[!NOTE] > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update. > - >Store apps aren't installed by USO, today they are separate. + >Store apps aren't installed by USO, today they are separate. -- **Windows Update Client/ UpdateAgent** - The component running on your PC. 
It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. -- **Windows Update Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. -- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS. - -Additional components include the following- +- **Windows Update Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. +- **Windows Update Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. +- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS. -- **CompDB** - A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules. -- **Action List** - The payload and additional information needed to perform an update. 
The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages. +Additional components include the following- + +- **CompDB** - A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules. +- **Action List** - The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages. diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md index 7ae6ec0103..de179e4066 100644 --- a/windows/deployment/update/windows-update-security.md +++ b/windows/deployment/update/windows-update-security.md @@ -1,15 +1,15 @@ --- title: Windows Update security -manager: aaroncz +manager: bpardi description: Overview of the security for Windows Update including security for the metadata exchange and content download. ms.service: windows-client ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -appliesto: +appliesto: - ✅ Windows 11 -- ✅ Windows 10 +- ✅ Windows 10 ms.date: 08/15/2024 --- 
@@ -45,7 +45,7 @@ Regardless of which method is used to download the content, the resulting files When Windows Update scans for updates, it goes through a series of metadata exchanges between the device and Windows Update servers. This exchange is done using HTTPS (HTTP over TLS). These secured connections are certificate-pinned, ensuring that: -- The TLS connection's server certificate is validated (certificate trust, expiry, revocation, SAN entries, etc.) +- The TLS connection's server certificate is validated (certificate trust, expiry, revocation, SAN entries, etc.) - The certificate's issuer is validated as genuine Microsoft Windows Update The connection fails if the issuer is unexpected, or not a valid Windows Update intermediate certificate. Certificate pinning ensures that the device is connecting to legitimate Microsoft servers and prevents man-in-the-middle attacks. diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index 799c85f710..ae62a06d24 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -7,7 +7,7 @@ ms.topic: article author: mestew ms.localizationpriority: medium ms.author: mstewart -manager: aaroncz +manager: bpardi appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md index ee1df9351e..3367918cc2 100644 --- a/windows/deployment/update/wufb-reports-admin-center.md +++ b/windows/deployment/update/wufb-reports-admin-center.md @@ -1,7 +1,7 @@ --- title: Microsoft 365 admin center software updates page titleSuffix: Windows Update for Business reports -manager: aaroncz +manager: bpardi description: Microsoft admin center populates Windows Update for Business reports data into the software updates page. ms.service: windows-client ms.subservice: itpro-updates 
@@ -9,11 +9,11 @@ ms.topic: article author: mestew ms.author: mstewart ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 -- ✅ Windows 10 -- ✅ Windows Update for Business reports -- ✅ Microsoft 365 admin center +- ✅ Windows 10 +- ✅ Windows Update for Business reports +- ✅ Microsoft 365 admin center ms.date: 05/08/2024 --- @@ -36,7 +36,7 @@ Windows Update for Business reports is a Windows service hosted in Azure that us ## Get started -After verifying that you've met the [prerequisites and permissions](wufb-reports-prerequisites.md) for Windows Update for Business reports, enroll using the instructions below if needed: +After verifying that you've met the [prerequisites and permissions](wufb-reports-prerequisites.md) for Windows Update for Business reports, enroll using the instructions below if needed: [!INCLUDE [Onboarding Windows Update for Business reports through the Microsoft 365 admin center](./includes/wufb-reports-onboard-admin-center.md)] diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md index 555bab68e4..6f2be0c3d1 100644 --- a/windows/deployment/update/wufb-reports-configuration-intune.md +++ b/windows/deployment/update/wufb-reports-configuration-intune.md @@ -7,9 +7,9 @@ ms.subservice: itpro-updates ms.topic: how-to author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 and Windows 10 devices managed by Microsoft Intune ms.date: 03/08/2023 --- 
@@ -56,7 +56,7 @@ Create a configuration profile that will set the required policies for Windows U - **Setting**: Configure Telemetry Opt In Change Notification - **Value**: Disabled - By turning this setting on, you're disabling notifications of diagnostic data changes. - + - **Setting**: Allow device name to be sent in Windows diagnostic data - **Value**: Allowed - If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports. 
@@ -75,19 +75,19 @@ Create a configuration profile that will set the required policies for Windows U 1. You're now on the Configuration profile creation screen. On the **Basics** tab, provide a **Name** and **Description**. 1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md). - **Required settings**: + **Required settings**: 1. Add a setting configuring the **Windows Diagnostic Data level** for devices: - **Name**: Allow Telemetry - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Windows Update for Business reports. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` - **Data type**: Integer - - **Value**: 1 + - **Value**: 1 - *1 is the minimum value meaning required or basic diagnostic data, but it can be safely set to a higher value.* **Recommended settings, but not required**: - 1. Add settings for **Disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports: + 1. Add settings for **Disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports: - **Name**: Disable Telemetry opt-in interface - **Description**: Disables the ability for end users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` 
@@ -99,7 +99,7 @@ Create a configuration profile that will set the required policies for Windows U - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` - **Data type**: Integer - **Value**: 1 - 1. Add a setting to **Configure Telemetry Opt In Change Notification**. Diagnostic data opt-in change notifications won't appear when changes occur. + 1. Add a setting to **Configure Telemetry Opt In Change Notification**. Diagnostic data opt-in change notifications won't appear when changes occur. - **Name**: Configure Telemetry Opt In Change Notification - **Description**: Disables Telemetry Opt In Change Notification - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInChangeNotification` 
@@ -114,7 +114,7 @@ Create a configuration profile that will set the required policies for Windows U The [Windows Update for Business reports Configuration Script](wufb-reports-configuration-script.md) is a useful tool for properly enrolling devices in Windows Update for Business reports, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). > [!NOTE] -> Using the script is optional when configuring devices through Intune. The script can be leveraged as a troubleshooting tool to ensure that devices are properly configured for Windows Update for Business reports. +> Using the script is optional when configuring devices through Intune. The script can be leveraged as a troubleshooting tool to ensure that devices are properly configured for Windows Update for Business reports. When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a subset of devices that you can access. After following this guidance, you can deploy the configuration script in deployment mode as a Win32 app to all Windows Update for Business reports devices. diff --git a/windows/deployment/update/wufb-reports-configuration-manual.md b/windows/deployment/update/wufb-reports-configuration-manual.md index 5cbf3748b6..64f4a16d46 100644 --- a/windows/deployment/update/wufb-reports-configuration-manual.md +++ b/windows/deployment/update/wufb-reports-configuration-manual.md 
@@ -7,11 +7,11 @@ ms.subservice: itpro-updates
 ms.topic: how-to
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.localizationpriority: medium
-appliesto:
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 07/09/2024
 ---
diff --git a/windows/deployment/update/wufb-reports-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md
index 8452c0087f..a04421c2ec 100644
--- a/windows/deployment/update/wufb-reports-configuration-script.md
+++ b/windows/deployment/update/wufb-reports-configuration-script.md
@@ -7,11 +7,11 @@ ms.subservice: itpro-updates
 ms.topic: article
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.localizationpriority: medium
-appliesto:
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 07/09/2024
 ---
@@ -22,7 +22,7 @@ The Windows Update for Business reports configuration script is the recommended ## About the script -The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script doesn't reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md), device data might not appear in Windows Update for Business reports correctly. +The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script doesn't reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md), device data might not appear in Windows Update for Business reports correctly. You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). @@ -43,7 +43,7 @@ Edit the `RunConfig.bat` file to configure the following variables, then run the | logPath | Path where the logs are saved. The default location of the logs is `.\UCLogs`.| `logPath=C:\temp\logs` | | logMode | **0**: Log to the console only
**1** (default): Log to file and console.
**2**: Log to file only. | `logMode=2` | | DeviceNameOptIn | **true** (default): Device name is sent to Microsoft.
**false**: Device name isn't sent to Microsoft. | `DeviceNameOptIn=true` | -| ClientProxy | **Direct** (default): No proxy is used. The connection to the endpoints is direct.
**System**: The system proxy, without authentication, is used. This type of proxy is typically configured with [netsh](/windows-server/networking/technologies/netsh/netsh-contexts) and can be verified using `netsh winhttp show proxy`.
**User**: The proxy is configured through IE and it might or might not require user authentication.

For more information, see [How the Windows Update client determines which proxy server to use to connect to the Windows Update website](https://support.microsoft.com/en-us/topic/how-the-windows-update-client-determines-which-proxy-server-to-use-to-connect-to-the-windows-update-website-08612ae5-3722-886c-f1e1-d012516c22a1) | `ClientProxy=Direct` | +| ClientProxy | **Direct** (default): No proxy is used. The connection to the endpoints is direct.
**System**: The system proxy, without authentication, is used. This type of proxy is typically configured with [netsh](/windows-server/networking/technologies/netsh/netsh-contexts) and can be verified using `netsh winhttp show proxy`.
**User**: The proxy is configured through IE and it might or might not require user authentication.

For more information, see [How the Windows Update client determines which proxy server to use to connect to the Windows Update website](https://support.microsoft.com/en-us/topic/how-the-windows-update-client-determines-which-proxy-server-to-use-to-connect-to-the-windows-update-website-08612ae5-3722-886c-f1e1-d012516c22a1) | `ClientProxy=Direct` | | source | Used by the .bat file and PowerShell script to locate dependencies. It's recommended that you don't change this value. | `source=%~dp0` | diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index cef5beedc7..bb35bf803a 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md @@ -1,17 +1,17 @@ --- title: Delivery Optimization data in reports titleSuffix: Windows Update for Business reports -description: This article provides information about Delivery Optimization data in Windows Update for Business reports. +description: This article provides information about Delivery Optimization data in Windows Update for Business reports. ms.service: windows-client ms.subservice: itpro-updates ms.topic: article author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 -- ✅ Windows 10 +- ✅ Windows 10 ms.date: 09/03/2024 --- @@ -37,7 +37,7 @@ Windows Update for Business reports uses the following Delivery Optimization ter - LAN (1) - Group (2) - Internet (3) - + - **Peering 'OFF'**: Devices where DO peer-to-peer is disabled, set to one of the following modes: - HTTP Only (0) - Simple Mode (99) 
@@ -139,10 +139,10 @@ The following query is used to display the Top 10 GroupIDs: ```kusto UCDOStatus | where TimeGenerated == _SnapshotTime | summarize sum(BytesFromCDN) , sum(BytesFromGroupPeers) , sum(BytesFromPeers) , sum(BytesFromCache) , -DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount desc +DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount desc | extend TotalBytes = (sum_BytesFromPeers + sum_BytesFromGroupPeers+sum_BytesFromCDN+sum_BytesFromCache) -| extend P2PPercentage = ((0.0 + sum_BytesFromPeers + sum_BytesFromGroupPeers)/TotalBytes ) * 100.0 -| extend MCCPercentage = ((0.0 + sum_BytesFromCache)/ TotalBytes) * 100.0 , +| extend P2PPercentage = ((0.0 + sum_BytesFromPeers + sum_BytesFromGroupPeers)/TotalBytes ) * 100.0 +| extend MCCPercentage = ((0.0 + sum_BytesFromCache)/ TotalBytes) * 100.0 , VolumeBytesFromPeers = sum_BytesFromPeers + sum_BytesFromGroupPeers | extend VolumeBytesFromMCC = sum_BytesFromCache , VolumeByCDN = sum_BytesFromCDN | project GroupID , P2PPercentage , MCCPercentage , VolumeBytesFromPeers , VolumeBytesFromMCC ,VolumeByCDN , DeviceCount 
@@ -164,7 +164,7 @@ There are many Microsoft [content types](waas-delivery-optimization.md#types-of-
 ## Frequency Asked Questions
 - **What time period does the Delivery Optimization data include?**
-Data is generated/aggregated for the last 28 days for active devices. For Delivery Optimization data to register in the report, the device must have performed some Delivery Optimization action in the 28-day rolling window. This includes device configuration information.
+Data is generated/aggregated for the last 28 days for active devices. For Delivery Optimization data to register in the report, the device must have performed some Delivery Optimization action in the 28-day rolling window. This includes device configuration information.
 - **Data is showing as 'Unknown', what does that mean?**
 You may see data in the report listed as 'Unknown'. This status indicates that the Delivery Optimization DownloadMode setting is either invalid or empty.
diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md
index 0deac75ed2..6b15537bfb 100644
--- a/windows/deployment/update/wufb-reports-enable.md
+++ b/windows/deployment/update/wufb-reports-enable.md
@@ -7,10 +7,10 @@ ms.subservice: itpro-updates
 ms.topic: how-to
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 07/09/2024
 ---
@@ -69,7 +69,7 @@ Enroll into Windows Update for Business reports by configuring its settings thro
 > [!Tip]
 > If a `403 Forbidden` error occurs, verify the account you're using has [permissions](wufb-reports-prerequisites.md#permissions) to enroll into Windows Update for Business reports.
 1. The initial setup can take up to 24 hours. During this time, the workbook will display that it's **Waiting for Windows Update for Business reports data**.
- - Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it takes before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
+ - Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it takes before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
 ##### Enroll through the Microsoft 365 admin center
diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml
index 0583d74808..6ad9b1965a 100644
--- a/windows/deployment/update/wufb-reports-faq.yml
+++ b/windows/deployment/update/wufb-reports-faq.yml
@@ -6,7 +6,7 @@ metadata:
 ms.service: windows-client
 ms.subservice: itpro-updates
 ms.topic: faq
- manager: aaroncz
+ manager: bpardi
 author: mestew
 ms.author: mstewart
 ms.date: 05/07/2024
diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md
index 868d704195..9a03922bbd 100644
--- a/windows/deployment/update/wufb-reports-help.md
+++ b/windows/deployment/update/wufb-reports-help.md
@@ -7,8 +7,8 @@ ms.subservice: itpro-updates
 ms.topic: troubleshooting-general
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
 ms.date: 07/09/2024
@@ -40,11 +40,11 @@ Use the product feedback option to offer suggestions for new features and functi You can open support requests directly from the Azure portal. If the **Help + Support** page doesn't display, verify you have access to open support requests. For more information about role-based access controls for support requests, see [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request). To create a new support request for Windows Update for Business reports: -1. Open the **Help + Support** page from the following locations: +1. Open the **Help + Support** page from the following locations: - In the [Send product feedback](#send-product-feedback) flyout, select the **contact support** link. - From the Azure portal, select **New support request** under the **Support + Troubleshooting** heading. -1. Select **Create a support request**, which opens the new support request page. -1. On the **Problem description** tab, provide information about the issue. The following items in ***bold italics*** should be used to help ensure a Windows Update for Business reports engineer receives your support request: +1. Select **Create a support request**, which opens the new support request page. +1. On the **Problem description** tab, provide information about the issue. The following items in ***bold italics*** should be used to help ensure a Windows Update for Business reports engineer receives your support request: - **Summary** - Brief description of the issue - **Issue type** - ***Technical*** - **Subscription** - Select the subscription used for Windows Update for Business reports diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md index 38119098c0..9ccc999e4c 100644 --- a/windows/deployment/update/wufb-reports-overview.md +++ b/windows/deployment/update/wufb-reports-overview.md 
@@ -7,7 +7,7 @@ ms.subservice: itpro-updates
 ms.topic: overview
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index 5878b42548..4d38e0bdcf 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -7,10 +7,10 @@ ms.subservice: itpro-updates
 ms.topic: article
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 06/04/2024
 ---
@@ -52,9 +52,9 @@ Windows Update for Business reports supports Windows client devices on the follo
 ## Windows operating system updates for client devices
-Installing the February 2023 cumulative update, or a later equivalent update, is required for clients to enroll into Windows Update for Business reports. This update helped enable [changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), which Windows Update for Business reports relies on.
+Installing the February 2023 cumulative update, or a later equivalent update, is required for clients to enroll into Windows Update for Business reports. This update helped enable [changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), which Windows Update for Business reports relies on.
-For more information about available updates, see [Windows 11 release information](/windows/release-health/windows11-release-information) and [Windows 10 release information](/windows/release-health/release-information).
+For more information about available updates, see [Windows 11 release information](/windows/release-health/windows11-release-information) and [Windows 10 release information](/windows/release-health/release-information).
 ## Diagnostic data requirements
diff --git a/windows/deployment/update/wufb-reports-schema-enumerated-types.md b/windows/deployment/update/wufb-reports-schema-enumerated-types.md
index 5ce2780b48..fd59da2239 100644
--- a/windows/deployment/update/wufb-reports-schema-enumerated-types.md
+++ b/windows/deployment/update/wufb-reports-schema-enumerated-types.md
@@ -7,8 +7,8 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
 ms.date: 12/06/2023
@@ -30,7 +30,7 @@ SKU of Windows the device is running.
 | **ProfessionalN** | Similar to Windows Professional edition but doesn't include Windows media player. |
 | **Education** | Windows Education |
-## OSArchitecture
+## OSArchitecture
 Architecture of the OS running on the client.
@@ -40,7 +40,7 @@ Architecture of the OS running on the client.
 | **x86** | OS is 32-bit |
 | **Unknown** | The OS architecture is unknown |
-## OSFeatureUpdateStatus
+## OSFeatureUpdateStatus
 Feature updates status
@@ -50,7 +50,7 @@ Feature updates status
 | **InService** | Client is on a version of Windows 10 that is serviced. |
 | **EndOfService** | Client is on a version of Windows 10 that is no longer serviced. |
-## OSQualityUpdateStatus
+## OSQualityUpdateStatus
 Quality updates status
@@ -119,7 +119,7 @@ Lower-level service state
 | **ServicePaused** | Update is on hold because of an automatic action by the deployment service. |
 | **SafeguardHold** | Update isn't offered because an existing safeguard hold on the device. |
-## ClientState
+## ClientState
 High-level client state
@@ -136,7 +136,7 @@ High-level client state
 ## ClientSubstate
-Lower-level client state
+Lower-level client state
 |Value | Description |
 |---|---|
diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md
index a0c9a45bba..c713b26b04 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclient.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclient.md
@@ -7,8 +7,8 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
 ms.date: 03/12/2024
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
index e531090eff..bb4362a778 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
@@ -7,10 +7,10 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 12/06/2023
 ---
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index af30fb0d1b..5d0aeae92a 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -7,10 +7,10 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 12/06/2023
 ---
diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index 9a8a2cda3a..24784f27db 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -7,8 +7,8 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
 ms.date: 12/06/2023
diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
index 54de3d5647..274a16ece8 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
@@ -7,11 +7,11 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.reviewer: carmenf
-appliesto:
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 12/06/2023
 ---
diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
index ede39f076e..7db17f44f4 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdostatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
@@ -7,7 +7,7 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.reviewer: carmenf
 appliesto:
 - ✅ Windows 11
diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index 3c6a26b80c..c908ffb2db 100644
--- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -7,10 +7,10 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 12/06/2023
 ---
@@ -19,7 +19,7 @@ ms.date: 12/06/2023
 Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. This event has certain fields removed from it in favor of being able to show data in near real time.
 ## Schema for UCServiceUpdateStatus
-
+
 | Field |Type | Enumerated type |Example |Description |
 |---|---|---|---|---|
 | **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index c8239fc4a2..77d7552a2b 100644
--- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
@@ -7,10 +7,10 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 12/06/2023
 ---
diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md
index d87b64907c..2c789e2e28 100644
--- a/windows/deployment/update/wufb-reports-schema.md
+++ b/windows/deployment/update/wufb-reports-schema.md
@@ -7,10 +7,10 @@ ms.subservice: itpro-updates
 ms.topic: reference
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 12/06/2023
 ---
diff --git a/windows/deployment/update/wufb-reports-use.md b/windows/deployment/update/wufb-reports-use.md
index 4f96164a1b..6f54bffeab 100644
--- a/windows/deployment/update/wufb-reports-use.md
+++ b/windows/deployment/update/wufb-reports-use.md
@@ -7,10 +7,10 @@ ms.subservice: itpro-updates
 ms.topic: how-to
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 ms.date: 11/15/2022
 ---
@@ -20,7 +20,7 @@ In this article, you'll learn how to use Windows Update for Business reports to
 ## Display Windows Update for Business reports data
-1. Sign into the [Azure portal](https://portal.azure.com).
+1. Sign into the [Azure portal](https://portal.azure.com).
 1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input.
 1. Select **Log Analytics workspaces**.
 1. Select the workspace that you use for Windows Update for Business reports.
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md
index ba85a80f98..b39cc14f27 100644
--- a/windows/deployment/update/wufb-reports-workbook.md
+++ b/windows/deployment/update/wufb-reports-workbook.md
@@ -7,8 +7,8 @@ ms.subservice: itpro-updates
 ms.topic: how-to
 author: mestew
 ms.author: mstewart
-manager: aaroncz
-appliesto:
+manager: bpardi
+appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
 ms.date: 01/29/2024
@@ -62,7 +62,7 @@ The charts displayed in the **Summary** tab give you a general idea of the overa
 - **Overall security update status**: Gives you general insight into of the current update compliance state of your enrolled devices. For instance, if the chart shows a large number of devices are missing multiple security updates, it may indicate an issue in the software update process.
 - **Feature update status**: Gives you a general understanding of how many devices are eligible for feature updates based on the operating system lifecycle.
-
+
 :::image type="content" source="media/33771278-overall-security-update-status.png" alt-text="Screenshot of the charts in the workbook's summary tab" lightbox="media/33771278-overall-security-update-status.png":::
 ## Quality updates tab
@@ -71,7 +71,7 @@ The **Quality updates** tab displays generalized data at the top by using tiles. | Tile name | Description | Drill-in description | |---|---|---| -|**Latest security update**| Count of devices that have reported successful installation of the latest security update. | - Select **View details** to display a flyout with a chart that displays the first 1000 items.
- Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | +|**Latest security update**| Count of devices that have reported successful installation of the latest security update. | - Select **View details** to display a flyout with a chart that displays the first 1000 items.
- Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | | **Missing one security update** | Count of devices that haven't installed the latest security update.| - Select **View details** to display a flyout with a chart that displays the first 1000 items.
- Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).| | **Missing multiple security updates** | Count of devices that are missing two or more security updates. | - Select **View details** to display a flyout with a chart that displays the first 1000 items.
- Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | | **Active alerts** | Count of active update and device alerts for quality updates. | | @@ -91,7 +91,7 @@ The **Update deployment status** table displays the quality updates for each ope | Column name | Description | Drill-in description | |---|---|---| -|**Alerts**| Number of different error codes encountered by devices for the update. | Selecting this number lists the alert name for each error code and a count of devices with the error. Select the device count to display a list of devices that have an active alert for the error code. +|**Alerts**| Number of different error codes encountered by devices for the update. | Selecting this number lists the alert name for each error code and a count of devices with the error. Select the device count to display a list of devices that have an active alert for the error code. | **KB Number** | KB number for the update | Selecting the KB number will open the support information webpage for the update.| | **Total devices** | Number of devices that have been offered the update, or are installing, have installed, or canceled the update. | Selecting the device count opens a device list table. This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). | diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md index d320df4f52..47d1366ab1 100644 --- a/windows/deployment/update/wufb-wsus.md +++ b/windows/deployment/update/wufb-wsus.md @@ -6,7 +6,7 @@ ms.subservice: itpro-updates ms.topic: how-to author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: medium appliesto: - ✅ Windows 11 
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 34fd512807..0e3f3e23be 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -3,7 +3,7 @@ title: Log files and resolving upgrade errors
 description: Learn how to interpret and analyze the log files that are generated during the Windows upgrade process.
 ms.service: windows-client
 author: frankroj
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.localizationpriority: medium
 ms.topic: troubleshooting
diff --git a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
index 8b9ff49ed1..f80f33d87d 100644
--- a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md
@@ -1,6 +1,6 @@
 ---
 title: Resolve Windows upgrade errors - Windows IT Pro
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 description: Resolve Windows upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
 author: frankroj
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index b082524620..c7c89010c2 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -5,7 +5,7 @@ ms.reviewer: shendrix
 ms.service: windows-client
 ms.subservice: itpro-deploy
 author: frankroj
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.localizationpriority: medium
 ms.topic: troubleshooting
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index f1fc97e892..25f8f413c2 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -1,6 +1,6 @@
 ---
 title: Submit Windows upgrade errors using Feedback Hub
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 description: Download the Feedback Hub app, and then submit Windows upgrade errors for diagnosis using Feedback Hub.
 ms.service: windows-client
diff --git a/windows/deployment/upgrade/windows-edition-upgrades.md b/windows/deployment/upgrade/windows-edition-upgrades.md
index eea591bb03..3dcd3c720a 100644
--- a/windows/deployment/upgrade/windows-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-edition-upgrades.md
@@ -1,7 +1,7 @@
 ---
 title: Windows edition upgrade
 description: With Windows, you can quickly upgrade from one edition of Windows to another, provided the upgrade path is supported.
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 ms.localizationpriority: medium
@@ -129,7 +129,7 @@ If only a few devices are being upgraded devices, a product key for the upgraded
 1. In the **Run** window, next to **Open**, enter `ms-settings:activation`
-
+
 and then select **OK**.
 1. Select **Change product key**.
@@ -152,7 +152,7 @@ If you don't have a product key, you can upgrade your edition of Windows through
 1. In the **Run** window, next to **Open**, enter `ms-windows-store://windowsupgrade/`
-
+
 and then select **OK**.
 1. Follow the on-screen instructions.
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index d2da8a5c3d..d204be51e1 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -1,6 +1,6 @@
 ---
 title: Windows error reporting - Windows IT Pro
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 description: Learn how to review the events generated by Windows Error Reporting when something goes wrong during Windows 10 setup.
 ms.service: windows-client
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index e1d51e9ebd..7d41a77815 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Upgrade and Migration Considerations
 description: Discover the Microsoft tools that can be used to move files and settings between installations including special considerations for performing an upgrade or migration.
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md
index e8d3480151..c60653051f 100644
--- a/windows/deployment/upgrade/windows-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@@ -4,7 +4,7 @@ description: Upgrade to current versions of Windows from a previous version of W
 ms.service: windows-client
 ms.localizationpriority: medium
 author: frankroj
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.topic: upgrade-and-migration-article
 ms.collection:
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index 103b3e14b9..3a8564f64c 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -2,7 +2,7 @@
 title: User State Migration Tool (USMT) - Getting Started
 description: Plan, collect, and prepare the source computer for migration using the User State Migration Tool (USMT).
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index c6c0627a49..1934301352 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -2,7 +2,7 @@
 title: Migrate Application Settings
 description: Learn how to author a custom migration .xml file that migrates the settings of an application that isn't migrated by default using MigApp.xml.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index a8473748b7..bec414fa59 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -2,7 +2,7 @@
 title: Migration Store Types Overview
 description: Learn about the migration store types and how to determine which migration store type best suits the organization's needs.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index e60272da5f..1496e411b8 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -2,7 +2,7 @@
 title: Offline Migration Reference
 description: Offline migration enables the ScanState tool to run inside a different Windows OS than the Windows OS from which ScanState is gathering files and settings.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index fab9e7724b..becd523f57 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -2,7 +2,7 @@
 title: Understanding Migration XML Files
 description: Learn how to modify the behavior of a basic User State Migration Tool (USMT) migration by using XML files.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index 34fb82aa18..5cf6ae4e12 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -2,7 +2,7 @@
 title: USMT Best Practices
 description: This article discusses general and security-related best practices when using User State Migration Tool (USMT).
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 46f76521b8..17ee6d7e93 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -2,7 +2,7 @@
 title: Choose a Migration Store Type
 description: Learn how to choose a migration store type and estimate the amount of disk space needed for computers in the organization.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index cac5f93581..7681d63254 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -2,7 +2,7 @@
 title: User State Migration Tool (USMT) Command-line Syntax
 description: Learn about the User State Migration Tool (USMT) command-line syntax for using the **ScanState** tool, **LoadState** tool, and UsmtUtils tool.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index b81d59505e..082e9858fe 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -2,7 +2,7 @@
 title: Common Migration Scenarios
 description: See how the User State Migration Tool (USMT) is used when planning hardware and/or operating system upgrades.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index b0444cb0cd..8e13ed4b1a 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -2,7 +2,7 @@
 title: Config.xml File
 description: Learn how the Config.xml file is an optional User State Migration Tool (USMT) file that can be created using the /genconfig option with the ScanState.exe tool.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index c514ca0de2..1b749944d2 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -2,7 +2,7 @@
 title: Conflicts and Precedence
 description: In this article, learn how User State Migration Tool (USMT) deals with conflicts and precedence.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index ea5761cc5e..69e702b388 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -2,7 +2,7 @@
 title: Custom XML Examples
 description: Use custom XML examples to learn how to migrate an unsupported application, migrate files and registry keys, and migrate the Videos folder.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index 1c80db779b..cbea525df5 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -2,7 +2,7 @@
 title: Customize USMT XML Files
 description: Learn how to customize USMT XML files. Also, learn about the migration XML files that are included with USMT.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
index afad7e7d3d..fb34e2ea26 100644
--- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md
+++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
@@ -2,7 +2,7 @@
 title: Determine What to Migrate
 description: Determine migration settings for standard or customized for the User State Migration Tool (USMT).
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
index 0ebc0fc1de..0094327673 100644
--- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md
+++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
@@ -2,7 +2,7 @@
 title: Estimate Migration Store Size
 description: Estimate the disk space requirement for a migration so that the User State Migration Tool (USMT) can be used.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index 52a44c5d33..864ee7abf4 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -2,7 +2,7 @@
 title: Exclude Files and Settings
 description: In this article, learn how to exclude files and settings when creating a custom .xml file and a Config.xml file.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index 8f2d1c1196..49c3bc1d0a 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -2,7 +2,7 @@
 title: Extract Files from a Compressed USMT Migration Store
 description: In this article, learn how to extract files from a compressed User State Migration Tool (USMT) migration store.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml
index fb9a10a99e..b17fe6d128 100644
--- a/windows/deployment/usmt/usmt-faq.yml
+++ b/windows/deployment/usmt/usmt-faq.yml
@@ -7,7 +7,7 @@ metadata:
 ms.subservice: itpro-deploy
 author: frankroj
 ms.author: frankroj
- manager: aaroncz
+ manager: bpardi
 ms.mktglfcycl: deploy
 ms.sitesec: library
 audience: itpro
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index 146ed9bd56..7f7206ba1c 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -2,7 +2,7 @@
 title: General Conventions
 description: Learn about general XML guidelines and how to use XML helper functions in the XML Elements library to change migration behavior.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index 75a8d9fb1d..20d039aba7 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -2,7 +2,7 @@
 title: Hard-Link Migration Store
 description: Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index 49a7170f0c..a3fd5d2a81 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -2,7 +2,7 @@
 title: How USMT Works
 description: Learn how USMT works and how it includes two tools that migrate settings and data - ScanState and LoadState.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index 29114c8d6e..6baddb6988 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -2,7 +2,7 @@
 title: User State Migration Tool (USMT) How-to articles
 description: Reference the articles in this article to learn how to use User State Migration Tool (USMT) to perform specific tasks.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md
index 644d0c72b2..3e696e0933 100644
--- a/windows/deployment/usmt/usmt-identify-application-settings.md
+++ b/windows/deployment/usmt/usmt-identify-application-settings.md
@@ -2,7 +2,7 @@
 title: Identify Applications Settings
 description: Identify which applications and settings need to be migrated before using the User State Migration Tool (USMT).
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index 217fc28b31..2158e2c2e6 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -2,7 +2,7 @@
 title: Identify File Types, Files, and Folders
 description: Identify the file types, files, folders, and settings that need to be migrated when planning the migration.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
index b37083ce78..a765ccc6b0 100644
--- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md
+++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
@@ -2,7 +2,7 @@
 title: Identify Operating System Settings
 description: Identify which system settings need to be migrated. The User State Migration Tool (USMT) can then be used to select settings and keep the default values for all others.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index e72d3bab25..7a1892124c 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -2,7 +2,7 @@
 title: Identify Users
 description: Learn how to identify users that need to be migrated, and how to migrate local accounts and domain accounts.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md
index aa3a9e2593..524bea7f3d 100644
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md
@@ -2,7 +2,7 @@
 title: Include Files and Settings
 description: Specify the migration .xml files that are needed, then use the User State Migration Tool (USMT) to migrate the settings and components specified.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index cb3ee8ef8b..ea6c0afdd0 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -2,7 +2,7 @@
 title: LoadState Syntax
 description: Learn about the syntax and usage of the command-line options available when using the LoadState command.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index e015af4036..1f6ed9791b 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -2,7 +2,7 @@
 title: USMT Log Files
 description: Learn how to use User State Migration Tool (USMT) logs to monitor the migration and to troubleshoot errors and failed migrations.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index 9f896b125f..921f57459d 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -2,7 +2,7 @@
 title: Migrate EFS Files and Certificates
 description: Learn how to migrate Encrypting File System (EFS) certificates. Also, learn where to find information about how to identify file types, files, and folders.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index ba220bc251..612c768aef 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -2,7 +2,7 @@
 title: Migrate User Accounts
 description: Learn how to migrate user accounts and how to specify which users to include and exclude by using the User options on the command line.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md
index 0af8864e20..372b2cf594 100644
--- a/windows/deployment/usmt/usmt-migration-store-encryption.md
+++ b/windows/deployment/usmt/usmt-migration-store-encryption.md
@@ -2,7 +2,7 @@
 title: Migration Store Encryption
 description: Learn how the User State Migration Tool (USMT) enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES).
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index 0eaa678d6e..fbe01f87bd 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -5,7 +5,7 @@ ms.service: windows-client
 ms.subservice: itpro-deploy
 author: frankroj
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.date: 03/27/2025
 ms.topic: overview
diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md
index a75bc7ea90..570bec08bb 100644
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@@ -2,7 +2,7 @@
 title: Plan The Migration
 description: Learn how to plan the migration carefully so the migration can proceed smoothly and so that the risk of migration failure is reduced.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index c626ac56fe..4fddca1594 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -4,7 +4,7 @@ description: Learn how to use environment variables to identify folders that can
 ms.service: windows-client
 ms.subservice: itpro-deploy
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 author: frankroj
 ms.date: 01/29/2025
diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md
index a5e4eea126..55d8bb2fa1 100644
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -2,7 +2,7 @@
 title: User State Migration Toolkit (USMT) Reference
 description: Use this User State Migration Toolkit (USMT) article to learn details about USMT, like operating system, hardware, and software requirements, and user prerequisites.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index fb0d5ddf48..315fe8423d 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -2,7 +2,7 @@
 title: USMT Requirements
 description: While the User State Migration Tool (USMT) doesn't have many requirements, these tips and tricks can help smooth the migration process.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index 8cbda2d6c9..a3e1310a7d 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -2,7 +2,7 @@
 title: Reroute Files and Settings
 description: Learn how to create a custom .xml file and specify this file name on both the ScanState and LoadState command lines to reroute files and settings.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index cf9749d531..d714529956 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -2,7 +2,7 @@
 title: USMT Resources
 description: Learn about User State Migration Tool (USMT) online resources, including Microsoft Visual Studio and forums.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 04fee70623..8d64c330c7 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -2,7 +2,7 @@
 title: ScanState Syntax
 description: The ScanState command is used with the User State Migration Tool (USMT) to scan the source computer, collect the files and settings, and create a store.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md
index 4e15899fb3..fbe3df07a9 100644
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@@ -2,7 +2,7 @@
 title: User State Migration Tool (USMT) Technical Reference
 description: The User State Migration Tool (USMT) provides a highly customizable user-profile migration experience for IT professionals.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index 08bbb67f9d..e4b5a73092 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -2,7 +2,7 @@
 title: Test The Migration
 description: Learn about testing the migration plan in a controlled laboratory setting before deploying it to the entire organization.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md
index 98ddecb7ae..989fff9691 100644
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -2,7 +2,7 @@
 title: User State Migration Tool (USMT) Overview Articles
 description: Learn about User State Migration Tool (USMT) overview articles that describe USMT as a highly customizable user-profile migration experience for IT professionals.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index 98b2ed5c0e..fc0c71560b 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -2,7 +2,7 @@
 title: User State Migration Tool (USMT) Troubleshooting
 description: Learn about articles that address common User State Migration Tool (USMT) issues and questions to help troubleshooting.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index 29f40c6108..81f80a94db 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -2,7 +2,7 @@
 title: UsmtUtils Syntax
 description: Learn about the syntax for the utilities available in User State Migration Tool (USMT) through the command-line interface.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index a60ce0dd07..0ab08f59e9 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -2,7 +2,7 @@
 title: What does USMT migrate
 description: Learn how User State Migration Tool (USMT) is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index edf9b0b470..3433804014 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -2,7 +2,7 @@
 title: XML Elements Library
 description: Learn about the XML elements and helper functions that can be employed to author migration .xml files to use with User State Migration Tool (USMT).
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index 551883b1ab..031e1aa4bd 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -2,7 +2,7 @@
 title: USMT XML Reference
 description: Learn about working with and customizing the migration XML files using User State Migration Tool (USMT) XML Reference for Windows.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
index 0f537173ad..1e164d0589 100644
--- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
@@ -2,7 +2,7 @@
 title: Verify the Condition of a Compressed Migration Store
 description: Use these tips and tricks to verify the condition of a compressed migration store when using User State Migration Tool (USMT).
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index d26d21f084..1e8a5a5c01 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -2,7 +2,7 @@
 title: XML File Requirements
 description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration URL ID.
 ms.reviewer: kevinmi,warrenw
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md
index c5a40f1621..cdbbaae796 100644
--- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md
+++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md 
@@ -13,7 +13,15 @@ ms.subservice: activation # Active Directory-Based Activation overview -Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company's domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it's distributed throughout the domain. +Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company's domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it's distributed throughout the domain. 
ADBA has the following benefits + +- No additional devices required to maintain (KMS host) + +- No RPC requirement, uses LDAP + +- Works with RODC + +Note: ADBA activation only works in single forest, even if you have trust relationship setup. Each forest requires it's own ADBA object. KMS can work cross forest if the DNS SRV record is manually created under the DNS of each forest, provided 2-way trust relationship is created ## ADBA scenarios diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index 35a89089d3..083c3539a1 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -5,7 +5,7 @@ ms.service: windows-client ms.localizationpriority: medium author: frankroj ms.author: frankroj -manager: aaroncz +manager: bpardi ms.topic: article ms.date: 07/19/2024 ms.subservice: itpro-deploy diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index b6a137b5f0..599712aaeb 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md @@ -3,7 +3,7 @@ title: Windows ADK for Windows scenarios for IT Pros description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that IT Pros can use to deploy Windows. author: frankroj ms.author: frankroj -manager: aaroncz +manager: bpardi ms.service: windows-client ms.localizationpriority: medium ms.date: 02/27/2025 diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index 0d7e52c210..2407322de4 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml 
@@ -15,6 +15,8 @@ items: - name: Prerequisites href: prepare/windows-autopatch-prerequisites.md + - name: Role-based access control + href: prepare/windows-autopatch-role-based-access-control.md - name: Configure your network href: prepare/windows-autopatch-configure-network.md - name: Start using Windows Autopatch diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index 0818a69802..a86f0f531b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -8,7 +8,7 @@ ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: andredm7 ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md index a5edca8e5b..9b31857c17 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md @@ -8,7 +8,7 @@ ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: andredm7 ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index 4bab65f8f1..fa8b5ef224 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md 
@@ -8,7 +8,7 @@ ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: andredm7 ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index d9567ba906..589f3620fb 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,14 +1,14 @@ --- title: Register devices with Autopatch groups description: This article details how to register devices in Autopatch. -ms.date: 03/31/2025 +ms.date: 05/27/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: andredm7 ms.collection: - highpri @@ -54,6 +54,9 @@ Windows Autopatch has an Autopatch groups membership report provides the followi - Update status - Policies that target each device +> [!NOTE] +> You can configure custom roles to access the Autopatch groups membership report, including the various device actions.

To **Assign ring** the user requires a minimum of **Windows Autopatch Group/Read permissions**. Use the dropdown menu to select the deployment ring to move devices to, the menu will only display deployment rings in the users' scope.

To view the device's properties, the minimum permission required is **Manage Devices/Read**.

Scoped admins can only move devices between deployment rings in the same Autopatch group, with the same scope tags.

For more information, see [Windows Autopatch role-based access controls](../prepare/windows-autopatch-role-based-access-control.md).

+ ### View the Autopatch groups membership report **To view the Autopatch groups membership report:** diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-applies-to-all-licenses.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-applies-to-all-licenses.md index 28cef2dd9a..79e76221e8 100644 --- a/windows/deployment/windows-autopatch/includes/windows-autopatch-applies-to-all-licenses.md +++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-applies-to-all-licenses.md @@ -1,7 +1,7 @@ --- author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.service: windows-client ms.subservice: autopatch ms.topic: include diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-audience-graph-explorer.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-audience-graph-explorer.md index 1b467a2ff9..9aada40100 100644 --- a/windows/deployment/windows-autopatch/includes/windows-autopatch-audience-graph-explorer.md +++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-audience-graph-explorer.md @@ -1,7 +1,7 @@ --- author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.service: windows-client ms.subservice: autopatch ms.topic: include @@ -14,8 +14,8 @@ A deployment audience is a collection of devices that you want to deploy updates 1. To create a new audience, **POST** to the [deployment audience](/graph/api/resources/windowsupdates-deploymentaudience) resource with a request body of `{}`. ```msgraph-interactive - POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences - content-type: application/json + POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences + content-type: application/json {} ``` 
@@ -35,8 +35,8 @@ A deployment audience is a collection of devices that you want to deploy updates
 1. Add devices, using their **Microsoft Entra ID**, to the deployment audience so they become audience members. Specify the deployment **Audience ID** in the URL field and the devices to add in the request body. The `id` property specifies the **Microsoft Entra ID** of the device.
 ```msgraph-interactive
- POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
- content-type: application/json
+ POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
+ content-type: application/json
 {
 "addMembers": [
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-business-premium-a3-licenses.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-business-premium-a3-licenses.md
index 30ab466ec3..c7dc6119a0 100644
--- a/windows/deployment/windows-autopatch/includes/windows-autopatch-business-premium-a3-licenses.md
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-business-premium-a3-licenses.md
@@ -1,7 +1,7 @@
 ---
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: include
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-driver-policy-considerations.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-driver-policy-considerations.md
index 6f2d96bdcb..9295e738d9 100644
--- a/windows/deployment/windows-autopatch/includes/windows-autopatch-driver-policy-considerations.md
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-driver-policy-considerations.md
@@ -1,7 +1,7 @@
 ---
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: include
@@ -10,7 +10,7 @@ ms.localizationpriority: medium
 ---
-It's possible for the service to receive content approval but the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure these policies to fit their current or future needs. For instance, organizations may want to review applicable driver content, but not allow installation. Configuring this sort of behavior can be useful, especially when transitioning management of driver updates due to changing organizational needs. The following list describes driver related update policies that can affect deployments:
+It's possible for the service to receive content approval but the content doesn't get installed on the device because of a Group Policy, CSP, or registry setting on the device. In some cases, organizations specifically configure these policies to fit their current or future needs. For instance, organizations may want to review applicable driver content, but not allow installation. Configuring this sort of behavior can be useful, especially when transitioning management of driver updates due to changing organizational needs. The following list describes driver related update policies that can affect deployments:
 ### Policies that exclude drivers from Windows Update for a device
@@ -20,7 +20,7 @@ The following policies exclude drivers from Windows Update for a device:
 - **Group Policy**: `\Windows Components\Windows Update\Do not include drivers with Windows Updates` set to `enabled`
 - **CSP**: [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#excludewudriversinqualityupdate) set to `1`
 - **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversFromQualityUpdates` set to `1`
- - **Intune**: [**Windows Drivers** update setting](/mem/intune/protect/windows-update-settings#update-settings) for the update ring set to `Block`
+ - **Intune**: [**Windows Drivers** update setting](/mem/intune/protect/windows-update-settings#update-settings) for the update ring set to `Block`
 **Behavior**: Devices with driver exclusion polices that are enrolled for **drivers** and added to an audience:
 - Will display the applicable driver content
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-enroll-device-graph-explorer.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-enroll-device-graph-explorer.md
index 4c86165a65..95e1915162 100644
--- a/windows/deployment/windows-autopatch/includes/windows-autopatch-enroll-device-graph-explorer.md
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-enroll-device-graph-explorer.md
@@ -1,7 +1,7 @@
 ---
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: include
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-enterprise-e3-f3-licenses.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-enterprise-e3-f3-licenses.md
index ec09838176..6e1470f0d3 100644
--- a/windows/deployment/windows-autopatch/includes/windows-autopatch-enterprise-e3-f3-licenses.md
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-enterprise-e3-f3-licenses.md
@@ -1,7 +1,7 @@
 ---
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: include
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-find-device-name-graph-explorer.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-find-device-name-graph-explorer.md
index 00dc5b6ebd..8aea748977 100644
--- a/windows/deployment/windows-autopatch/includes/windows-autopatch-find-device-name-graph-explorer.md
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-find-device-name-graph-explorer.md
@@ -1,7 +1,7 @@
 ---
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: include
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer-permissions.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer-permissions.md
index 439c49b803..a9093eab8d 100644
--- a/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer-permissions.md
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer-permissions.md
@@ -1,7 +1,7 @@
 ---
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: include
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer.md
index 8ce80d8b36..06e0756c59 100644
--- a/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer.md
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer.md
@@ -1,7 +1,7 @@
 ---
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: include
@@ -28,6 +28,6 @@ For this article, you'll use Graph Explorer to make requests to the [Microsoft G
 1. Enter the request into the URL field. The version will populate automatically based on the URL.
 1. If you need to modify the request body, edit the **Request body** tab.
 1. Select the **Run query** button. The results will appear in the **Response** window.
-
+
 > [!TIP]
 > When reviewing [Microsoft Graph documentation](/graph/), you may notice example requests usually list `content-type: application/json`. Specifying `content-type` typically isn't required for Graph Explorer, but you can add it to the request by selecting the **Headers** tab and adding the `content-type` to the **Request headers** field as the **Key** and `application/json` as the **Value**.
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-unenroll.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-unenroll.md
index f91004dfa0..bef9475e63 100644
--- a/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-unenroll.md
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-unenroll.md
@@ -1,7 +1,7 @@
 ---
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: include
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-limitations.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-limitations.md
index dc0fd1a739..afdcb3aa7c 100644
--- a/windows/deployment/windows-autopatch/includes/windows-autopatch-limitations.md
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-limitations.md
@@ -1,7 +1,7 @@
 ---
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: include
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md
index ec3fc85cbe..cb3aa08e13 100644
--- a/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md
@@ -1,7 +1,7 @@
 ---
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: include
diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-update-health-tools-logs.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-update-health-tools-logs.md
index adc812a9a0..039e1ec718 100644
--- a/windows/deployment/windows-autopatch/includes/windows-autopatch-update-health-tools-logs.md
+++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-update-health-tools-logs.md
@@ -1,7 +1,7 @@
 ---
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: include
@@ -15,7 +15,7 @@ The Update Health Tools are used when you deploy expedited updates. In some case
 **Log location**: `%ProgramFiles%\Microsoft Update Health Tools\Logs`
-- The logs are in `.etl` format.
+- The logs are in `.etl` format.
 - Microsoft offers [PerfView as a download on GitHub](https://github.com/Microsoft/perfview/blob/main/documentation/Downloading.md), which displays `.etl` files.
 For more information, see [Troubleshooting expedited updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-the-most-out-of-expedited-windows-quality-updates/ba-p/3659741).
diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml
index 2a64ebfccd..7c2e99fc4b 100644
--- a/windows/deployment/windows-autopatch/index.yml
+++ b/windows/deployment/windows-autopatch/index.yml
@@ -10,7 +10,7 @@ metadata:
 ms.topic: landing-page # Required
 author: tiaraquan #Required; your GitHub user alias, with correct capitalization.
 ms.author: tiaraquan #Required; microsoft alias of author; optional team alias.
- manager: aaroncz
+ manager: bpardi
 ms.date: 08/27/2024 #Required; mm/dd/yyyy format.
 ms.service: windows-client
 ms.subservice: autopatch
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md
index 528758638d..fb05813062 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md
@@ -1,17 +1,17 @@
 ---
 title: Programmatic controls for drivers and firmware
-titleSuffix: Windows Autopatch
+titleSuffix: Windows Autopatch
 description: Use programmatic controls to deploy driver and firmware updates to devices.
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: how-to
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.collection:
 - tier1
 ms.localizationpriority: medium
-appliesto:
+appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
 ms.date: 03/31/2025
@@ -87,7 +87,7 @@ To create a policy without any deployment settings, in the request body specify
 ```msgraph-interactive
 POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies
 content-type: application/json
-
+
 {
 "audience": {
 "id": "d39ad1ce-0123-4567-89ab-cdef01234567"
@@ -129,7 +129,7 @@ To create a policy with additional settings, in the request body:
 ```msgraph-interactive
 POST https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies
 content-type: application/json
-
+
 {
 "@odata.type": "#microsoft.graph.windowsUpdates.updatePolicy",
 "audience": {
@@ -193,7 +193,7 @@ Once Windows Autopatch has scan results from devices, the applicability for driv
 - The **Microsoft Entra ID** of the devices it's applicable to
 - Information describing the update such as the name and version.
-To display [applicable content](/graph/api/resources/windowsupdates-applicablecontent), run a query using the **Audience ID**, for example `d39ad1ce-0123-4567-89ab-cdef01234567`:
+To display [applicable content](/graph/api/resources/windowsupdates-applicablecontent), run a query using the **Audience ID**, for example `d39ad1ce-0123-4567-89ab-cdef01234567`:
 ```msgraph-interactive
 GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/applicableContent
@@ -202,7 +202,7 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d
 The following truncated response displays:
 - An **Microsoft Entra ID** of `01234567-89ab-cdef-0123-456789abcdef`
- - The **Catalog ID** of `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c`
+ - The **Catalog ID** of `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c`
 ```json
 "matchedDevices": [
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md
index 409b518326..ccc61e4487 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md
@@ -8,7 +8,7 @@ ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: hathind
 ms.collection:
 - highpri
@@ -32,7 +32,7 @@ For a device to be eligible for Microsoft Edge updates as a part of Windows Auto
 With the expanded Autopatch group capabilities, you can choose to enable Microsoft Edge updates on a per Autopatch group level. Depending on your tenant settings, one of the following scenarios occurs:
-- Tenants that previously turned on Autopatch Microsoft Edge updates, has the Microsoft Edge updates Update Type checkbox selected, and the updated policies applied to each Autopatch group.
+- Tenants that previously turned on Autopatch Microsoft Edge updates, has the Microsoft Edge updates Update Type checkbox selected, and the updated policies applied to each Autopatch group.
 - Tenants that previously turned off Autopatch Microsoft Edge updates, or are new to Windows Autopatch, Autopatch Microsoft Edge updates remain turned off.
 If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) and selected Microsoft Edge updates as a content type, the **Update Type** checkbox is **selected**, with new policies created and any available old policies are removed. If you didn’t select Microsoft Edge updates as a content type upon creating an Autopatch group, the **Update Type** checkbox is **unselected**. Any available customized policies are retained and appear in the **Policies** tab.
@@ -43,11 +43,11 @@ If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**.
-1. Select an Autopatch group to modify (repeat these steps for each group).  
-1. Next to **Update types**, select **Edit**.  
-1. Select **Microsoft Edge updates**.  
+1. Select an Autopatch group to modify (repeat these steps for each group).  
+1. Next to **Update types**, select **Edit**.  
+1. Select **Microsoft Edge updates**.  
 1. Select **Next: Deployment settings** > **Next: Release schedules** > **Next: Review + save** > **Save** to save these changes.
-1. We recommend deleting old Autopatch default policies to avoid policy conflict. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab.  
+1. We recommend deleting old Autopatch default policies to avoid policy conflict. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab.  
 1. Manually remove the following profiles related to Microsoft Edge
 1. Windows Autopatch - Microsoft Edge Update Channel Beta
 1. Windows Autopatch - Microsoft Edge Update Channel Stable
@@ -61,9 +61,9 @@ If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**.
-1. Select an Autopatch group to modify (repeat these steps for each group).  
+1. Select an Autopatch group to modify (repeat these steps for each group).  
 1. Next to **Update types**, select **Edit**.
-1. Unselect **Microsoft Edge updates**.  
+1. Unselect **Microsoft Edge updates**.  
 1. Select **Next: Deployment settings** > **Next: Release schedules** > **Next: Review + save** > **Save** to save these changes.
 ### Verify Microsoft Edge updates policies
@@ -71,14 +71,14 @@ If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch
 **To verify Microsoft Edge updates policies:**
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**.  
+1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**.  
 1. Verify each Autopatch group has the **Microsoft Edge Update Type** checkbox **selected**.
 1. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab.
 1. The following new policies should be discoverable from the list of profiles:
 1. `"Windows Autopatch Microsoft Edge Update Policy - - "`
 1. The following profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords "Microsoft Edge Update Channel". The result should return *0 profiles filtered*.
- 1. Windows Autopatch - Microsoft Edge Update Channel Beta
- 1. Windows Autopatch - Microsoft Edge Update Channel Stable
+ 1. Windows Autopatch - Edge Update Channel Beta
+ 1. Windows Autopatch - Edge Update Channel Stable
 ### Verify Microsoft Edge updates policies are created
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-exclude-device.md
index b8eb5ff8e1..46c32145e3 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-exclude-device.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-exclude-device.md
@@ -8,7 +8,7 @@ ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: andredm7
 ms.collection:
 - tier2
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-groups-policies.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-groups-policies.md
index 4646e51661..8f43772b96 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-groups-policies.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-groups-policies.md
@@ -8,7 +8,7 @@ ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: andredm7
 ms.collection:
 - highpri
@@ -33,12 +33,12 @@ Autopatch groups create one Windows 10 Update Ring policy for each deployment ri
 ## Feature update policy for Windows 10 and later
-If features updates are [selected as a content type for an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), a feature update policy is created with the Microsoft Entra groups for each update ring assigned to it. This policy does the following:
+If features updates are [selected as a content type for an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), a feature update policy is created with the Microsoft Entra groups for each update ring assigned to it. This policy does the following:
 - Ensures existing devices on the target version don’t update beyond that version.
-- If new devices are added to the Autopatch group and are below your target version, the devices are updated to the target version.
+- If new devices are added to the Autopatch group and are below your target version, the devices are updated to the target version.
-To achieve this outcome, the feature update policy is configured for immediate start as required.
+To achieve this outcome, the feature update policy is configured for immediate start as required.
 > [!IMPORTANT]
 > To safely deploy a new feature update, Autopatch recommends using a custom Windows feature update release. The custom release allows you to choose how and when different deployment rings receive the update. Autopatch doesn't recommend updating the minimum version within an Autopatch group until your rollout is complete. Doing so initiates a rollout which starts immediately for all members of that group.

Once you create a custom Windows feature update release, the Autopatch group's deployment rings are unassigned from that group’s feature update policy.

diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
index 4669de9482..533b8e819a 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
@@ -8,7 +8,7 @@ ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: adnich
 ms.collection:
 - highpri
@@ -68,11 +68,11 @@ You can also use the CSP DisableCHPE (available on Windows Insider Preview). For
 > [!NOTE]
 > There are no plans to support hotpatch updates on Arm64 devices with CHPE enabled. Disabling CHPE is required only for Arm64 devices. AMD and Intel CPUs don’t have CHPE.
-If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage.
+If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage.
 ## Ineligible devices
-Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.
+Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.
 LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant.
@@ -149,7 +149,7 @@ For the latest release schedule, see the [hotpatch release notes](https://suppor
 ### Step 3: Verify the device is properly configured to turn on hotpatch updates
-1. In Intune, review your configured policies within Autopatch to see which groups of devices are targeted with a hotpatch policy by going to the **Windows Update** > **Quality Updates** page.
+1. In Intune, review your configured policies within Autopatch to see which groups of devices are targeted with a hotpatch policy by going to the **Windows Update** > **Quality Updates** page.
 1. Ensure the hotpatch update policy is set to **Allow**.
 1. On the device, select **Start** > **Settings** > **Windows Update** > **Advanced options** > **Configured update policies** > find **Enable hotpatching when available**. This setting indicates that the device is enrolled in hotpatch updates as configured by Autopatch.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
index 29fc0d54bf..00072ac729 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
@@ -1,14 +1,14 @@
 ---
 title: Manage Windows Autopatch groups
 description: This article explains how to manage Autopatch groups
-ms.date: 03/31/2025
+ms.date: 05/27/2025
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: andredm7
 ms.collection:
 - highpri
@@ -68,6 +68,7 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat
 1. Edit the deferrals, deadlines, grace periods as needed
 1. Edit the deployment rings as necessary
 1. If you made changes, but want to start over, select **Reset to preset values [release schedule preset]**. The reset is dependent on which release schedule preset you selected in step 12.
+1. Select **Next: Scope tags**. Add the scope tags you want to assign for the Autopatch group. For more information on Scope tags, see [Scoped admins and Autopatch groups](../prepare/windows-autopatch-role-based-access-control.md#scoped-admins-and-autopatch-groups).
 1. Select **Review + create** to review all changes made.
 1. Once the review is done, select **Create** to save your Autopatch group.
@@ -90,7 +91,8 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat
 1. In the **Deployment rings** page, edit your deployment rings as necessary or select **Next: Update types**.
 1. In the **Update types** page, add or remove update types as necessary, or select **Next: Deployment settings**.
 1. In the **Deployment settings** page, edit the deployment settings as necessary, or select **Next: Release schedule**.
-1. In the **Release schedule** page, edit the deferral and/or deadline day as necessary. If you need to change the release schedule preset, you must create a new Autopatch group.
+1. In the **Release schedule** page, edit the deferral and/or deadline day as necessary, or select **Next: Scope tags**. If you need to change the release schedule preset, you must create a new Autopatch group.
+1. In the Scope tags page, edit the scope tags as necessary, or select **Next: Review + save**. For more information on Scope tags, see [Scoped admins and Autopatch groups](../prepare/windows-autopatch-role-based-access-control.md#scoped-admins-and-autopatch-groups).
 1. Select **Review + create** to review all changes made.
 1. Once the review is done, select **Save** to finish editing the Autopatch group.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md
index 5fb0db6f49..a02e360545 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md
@@ -8,7 +8,7 @@ ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: andredm7
 ms.collection:
 - highpri
@@ -31,7 +31,7 @@ You can manage and control your driver and firmware updates by:
 The Autopatch service creates additional driver profiles on a per-deployment ring and per group basis within your tenant.
-Choosing between Automatic and Manual modes can be done per-deployment ring and/or per Autopatch group. For a single Autopatch group, a mix of both Automatic and Manual policies is allowed. If you were previously in Manual mode, we create Manual policies for all your group rings. If Automatic (the default) was previously used, we create Automatic policies instead.
+Choosing between Automatic and Manual modes can be done per-deployment ring and/or per Autopatch group. For a single Autopatch group, a mix of both Automatic and Manual policies is allowed. If you were previously in Manual mode, we create Manual policies for all your group rings. If Automatic (the default) was previously used, we create Automatic policies instead.
 > [!IMPORTANT]
 > If you switch between Automatic and Manual modes, new policies are generated to **replace old policies**. **You’ll lose any approvals, paused drivers, and declined drivers previously made for those groups and/or deployment rings**.
@@ -67,9 +67,9 @@ Choosing between Automatic and Manual modes can be done per-deployment ring and/
 For deployment rings set to **Automatic**, you can choose the deferral period for driver and firmware updates. The deferral period is the number of days that you must wait to deploy after a driver becomes available. By default, these deferral values match the values you set for your Windows quality updates.
-The deferral period allows you to delay the installation of driver and firmware updates on the devices in the specified deployment ring in case you want to test the update on a smaller group of devices first or avoid potential disruptions during a busy period.
+The deferral period allows you to delay the installation of driver and firmware updates on the devices in the specified deployment ring in case you want to test the update on a smaller group of devices first or avoid potential disruptions during a busy period.
-The deferral period can be set from 0 to 30 days, and it can be different for each deployment ring.
+The deferral period can be set from 0 to 30 days, and it can be different for each deployment ring.
 > [!NOTE]
 > The deferral period only applies to automatically approved driver and firmware updates. An admin must specify the date to start offering a driver with any manual approval.
@@ -88,7 +88,7 @@ When an OEM releases a newer update version that qualifies to be the new recomme
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), navigate to **Devices** > **Manage updates** > **Windows updates** > **Driver updates**.
 1. Select **Manage drivers for Autopatch groups** or select one of the **Drivers to review** links.
-1. Select the driver or drivers you’d like to manage.
+1. Select the driver or drivers you’d like to manage.
 1. Select **Manage**. You can either:
 1. Approve for all policies
 2. Decline for all unreviewed policies
@@ -128,6 +128,6 @@ These updates can include:
 1. Approve for all policies
 2. Decline for all unreviewed policies
 3. Manage for individual policies
-1. In the **Approve for all policies** dropdown, select the date to make the driver available through Windows Update.
+1. In the **Approve for all policies** dropdown, select the date to make the driver available through Windows Update.
 1. In the **Manage for individual policies** dropdown, select the policies to approve or decline the driver.
 1. Select **Save**.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md
index 820fd843d4..ab33051323 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -8,7 +8,7 @@ ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: hathind
 ms.collection:
 - highpri
@@ -74,7 +74,7 @@ To ensure that users are receiving automatic updates, Windows Autopatch prevents With the expanded Autopatch group capabilities, you can choose to turn on Microsoft 365 Apps updates on a per Autopatch group level. Depending on your tenant settings, one of the following scenarios occurs: -- Tenants that previously turned on Autopatch Microsoft 365 Apps update, has the Microsoft 365 Apps updates Update Type checkbox selected and the updated policies applied to each Autopatch group. +- Tenants that previously turned on Autopatch Microsoft 365 Apps update, has the Microsoft 365 Apps updates Update Type checkbox selected and the updated policies applied to each Autopatch group. - Tenants that previously turned off Autopatch Microsoft 365 Apps updates, or are new to Windows Autopatch, Autopatch Microsoft 365 Apps updates remain turned off. If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) and selected Microsoft 365 apps updates as a content type, the **Update Type** checkbox is **selected**, with new policies created, and any available old policies are removed. If you didn’t select Microsoft 365 apps updates as a content type upon creating an Autopatch group, the **Update Type** checkbox is **unselected**. Any available customized policies are retained and appear in the **Policies** tab. 
@@ -85,11 +85,11 @@ If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**. -1. Select an Autopatch group to modify (repeat these steps for each group).  -1. Next to **Update types**, select **Edit**.  -1. Select **Microsoft 365 Apps updates**.  +1. Select an Autopatch group to modify (repeat these steps for each group).  +1. Next to **Update types**, select **Edit**.  +1. Select **Microsoft 365 Apps updates**.  1. Select **Next: Deployment settings** > **Next: Release schedules** > **Next: Review + save** > **Save** to save these changes. -1. We recommend deleting old Autopatch default policies to avoid policy conflict. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab.  +1. We recommend deleting old Autopatch default policies to avoid policy conflict. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab.  1. Manually remove the following profiles related to Microsoft 365 Apps: 1. Windows Autopatch - Office Configuration 2. Windows Autopatch - Office Update Configuration [Test] 
@@ -98,7 +98,7 @@ If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch 5. Windows Autopatch - Office Update Configuration [Broad] > [!NOTE] -> If you previously selected **Microsoft 365 Apps updates** when [creating an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), but your tenant isn't showing the new updates, there’s a possibility that you previously modified the policy. To ensure there are no disruptions, the Autopatch Service retains that policy. +> If you previously selected **Microsoft 365 Apps updates** when [creating an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), but your tenant isn't showing the new updates, there’s a possibility that you previously modified the policy. To ensure there are no disruptions, the Autopatch Service retains that policy. ### Turn off Microsoft 365 Apps updates @@ -106,9 +106,9 @@ If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**. -1. Select an Autopatch group to modify (repeat these steps for each group).  +1. Select an Autopatch group to modify (repeat these steps for each group).  1. Next to **Update types**, select **Edit**. -1. Unselect **Microsoft 365 Apps updates**.  +1. Unselect **Microsoft 365 Apps updates**.  1. Select **Next: Deployment settings** > **Next: Release schedules** > **Next: Review + save** > **Save** to save these changes. ### Verify Microsoft 365 Apps updates policies 
@@ -116,7 +116,7 @@ If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch **To verify Microsoft 365 Apps updates policies:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**.  +1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**.  1. Verify each Autopatch group has the **Microsoft 365 Apps Update Type** checkbox **selected**. 1. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab. 1. The following new policies should be discoverable from the list of profiles: diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-policies.md index 905c086332..ed10600ca1 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-policies.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-policies.md @@ -8,7 +8,7 @@ ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: hathind ms.collection: - tier2 diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-release-schedule.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-release-schedule.md index 398823cff1..46dfc1f7a5 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-release-schedule.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-release-schedule.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: andredm7 ms.collection: - highpri 
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md index e0eacd5946..25399d3692 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: hathind ms.collection: - highpri @@ -30,7 +30,7 @@ Support requests are triaged and responded to as they're received. 1. In the **Help** section, enter your questions and/or a description of the issue. 1. Review the links that are provided to try to help with the issue. 1. If the answers that were given don't help you resolve the issue, select **Contact support** at the bottom of the page. -1. Follow the instructions to file a support request with Windows Autopatch. Make sure you provide the correct primary contact information for this specific support ticket. +1. Follow the instructions to file a support request with Windows Autopatch. Make sure you provide the correct primary contact information for this specific support ticket. 1. When you're ready, select **Contact me**. ## Premier and Unified support options diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md index 90b420fa4a..1f45b4cd66 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: hathind ms.collection: - highpri 
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md index 169146d992..ea2ae965aa 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md @@ -7,11 +7,11 @@ ms.subservice: autopatch ms.topic: troubleshooting ms.author: tiaraquan author: tiaraquan -manager: aaroncz +manager: bpardi ms.collection: - tier1 ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 ms.date: 03/31/2025 diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md index 64e0d1e9f7..32c3aa63d8 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: andredm7 ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md index 6e8f9565bc..ae36283b57 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md 
@@ -1,14 +1,14 @@ --- title: Windows feature updates overview description: This article explains how Windows feature updates are managed -ms.date: 03/31/2025 +ms.date: 05/27/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: overview ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: andredm7 ms.collection: - highpri @@ -39,6 +39,7 @@ The release statuses are described in the following table: | Inactive | All the Autopatch groups within the release are assigned to a new release. As a result, the Windows feature update policies were unassigned from all phases from within the release. |
  • Release can be viewed as a historical record.
  • Releases can't be deleted, edited, or canceled.
| | Paused | All phases in the release are paused. The release remains paused until you resume it. |
  • Releases with the Paused status can't be edited or canceled since the Windows feature update policy was already created for its phases.
  • Release can be resumed.
| | Canceled | All phases in the release are canceled. |
  • Releases with the Canceled status can't be edited or canceled since the Windows feature update policy wasn't created for its phases.
  • Canceled release can't be deleted.
| +| Assignment error | The release is scheduled but one or more policies aren't assigned. The user that created the release doesn't have the required permissions to assign one or more policies because the selected Autopatch group isn't in their Scoped Group. Contact the Intune administrator or Role administrator to complete steps in [Scoped admins and Autopatch groups](../prepare/windows-autopatch-role-based-access-control.md#scoped-admins-and-autopatch-groups). | #### Phase statuses @@ -54,6 +55,7 @@ A phase is made of one or more [Autopatch group deployment rings](../deploy/wind | Inactive | All Autopatch groups within the phase are reassigned to a new release. All Windows feature update policies were unassigned from the Autopatch groups. | | Paused | Phase is paused. You must resume the phase. | | Canceled | Phase is canceled. All Autopatch groups within the phase can be used with a new release. A phase that is canceled can't be deleted. | +| Assignment error | The phase is scheduled but the policy isn't assigned. The user that created the policy doesn't have the required permissions to assign the policy because the selected Autopatch group isn't in their Scoped Group. Contact the Intune Administrator or Role administrator to complete steps in [Scoped admins and Autopatch groups](../prepare/windows-autopatch-role-based-access-control.md#scoped-admins-and-autopatch-groups). | #### Phase policy configuration diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md index f2c2a7eba4..ac081febb5 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md 
@@ -1,17 +1,17 @@ --- -title: Programmatic controls for feature updates +title: Programmatic controls for feature updates titleSuffix: Windows Autopatch -description: Use programmatic controls to deploy feature updates to devices in your organization. +description: Use programmatic controls to deploy feature updates to devices in your organization. ms.service: windows-client ms.subservice: autopatch ms.topic: how-to ms.author: tiaraquan author: tiaraquan -manager: aaroncz +manager: bpardi ms.collection: - tier1 ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 ms.date: 03/31/2025 @@ -101,7 +101,7 @@ The following truncated response displays a **Catalog ID** of `d9049ddb-0ca8-4b ## Create a deployment -When creating a deployment for a feature update, there are multiple options available to define how the deployment behaves. The deployment and monitoring settings are optional. The following [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) are defined in the example request body for deploying the Windows 11, version 22H2 feature update (**Catalog ID** of `d9049ddb-0ca8-4bc1-bd3c-41a456ef300f`): +When creating a deployment for a feature update, there are multiple options available to define how the deployment behaves. The deployment and monitoring settings are optional. The following [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) are defined in the example request body for deploying the Windows 11, version 22H2 feature update (**Catalog ID** of `d9049ddb-0ca8-4bc1-bd3c-41a456ef300f`): - Deployment [start date](/graph/api/resources/windowsupdates-schedulesettings) of February 14, 2023 at 5 AM UTC - [Gradual rollout](/graph/api/resources/windowsupdates-gradualrolloutsettings) at a rate of 100 devices every three days 
@@ -207,7 +207,7 @@ The response body contains: To [update deployment](/graph/api/windowsupdates-deployment-update), PATCH the deployment resource by its **Deployment ID** and supply the updated settings in the request body. The following example keeps the existing gradual rollout settings that were defined when creating the deployment but changes the deployment start date to February 28, 2023 at 5 AM UTC: -```msgraph-interactive +```msgraph-interactive PATCH https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-3456-7890-abcd-ef1234567890 content-type: application/json @@ -235,7 +235,7 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12- ## Add members to the deployment audience -The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update is offered. +The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update is offered. The following example adds three devices to the deployment audience using the **Microsoft Entra ID** for each device: diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md index 2bd9cc5d2a..fa9975bbe2 100644 
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md @@ -8,7 +8,7 @@ ms.topic: article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: adnich ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md index cf8bd182c2..71fb519196 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md @@ -8,7 +8,7 @@ ms.topic: article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: andredm7 ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md index 721d6a1169..1a3601e895 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md 
@@ -1,17 +1,17 @@ --- title: Programmatic controls for expedited Windows quality updates titleSuffix: Windows Autopatch -description: Use programmatic controls to deploy expedited Windows quality updates to devices in your organization. +description: Use programmatic controls to deploy expedited Windows quality updates to devices in your organization. ms.service: windows-client ms.subservice: autopatch ms.topic: how-to ms.author: tiaraquan author: tiaraquan -manager: aaroncz +manager: bpardi ms.collection: - tier1 ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 - ✅ Windows 10 ms.date: 03/31/2025 diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md index 65aded1caa..77d49bb638 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md @@ -8,7 +8,7 @@ ms.topic: concept-article ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: adnich ms.collection: - tier2 diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md index 67ddbea0cc..4717245285 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: adnich ms.collection: - highpri 
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md index fa37013aee..fc059e1628 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: adnich ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md index aacf1432f3..3b897a5d7e 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: smithcharles ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-policy-health-and-remediation.md index d30db0518d..f3c04346b1 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-policy-health-and-remediation.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-policy-health-and-remediation.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: rekhanr ms.collection: - highpri 
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-resolve-policy-conflicts.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-resolve-policy-conflicts.md index 6b5547677d..84ce500a5d 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-resolve-policy-conflicts.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-resolve-policy-conflicts.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: hathind ms.collection: - highpri @@ -37,20 +37,20 @@ With this feature, IT admins can view: Alerts are raised when devices report policy conflicts. Autopatch policies are assigned to Autopatch groups. Devices that are members of Autopatch groups are expected to receive only Windows Autopatch policies. -Once you resolve the conflict, it can take effect on the device at the next Intune sync. This view is refreshed every 24 hours. It can take up to 72 hours after the conflict is resolved for the view to be updated. +Once you resolve the conflict, it can take effect on the device at the next Intune sync. This view is refreshed every 24 hours. It can take up to 72 hours after the conflict is resolved for the view to be updated. > [!NOTE] > This view only includes policy conflicts between Microsoft Intune policies. This view doesn't include policy issues caused by other configurations, for example, group policy settings, registry settings that are changed by scripts and prevent Windows Autopatch from deploying updates.

When Windows Autopatch detects Intune based policies are missing or modified, this information is displayed with detailed recommended actions, and described in [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md).

To ensure devices remain healthy and not affected by group policies, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md#details-about-the-post-device-registration-readiness-checks).

## Policy conflict view -This view includes the list of Windows Autopatch policies ([Expected policies](#policy-conflict-view-alert-details)) that are assigned to various Windows Autopatch groups that include devices. When the Expected policy can't be successfully assigned to one or more devices, because of an equivalent setting in another Intune policy targeting the device, the conflict is detected, and reported as a [Conflicting policy](#policy-conflict-view-alert-details). +This view includes the list of Windows Autopatch policies ([Expected policies](#policy-conflict-view-alert-details)) that are assigned to various Windows Autopatch groups that include devices. When the Expected policy can't be successfully assigned to one or more devices, because of an equivalent setting in another Intune policy targeting the device, the conflict is detected, and reported as a [Conflicting policy](#policy-conflict-view-alert-details). -If the Expected policy conflicts with multiple Intune policies, each conflict is displayed in different lines in the Policy conflict view. +If the Expected policy conflicts with multiple Intune policies, each conflict is displayed in different lines in the Policy conflict view. **To view all policies conflicting with the Expected policies:** -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Navigate to **Devices** > **Managed updates** > **Windows Updates** > **Monitor** > **Policy health**. 3. In the **Policy conflicts** tab, the list of expected policies and conflicting policies is displayed. 4. Select **View alert** and review the details of the **Recommended action** and alert details. 
@@ -70,7 +70,7 @@ All alerts displayed in this flyout include the following details. You must revi ## Affected devices view -This view includes the list of devices with policy conflicts with the [Expected policy](#policy-conflict-view-alert-details). It's possible for devices to have multiple conflicting policies, due to their membership in various groups. +This view includes the list of devices with policy conflicts with the [Expected policy](#policy-conflict-view-alert-details). It's possible for devices to have multiple conflicting policies, due to their membership in various groups. You can navigate to this view from the Affected devices column link in the [Policy conflicts view](#policy-conflict-view), or directly from Policy health blade. This page displays a filtered device list, when navigating from the Policy conflicts view. Affected devices only include devices that have a successful Intune sync status in the last 28 days. diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md index f99254cf03..02cde19481 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: andredm7 ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md index cd3667a8a2..bf5478ec2f 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md 
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: andredm7 ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md index 674f5de9cc..838f68b2b2 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: andredm7 ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md index 66f0f3e54c..1bcf9e530a 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md 
@@ -1,14 +1,14 @@ --- title: Windows quality and feature update reports overview description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch. -ms.date: 03/31/2025 +ms.date: 05/27/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: overview ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: adnich ms.collection: - highpri 
@@ -26,6 +26,23 @@ Windows Autopatch requires, and uses Windows diagnostic data to display device u This data collection configuration method using Windows diagnostic data in Intune is shared across Autopatch reports. To support Autopatch reporting, you must configure the [Enable Windows diagnostic data collection settings](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) from devices at the **Required** or higher level. +### Permissions and scope to view reports  + +To view Windows Update reports, you must be assigned an Intune role with the **Device Configuration** > **View reports** permission. This permission is included in the following built-in roles: + +- Policy and Profile Manager +- Read Only Operator +- Helpdesk Operator + +In addition, the following roles have **Reports** > **Read permissions**. This permission is included in the following built-in roles, to access Windows Autopatch reports. + +- Windows Autopatch Administrator +- Windows Autopatch reader + +The report displays data based on device scope tags only. Therefore, Windows Update reports might include Update policies and Autopatch group information that aren't in the same scope as the device. For more information, see [role-based access control](../prepare/windows-autopatch-role-based-access-control.md) in Windows Autopatch. + +To ensure accurate display of reports information, ensure that the Autopatch groups, update policies are accurately assigned to the same scope as the device. + ## Windows quality update reports The Windows quality reports provide you with information about: diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md index e310b53f31..cc03f4230d 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md 
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: adnich ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md index 0d0528d557..1c300459fb 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: adnich ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md index 7ac39cf891..8dbd49f9b0 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md @@ -8,7 +8,7 @@ ms.topic: how-to ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan -manager: aaroncz +manager: bpardi ms.reviewer: adnich ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index b23c1587ec..0864fdc6ac 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml 
@@ -7,7 +7,7 @@ metadata:
  ms.date: 04/21/2025
  audience: itpro
  ms.localizationpriority: medium
- manager: aaroncz
+ manager: bpardi
  author: tiaraquan
  ms.author: tiaraquan
  ms.reviwer: hathind
@@ -16,19 +16,19 @@ title: Frequently Asked Questions about Windows Autopatch summary: This article answers frequently asked questions about Windows Autopatch. sections: - name: General - questions: + questions: - question: Is Windows 365 for Enterprise supported with Windows Autopatch? answer: | Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported. - question: Will Windows Autopatch support local domain join Windows 10? answer: | - Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Microsoft Hybrid Entra join](/entra/identity/devices/concept-hybrid-join) or [Microsoft Entra join](/entra/identity/devices/concept-directory-join). + Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Microsoft Hybrid Entra join](/entra/identity/devices/concept-hybrid-join) or [Microsoft Entra join](/entra/identity/devices/concept-directory-join). - question: Will Windows Autopatch be available for state and local government customers? answer: | Windows Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not supported. - question: How do I access Windows Autopatch? - answer: | - You can access Windows Autopatch through Intune. For more information, see [Start using Windows Autopatch](../prepare/windows-autopatch-start-using-autopatch.md#use-microsoft-intune-for-windows-autopatch) and [Prerequisites](../prepare/windows-autopatch-prerequisites.md) to ensure you meet the licensing requirements. + answer: | + You can access Windows Autopatch through Intune. 
For more information, see [Start using Windows Autopatch](../prepare/windows-autopatch-start-using-autopatch.md#use-microsoft-intune-for-windows-autopatch) and [Prerequisites](../prepare/windows-autopatch-prerequisites.md) to ensure you meet the licensing requirements. - name: Requirements questions: - question: What are the licensing requirements for Windows Autopatch? @@ -55,8 +55,8 @@ sections: answer: | No, Windows Autopatch doesn't require any specific hardware. However, general hardware requirements for updates are still applicable. For example, to deliver Windows 11 to your Autopatch devices they must meet [specific hardware requirements](/windows/whats-new/windows-11-requirements). Windows devices must be supported by your hardware OEM. - name: Device registration - questions: - - question: Who can register devices into Windows Autopatch? + questions: + - question: Who can register devices into Windows Autopatch? answer: | If you have Business Premium, A3+, E3+ and F3 licenses, you can register devices into Windows Autopatch. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). - question: Does Autopatch on Windows 365 Cloud PCs have any feature difference from a physical device? @@ -77,7 +77,7 @@ sections: - name: Manage updates questions: - question: Who can manage updates with Windows Autopatch? - answer: | + answer: | Business Premium, A3+, E3+ and F3 licenses can manage updates with Windows Autopatch. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). - question: What systems does Windows Autopatch update? answer: | 
@@ -100,12 +100,12 @@ sections: - question: What is the expected behavior for turning on the Feature Update option for Autopatch groups? answer: | Starting in April 2025, default policies aren't created for new Autopatch customers. Existing customers will continue to receive support until Windows 10 reaches its End-of-Service (EOS). However, these policies won't transition to Windows 11. - + If you created an Autopatch group before April 2025: - The Feature Update option is unselected by default. - Selecting the Feature Update option creates a feature update policy for the newly created Autopatch group. This doesn't affect the Global DSS policy. - The Feature Update option doesn't affect existing releases created before April 2025; these releases remain unchanged - + If you created an Autopatch group after April 2025: - Selecting the Feature Update option creates a feature update policy and assigns it to all its deployment rings. - Global DSS policy isn't affected. 
@@ -122,7 +122,7 @@ sections: Yes, hotpatch updates are available for Arm64 devices. For more information, see [Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)](../manage/windows-autopatch-hotpatch-updates.md#arm-64-devices-must-disable-compiled-hybrid-pe-usage-chpe-arm-64-cpu-only)). - question: What is the default hotpatch behavior on Windows Home or Pro devices? answer: | - Hotpatch updates aren't available to Home or Pro devices. Hotpatching requires domain admin or group policy. It's available only via Windows Autopatch update policy, which includes Windows 365 Enterprise, E3/E5, F3 and A3/A5 licenses. + Hotpatch updates aren't available to Home or Pro devices. Hotpatching requires domain admin or group policy. It's available only via Windows Autopatch update policy, which includes Windows 365 Enterprise, E3/E5, F3 and A3/A5 licenses. - question: How do I enroll devices to receive hotpatch updates? answer: | For more information, see [Enroll devices to receive hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md#enroll-devices-to-receive-hotpatch-updates). 
@@ -137,13 +137,13 @@ sections: Devices receiving the hotpatch update have a different KB number tracking the release and a different OS version than devices receiving the standard update that requires a restart. The monthly KB release articles indicate if the KB installed is hotpatch capable and the corresponding OS version. The following Windows Update message appears “Great news! The latest security update was installed without a restart.” - question: What if I restart a device after receiving a hotpatch update? answer: | - The device stays on the hotpatch update KB/OS version after a restart. It won't receive any new features as part of the regular servicing track until the next quarterly cumulative baseline update. + The device stays on the hotpatch update KB/OS version after a restart. It won't receive any new features as part of the regular servicing track until the next quarterly cumulative baseline update. - question: Do hotpatch updates only update common system binaries loaded in third-party processes or only Microsoft processes? answer: | - Hotpatch updates aren't limited to Microsoft processes. Hotpatch updates are only created for OS binaries. Any process loading OS binaries that have hotpatch updates installed are updated before the application or operating system uses the binaries. This includes common system dynamic link libraries (DLLs) like ntdll.dll. + Hotpatch updates aren't limited to Microsoft processes. Hotpatch updates are only created for OS binaries. Any process loading OS binaries that have hotpatch updates installed are updated before the application or operating system uses the binaries. This includes common system dynamic link libraries (DLLs) like ntdll.dll. - question: How can I find out if a hotpatch update was applied to the specific DLL? - answer: | - You can see the hotpatch modules in the memory dump. Symbols for hotpatched DLLs depend on the function that receives the update. 
Some code that is hotpatch-updated could be public (symbols), while other functions could be private (no symbols). + answer: | + You can see the hotpatch modules in the memory dump. Symbols for hotpatched DLLs depend on the function that receives the update. Some code that is hotpatch-updated could be public (symbols), while other functions could be private (no symbols). - question: Are there kernel-mode hotpatch updates? answer: | Yes, there are kernel-mode hotpatch updates. @@ -155,7 +155,7 @@ sections: Yes, you can. You can manually download the standard Windows monthly update from the Microsoft Update Catalog. In this case, the device stops receiving hotpatch updates and receives standard Windows updates until the month after the next baseline update. Since the device is still enrolled in hotpatching, the device automatically rejoins the hotpatch cadence of updates after the update is released on the baseline month. - question: How do hotpatch update events show up in audit logs? answer: | - Process explorer shows it loaded in memory OS ``_hotpatch`` loaded in memory. The hotpatch update KB includes a link to the CSV file listing the update payload. + Process explorer shows it loaded in memory OS ``_hotpatch`` loaded in memory. The hotpatch update KB includes a link to the CSV file listing the update payload. - question: Can I get security alerts through Event Tracing for Windows (ETW) about hotpatch updates? answer: | Hotpatch events are captured in the audit log. Search for “hotpatch” in the audit log to find related errors if any were captured. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index df6f012de8..d2676895dd 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md 
@@ -8,7 +8,7 @@ ms.topic: overview
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.collection:
 - highpri
 - tier1
@@ -43,6 +43,7 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
 
 | Features included with Business Premium, A3+, E3+ and F3 licenses | Description |
 | --- | --- |
+| [Role-based access control](../prepare/windows-autopatch-role-based-access-control.md) | Use role-based access control in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) to manage who has access to your organization's resources and what they can do with those resources. |
 | [Update rings](../manage/windows-autopatch-update-rings.md) | You can manage Update rings for Windows 10 and later devices with Windows Autopatch. For more information, see [Manage Update rings](../manage/windows-autopatch-update-rings.md). |
 | [Autopatch groups](../deploy/windows-autopatch-groups-overview.md) | You can manage update deployment based on your audience.

An Autopatch group is a logical container or unit that groups several [Microsoft Entra groups](/entra/fundamentals/groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).

For more information about workloads supported by Autopatch groups, see [Software update workloads](../deploy/windows-autopatch-groups-overview.md#software-update-workloads).

| | [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) | With Windows Autopatch, you can manage Windows quality update profiles for Windows 10 and later devices. You can expedite a specific Windows quality update using targeted policies. Windows Autopatch:
  • Aims to keep at least 95% of [Up to Date devices](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. For more information, see [Windows quality update Service Level Objective](../manage/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
|
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
index 7a2f526a80..0042d35d3f 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
@@ -8,7 +8,7 @@ ms.topic: concept-article
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: hathind
 ms.collection:
 - highpri
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index f1b9194cc1..c3ad416595 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -8,7 +8,7 @@ ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: hathind
 ms.collection:
 - tier2
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index e8847397bb..83af9ee276 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -8,7 +8,7 @@ ms.topic: concept-article
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: hathind
 ms.collection:
 - highpri
@@ -107,23 +107,4 @@ The following Windows editions, build version, and architecture **applies if you
 
 ## Required Intune permissions
 
-Your account must be assigned an [Intune role-based access control](/mem/intune/fundamentals/role-based-access-control) (RBAC) role that includes the following permissions:
-
-- **Device configurations**:
- - Assign
- - Create
- - Delete
- - View Reports
- - Update
-- Read
-
-You can add the *Device configurations* permission with one or more rights to your own custom RBAC roles or use one of the built-in **Policy and Profile manager** roles, which include these rights. For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). The Intune Service Administrator role is required to access and use all capabilities under:
-
- - Tenant administration > Windows Autopatch
- - Devices > Manage updates > Windows updates
- - [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report)
-
-The **Intune Service Administrator** role is required to register devices, manage your update deployments, and reporting tasks.
-
-> [!TIP]
-> For more information, see [assign an owner of member of a group in Microsoft Entra ID](/entra/id-governance/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).
+For more information on roles and permissions, see [Role-based access control](../prepare/windows-autopatch-role-based-access-control.md) in Windows Autopatch.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-role-based-access-control.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-role-based-access-control.md
new file mode 100644
index 0000000000..c1954e0537
--- /dev/null
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-role-based-access-control.md 
@@ -0,0 +1,183 @@
+---
+title: Role-based access control
+description: This article provides an overview on role-based access control in Windows Autopatch
+ms.date: 05/27/2025
+ms.service: windows-client
+ms.subservice: autopatch
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: bpardi
+ms.reviewer: andredm7
+ms.collection:
+ - highpri
+ - tier1
+---
+
+# Role-based access control
+
+Use role-based access control in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) to manage who has access to your organization's resources and what they can do with those resources.
+
+## Built-in roles
+
+Windows Autopatch enables role-based access control to use the least privileged access to distribute and delegate Windows Update management in Microsoft Intune.
+
+> [!IMPORTANT]
+> To successfully manage Windows Autopatch as a lower privilege role, the user must have both Autopatch Admin permissions and Policy and Profile admin permissions.
+
+The permissions defined in Windows Autopatch administrator or Windows Autopatch reader roles are used to manage Autopatch groups, support requests, Autopatch messages, and Autopatch reports.
+
+To manage update policies and Windows Update reports, Device Configuration permission is **required**. This permission is available in built-in roles such as the Policy and Profile Manager roles.
+
+### Policy and Profile Manager roles
+
+Policy and Profile Manager roles include device configuration permissions for managing Intune policies including the following Update policies:
+
+- Update rings
+- Quality updates
+- Feature updates
+- Driver updates
+
+### Windows Autopatch Administrator
+
+The Windows Autopatch Administrator role manages all aspects of Windows Autopatch:
+
+- [Autopatch groups](../deploy/windows-autopatch-groups-overview.md)
+- [Autopatch reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md)
+ - Quality and feature update status and trending reports
+- [Support requests and messages](../manage/windows-autopatch-support-request.md)
+
+### Windows Autopatch Reader
+
+Windows Autopatch Reader can view Windows Autopatch data available in Microsoft Intune but can't make changes.
+
+### Update policy roles
+
+To manage Windows quality update, update rings, Windows feature update, driver update, Microsoft 365 Apps, and Microsoft Edge policies the user must have full [Device Configuration permissions](/intune/intune-service/fundamentals/role-based-access-control-reference#policy-and-profile-manager). The following table is the full list of update management roles:
+
+| Intune role | Update policies |
+| --- | --- |
+| Policy & Profile Manager | Read/Write |
+| Helpdesk Operator | Read |
+| Read-only Operator | Read |
+| Autopatch Administrator | No permission |
+| Autopatch Reader | No permission |
+
+To successfully manage Windows Autopatch as a lower privilege role, the user must have both Autopatch Admin permissions and the Policy and Profile admin permissions.
+
+### Microsoft Entra roles
+
+The following Microsoft Entra roles can access Windows Autopatch features via the Microsoft Intune portal.
+ +| Microsoft Entra role | All Windows Autopatch data | Tenant Administration > Windows Autopatch | +| --- | --- | --- | +| Global Administrator | Read/Write | Read/Write | +| Intune Service Administrator | Read/Write | Read/Write | +| Global Reader | Read | Read | +| Service Support Administrator | No permission | Read

Tenant Administration/Windows Autopatch/All

| +| Security Admin | No permission | Read

Tenant Administration/Windows Autopatch/All

| +| Security Reader | No permission | Read

Tenant Administration/Windows Autopatch/All

| +| Billing Administrator | No permission | Read

Tenant Administration/Windows Autopatch/All

| +| Helpdesk Administrator | No permission | Read

Tenant Administration/Windows Autopatch/All

|
+### Custom roles
+
+You can create two custom roles that include permissions required for a specific job role.
+
+To achieve all-up update management, make sure that the groups assigned to the Autopatch custom role are also a member of the [Policy & Profile Manager role](#policy-and-profile-manager-roles) or a custom role with equivalent permissions.
+
+Navigate to **Tenant Administration** > **Roles** > **Create Custom role** > **Windows Autopatch** to create a custom role.
+
+| Permission | Description |
+| --- | --- |
+| Role Assignments/Create | Create an Autopatch role for operations that are performed on Autopatch resources. |
+| Role Assignments/Update | Update role for Autopatch, where Edit operations are performed on Autopatch resources. |
+| Role Assignments/Delete | Delete role for Autopatch, where delete operations are performed on Autopatch resources. |
+| Roles/Read | View permissions, role definitions, and role assignments for Autopatch role. View operation or actions are performed on Autopatch resources. |
+| Autopatch Groups/Read | Read Autopatch groups and its properties. |
+| Autopatch Groups/Create | Create Autopatch groups, add group assignments, and configure release settings. |
+| Autopatch Groups/Edit | Edit Autopatch groups, modify release settings, and manage group assignments. |
+| Autopatch Groups/Delete | Delete Autopatch groups. |
+| Reports/Read | Read and export Autopatch quality and feature update reports. |
+| Reports/DiscoverDevices | Allows Device report action to discover devices. |
+| Reports/AssignRing | Allows Device ring assignment to Autopatch groups. |
+| Reports/ExcludeDevices | Perform exclude devices action on the Device reports. |
+| Reports/RestoreExcludedDevices | Perform Restore action on the Device reports. |
+| Support requests/Read | Read existing Autopatch support requests and responses. |
+| Messages/Read | Read published Autopatch and Service Health Dashboard messages.
|
+### Scopes
+
+Windows Autopatch supports Intune scope tags and scoped groups to be used for distributed update management. Use Microsoft Intune to create and manage scope tags.
+
+- Windows Autopatch supports Intune scope for Autopatch groups, Autopatch role assignments, update policies, and reports.
+- Autopatch messages, support, and Admin contacts don't support scopes.
+- Autopatch groups created by scoped admins are assigned to the same scope tags as the user.
+- Only scoped admins, with the same scope tags assigned to them, can edit and manage Autopatch groups.
+- When you create Autopatch groups and assign scope tags, the update policies created inherit the same scope tags.
+- The devices assigned to Autopatch groups don't inherit the Autopatch group scope tags. Use Intune to assign scope tag to devices.
+
+## Permissions for Autopatch groups
+
+Autopatch groups create Microsoft Entra groups and update policies and assign the policies to the group as part of its workflow. To successfully complete the workflow, both permissions are **required**. The option to create Autopatch groups is only available when the user has both the permissions enabled.
+
+1. Device Configuration, **all** permissions
+2. Windows Autopatch group, **all** permissions
+
+Windows Autopatch groups that are assigned scoped tags are only visible to users with those exact scope tags. This ensures the IT admin can manage the ring-based rollouts using Autopatch groups and aren't affected by scope discrepancies.
+
+> [!NOTE]
+> The Autopatch group workflow creates deployment rings and assigns update policies to them. If the Autopatch role includes All devices in scope, the policy administration role must have [All devices and All Users](/intune/intune-service/fundamentals/role-based-access-control#role-assignments) in its scope.

Lack of Microsoft Entra permissions can prevent the logged-in user from creating Groups. The user must have sufficient permission to create Groups. For more information, see [How to set up self-service group management](/entra/identity/users/groups-self-service-management#make-a-group-available-for-user-self-service) or [Create Groups permissions](/entra/identity/role-based-access-control/custom-group-permissions#create-groups).

+
+When the user is assigned scoped groups, they can only assign scoped groups for distribution into deployment rings.
+
+## Scoped admins and Autopatch groups
+
+In Intune scoped admins, only an admin user that is assigned specific scope tags and Scoped Groups, can assign policies only to Scoped Groups.
+
+> [!NOTE]
+> Intune administrators or update administrators with All devices and All users scopes can't see the Pending assignment workflow; this only affects roles that have scopes assigned through specific Scoped Groups.
+
+### Scoped admins and Autopatch group workflow
+
+As part of the Autopatch group creation workflow, Windows Autopatch creates Microsoft Entra groups and update policies for the selected deployment settings. To assign the update policies to the newly created deployment rings, you must include the Autopatch group as a Scoped Group in the role that contains [Device Configuration permissions](/intune/intune-service/fundamentals/role-based-access-control-reference#policy-and-profile-manager).
+
+> [!NOTE]
+> An Intune administrator or a Role Administrator must assign the newly created Windows Autopatch group as a scoped group before the Autopatch group can be used by the scoped Admin.

Once the Autopatch group, in **Pending Assignment** status, is added as a scoped group, the scoped admin can assign the update policies the Autopatch group becomes **Active**.

+
+The following table explains the high-level workflow:
+
+| Step | Description | Who |
+| --- | --- | --- |
+| Step 1: Create an Autopatch group | Create an Autopatch group. Autopatch groups register devices with the Windows Autopatch service when you either [create](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group).

The Autopatch group, deployment rings, and the update policies are created.

You can view the [update policies](/intune/intune-service/protect/windows-10-update-rings) under Windows updates.

| Scoped admin |
+| Step 2: Contact your Intune Administrator or Role administrator to assign the Autopatch parent group as a Scoped Group for your role | Include the following information:
  • The name of the Autopatch parent group. Select the **Pending Assignment** status flyout to find the name.
  • Your Intune role that has Device Configuration permissions for update management
| Scoped admin |
+| Step 3: Assign the Autopatch parent group as the Scoped Group for the role with Device Configuration permission | Add the Autopatch parent as the Scoped Group using [Assign scoped group](/intune/intune-service/fundamentals/scope-tags#to-assign-a-scope-tag-to-a-ro). | Intune Administrator or Intune Role Administrator |
+| Step 4: Complete the policy assignments so Autopatch groups are ready for use | Select **Complete group assignments** if the Autopatch group remains in Pending assignment status, and the Assign scoped group step isn't yet complete.

Once the policy assignment is successful, the Autopatch group is set to **Active** and ready for use.

The Scoped group assignment might not be immediately available. It might take up to 10 minutes to take effect.

| Scoped admin |
+
+### Assign scope tags to Autopatch groups
+
+> [!NOTE]
+> If you're assigning scope tags to existing Autopatch groups, the scope admin must be included as a Scoped Group in their role with [Device Configuration permissions](/intune/intune-service/fundamentals/role-based-access-control-reference#policy-and-profile-manager) to manage the Autopatch group.

Windows Autopatch creates a parent group that nests the Autopatch group and deployment rings which can be added as the Scoped Group. You can find the parent group name in the Autopatch group properties.

+
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), navigate to **Tenant Administration** > **Autopatch groups** > **select a group**. All rings and policies of the Autopatch group have the same scope.
+1. In the **Add group to ring** option, select the Microsoft Entra groups to be assigned to the Autopatch group. Only groups with scope objects are available for selection.
+1. Navigate to **Properties** > **Scope (Tags)** > **Edit** > **Select scope tags** > select the tags that you want to add to the profile. You can assign a **maximum of 100 scope tags** to an object.
+ 1. The **Scope Group** section is displayed when the service detects Autopatch groups that are created before role-based access controls. This indicates that a Microsoft Entra group is created, which can be added as a Scoped Group. A scoped admin can manage this Autopatch group if included in their scope.
+ 2. Follow the steps in the [Scoped admins and Autopatch group workflow](#scoped-admins-and-autopatch-group-workflow) section to assign scoped groups.
+1. Select **Review + save**.
+
+## Known issues
+
+Windows 365 Enterprise gives IT admins the option to [register devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md#windows-autopatch-on-windows-365-enterprise-workloads) as part of the Windows 365 provisioning policy creation. You must be an Intune Service administrator to complete this action.
+
+### General troubleshooting
+
+| Scenario | Message | Cause | Solution |
+| --- | --- | --- | --- |
+| You receive an error message when you try to [create](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), [edit](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group), or [delete an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#delete-an-autopatch-group). | You don't have sufficient permission to modify this Autopatch group.
You can only modify Autopatch groups that match your assigned scope. This Autopatch group has additional assigned Scope tags that don't match your role assignment.

Or

The Autopatch group submission failed, and the logged in user has scope tags assigned.

| The problem occurs when you edit an Autopatch group, and the service detected a mismatch in your scope tags. | Verify the scope tags assigned to the Autopatch group and Policy assignment role. The Policy assignment role might have more scope tags but must include **all** the scope tags assigned to the Autopatch group. |
+| You receive an error message when you choose a device and the *Assign ring device* action in the [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). | You don't have sufficient permission, or the scope required to assign devices. | The problem occurs when Autopatch is unable to populate the Autopatch group list, because of a mismatch in scope tags. | Verify the scope tags for the Autopatch groups and your role. Ensure they share at least **one** scope tag. |
+| You receive an error message when you choose a device and the *Assign ring device* action in the [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). | You don't have sufficient Autopatch group permission to complete this action. The minimum of Autopatch Group Read permission is required. | To move devices between Autopatch deployment rings, you need permission to read Autopatch groups. | Ensure your role includes **Autopatch Group/Read permission**. Navigate to Tenant Administration > Roles > My permission. |
+| You receive an error message when you select a device in the [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). | Access Denied | You don't have the Intune permission to view the properties of the device. | Ensure your role includes **Managed devices/Read permission**. Navigate to Tenant Administration > Roles > My permission. |
+| You can only see the **Releases**, **Update rings**, and **Monitor** tabs when logged in as a delegated Windows Autopatch administrator.
| | You don't have all the required permission to view Windows Update. | Ensure your role includes **Organization/Read permission**. Navigate to Tenant Administration > Roles > My permission. |
+| You receive an error message when you try to edit a preexisting Autopatch group that was newly assigned a scope tag. You successfully added the parent scope group into the Policy assignment role. | You don't have sufficient permission to modify this Autopatch group. You can only modify Autopatch groups that match your assigned scope. This Autopatch group has additional assigned Scope tags that don't match your role assignment. | The issue occurs when the service detects that the logged in user "Assigned Entra Group" isn't in the scoped group for the Autopatch admin role. This happens with preexisting Autopatch groups. | Add the Assigned Entra group as the scoped group to the Autopatch admin role. |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-start-using-autopatch.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-start-using-autopatch.md
index 78381a1502..bddd8a49f6 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-start-using-autopatch.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-start-using-autopatch.md
@@ -8,7 +8,7 @@ ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: hathind
 ms.collection:
 - highpri
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
index 176db43f91..28b73303b8 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
@@ -8,7 +8,7 @@ ms.topic: concept-article
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: adnich
 ms.collection:
 - highpri
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
index d18412ab3c..b3c834dda4 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
@@ -8,7 +8,7 @@ ms.topic: legal
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 msreviewer: hathind
 ---
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
index fbf6ff1953..3fa0801a4f 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
@@ -8,7 +8,7 @@ ms.topic: whats-new
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: hathind
 ---
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 7a603bbfc4..864befa507 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -8,7 +8,7 @@ ms.topic: whats-new
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: hathind
 ms.collection:
 - highpri
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
index 1133d289ab..14a5cb4361 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
@@ -8,7 +8,7 @@ ms.topic: whats-new
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: hathind
 ms.collection:
 - highpri
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md
index 4754455eb7..8c95c4a13f 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md
@@ -1,14 +1,14 @@
 ---
 title: What's new 2025
 description: This article lists the 2025 feature releases and any corresponding Message center post numbers.
-ms.date: 04/11/2025
+ms.date: 05/27/2025
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: whats-new
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: aaroncz
+manager: bpardi
 ms.reviewer: hathind
 ms.collection:
 - highpri
@@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with Minor corrections such as typos, style, or formatting issues aren't listed. +## May 2025 + +### May feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Role-based access control](../prepare/windows-autopatch-role-based-access-control.md) | Added [Role-based access control](../prepare/windows-autopatch-role-based-access-control.md) article. Other articles updated with this feature:
  • Register devices > added note to [Autopatch group membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report) section
  • Manage Autopatch groups > added Scope tag steps to [Create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) and [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group) sections
  • Windows feature update overview > added Assignment error definition to [Release](../manage/windows-autopatch-windows-feature-update-overview.md#release-statuses) and [Phase statuses](../manage/windows-autopatch-windows-feature-update-overview.md#phase-statuses) sections
  • Windows quality and feature update reports overview > added [Permissions and scope to view reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#permissions-and-scope-to-view-reports) section
|
+
 ## April 2025
 ### April feature releases or updates
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index 22734dbc08..3ab4371a1e 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -1,7 +1,7 @@
 ---
 title: Windows deployment scenarios and tools
 description: Learn about the tools that can be used to deploy Windows and related applications to your organization. Explore deployment scenarios.
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 author: frankroj
 ms.service: windows-client
@@ -87,7 +87,7 @@ By default USMT migrates many settings, most of which are related to the user pr
 - The following specific file types: `.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*`
-
+
 > [!NOTE]
 >
 > - The asterisk (`*`) stands for zero or more characters.
diff --git a/windows/deployment/windows-deployment-scenarios.md b/windows/deployment/windows-deployment-scenarios.md
index faec964678..2534797dcd 100644
--- a/windows/deployment/windows-deployment-scenarios.md
+++ b/windows/deployment/windows-deployment-scenarios.md
@@ -1,7 +1,7 @@
 ---
 title: Windows deployment scenarios
 description: Understand the different ways Windows operating system can be deployed in an organization. Explore several Windows deployment scenarios.
-manager: aaroncz
+manager: bpardi
 ms.author: frankroj
 author: frankroj
 ms.service: windows-client
diff --git a/windows/deployment/windows-missing-fonts.md b/windows/deployment/windows-missing-fonts.md
index 11091fa358..57e303cb72 100644
--- a/windows/deployment/windows-missing-fonts.md
+++ b/windows/deployment/windows-missing-fonts.md
@@ -5,7 +5,7 @@ ms.service: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.author: frankroj
-manager: aaroncz
+manager: bpardi
 ms.topic: how-to
 ms.date: 02/27/2025
 ms.subservice: itpro-deploy
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index a20075e2cf..c235a498e4 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -12,9 +12,9 @@ metadata:
 ms.collection:
 - tier1
 - essentials-navigation
- author: aczechowski
- ms.author: aaroncz
- manager: aaroncz
+ author: blokpardi
+ ms.author: bpardi
+ manager: bpardi
 ms.date: 10/01/2024
 highlightedContent:
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index d2e845de5d..e53371cea5 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -7,8 +7,9 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dansimp
-ms.date: 10/01/2024
+ms.date: 05/23/2025
 ms.topic: reference
+hideEdit: true
 ms.collection:
 - privacy-windows
 - must-keep
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index e367317ea5..03826eaa26 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -1,14 +1,15 @@
 ---
 description: Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization.
-title: Configure Windows diagnostic data in your organization (Windows 10 and Windows 11)
+title: Configure Windows diagnostic data in your organization
 ms.service: windows-client
 ms.subservice: itpro-privacy
 ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: dansimp
-ms.date: 03/11/2016
+ms.date: 05/30/2025
 ms.topic: how-to
+hideEdit: true
 ms.collection:
 - privacy-windows
 - must-keep
@@ -26,7 +27,7 @@ ms.collection:
 - Windows 10 Professional
 - Windows Server 2016 and later
 - Surface Hub
-- Hololens
+- HoloLens
 This article describes the types of Windows diagnostic data sent back to Microsoft and the ways you can manage it within your organization. Microsoft uses the data to quickly identify and address issues affecting its customers.
@@ -34,7 +35,7 @@ This article describes the types of Windows diagnostic data sent back to Microso
 Microsoft collects Windows diagnostic data to solve problems and to keep Windows up to date, secure, and operating properly. It also helps us improve Windows and related Microsoft products and services and, for customers who have turned on the **Tailored experiences** setting, to provide more relevant tips and recommendations to enhance Microsoft and third-party products and services for each customer’s needs.
-For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
+For more information about how Windows diagnostic data is used, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/28808a2b-a31b-dd73-dcd3-4559a5199319).
 ### Diagnostic data gives users a voice
@@ -48,13 +49,13 @@ For example, in an earlier version of Windows there was a version of a video dri
 ### _Improve end-user productivity_
-Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.
+Windows diagnostic data also helps Microsoft better understand how customers use (or don't use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.
 - **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
 - **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
-- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between apps. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
+- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between apps. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they didn't know about it previously. Based on this, we created the Task View button in Windows to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
 ## How Microsoft handles diagnostic data
@@ -72,7 +73,7 @@ Depending on the diagnostic data settings on the device, diagnostic data can be
 Later in this document we provide further details about how to control what’s collected and what data can be included in these different types of diagnostic data.
-As of March 6, 2024, Microsoft Edge diagnostic data is collected separately from Windows diagnostic data on Windows 10 (version 22H2 and newer) and Windows 11 (version 23H2 and newer) devices in the European Economic Area. The collection of Microsoft Edge diagnostic data is subject to its own settings. For more information related to this change, see [Microsoft Edge, browsing data, and privacy](https://support.microsoft.com/windows/bb8174ba-9d73-dcf2-9b4a-c582b4e640dd).
+As of March 6, 2024, Microsoft Edge diagnostic data is collected separately from Windows diagnostic data on Windows 10 (version 22H2 and newer) and Windows 11 (version 23H2 and newer) devices in the European Economic Area. The collection of Microsoft Edge diagnostic data is subject to its own settings. For more information related to this change, see [Microsoft Edge, browsing data, and privacy](https://support.microsoft.com/microsoft-edge/bb8174ba-9d73-dcf2-9b4a-c582b4e640dd).
 ### Data transmission
@@ -86,9 +87,9 @@ The following table lists the endpoints related to how you can manage the collec
 | - | - |
 |Connected User Experiences and Telemetry | v10.events.data.microsoft.com

v10c.events.data.microsoft.com

v10.vortex-win.data.microsoft.com | | [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com

umwatsonc.events.data.microsoft.com

*-umwatsonc.events.data.microsoft.com

ceuswatcab01.blob.core.windows.net

ceuswatcab02.blob.core.windows.net

eaus2watcab01.blob.core.windows.net

eaus2watcab02.blob.core.windows.net

weus2watcab01.blob.core.windows.net

weus2watcab02.blob.core.windows.net |
-|Authentication | login.live.com



IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.|
+|Authentication | login.live.com



IMPORTANT: This endpoint is used for device authentication. We don't recommend disabling this endpoint.|
 | [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com

oca.microsoft.com

kmwatsonc.events.data.microsoft.com

*-kmwatsonc.events.data.microsoft.com |
-|Settings | settings-win.data.microsoft.com



IMPORTANT: This endpoint is required to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft, or to enroll a device in the Windows diagnostic data processor configuration. Do not block access to this endpoint. This endpoint does not upload Windows diagnostic data. |
+|Settings | settings-win.data.microsoft.com



IMPORTANT: This endpoint is required to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft, or to enroll a device in the Windows diagnostic data processor configuration. Don't block access to this endpoint. This endpoint doesn't upload Windows diagnostic data. |
 ### Proxy server authentication
@@ -109,7 +110,7 @@ Configure devices to use the signed-in user's context for proxy authentication.
 - Make sure that the users have proxy permission to reach the diagnostic data endpoints. This option requires that the devices have console users with proxy permissions, so you can't use this method with headless devices.
 > [!IMPORTANT]
-> The user proxy authentication approach is incompatible with the use of Microsoft Defender for Endpoint. This behavior is because this authentication relies on the **DisableEnterpriseAuthProxy** registry key set to `0`, while Microsoft Defender for Endpoint requires it to be set to `1`. For more information, see [Configure machine proxy and internet connectivity settings in Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection).
+> The user proxy authentication approach is incompatible with the use of Microsoft Defender for Endpoint. This behavior is because this authentication relies on the **DisableEnterpriseAuthProxy** registry key set to `0`, while Microsoft Defender for Endpoint requires it to be set to `1`. For more information, see [Configure your devices to connect to the Defender for Endpoint service using a proxy](/defender-endpoint/configure-proxy-internet).
 #### Device proxy authentication
@@ -139,11 +140,11 @@ This approach is the most complex because it requires the following configuratio
 ### Data access
-The principle of least privileged access guides access to Windows diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://www.microsoft.com/privacy/privacystatement). Microsoft may share business reports with hardware manufacturers and third-party partners that include aggregated and deidentified diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+The principle of least privileged access guides access to Windows diagnostic data. Microsoft doesn't share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement). Microsoft may share business reports with hardware manufacturers and third-party partners that include aggregated and deidentified diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
 ### Retention
-Microsoft believes in and practices data minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. For more information on how long data is retained, see the section named **Our retention of personal data** in the [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement).
+Microsoft believes in and practices data minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis.
For more information on how long data is retained, see the section named **Our retention of personal data** in the [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainOurretentionofpersonaldatamodule).
 ## Diagnostic data settings
@@ -151,7 +152,7 @@ There are four diagnostic data collection settings. Each setting is described in
 - Diagnostic data off (Security)
 - Required diagnostic data (Basic)
-- Enhanced (This setting is only available on devices running Windows 10, Windows Server 2016, and Windows Server 2019.)
+- Enhanced (This setting is only available on devices running Windows 10 version 1809 and earlier, Windows Server 2016, and Windows Server 2019.)
 - Optional diagnostic data (Full)
 Here’s a summary of the types of data that is included with each setting:
@@ -172,13 +173,13 @@ This setting was previously labeled as **Security**. When you configure this set
 This was the default setting for Windows Server 2022 Datacenter: Azure Edition prior to December 13, 2022.
 >[!NOTE]
-> If your organization relies on Windows Update, the minimum recommended setting is **Required diagnostic data**. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
+> If your organization relies on Windows Update, the minimum recommended setting is **Required diagnostic data**. Because no Windows Update information is collected when diagnostic data is off, important information about update failures isn't sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
 ### Required diagnostic data
 Required diagnostic data, previously labeled as **Basic**, gathers a limited set of data that’s critical for understanding the device and its configuration. This data helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version.
-This is the default setting for current releases of Windows, Windows 10, version 1903. Beginning December 13, 2022, it is also the default setting for Windows Server 2022 Datacenter: Azure Edition.
+This is the default setting for Windows 10, version 1903 and later. Beginning December 13, 2022, it's also the default setting for Windows Server 2022 Datacenter: Azure Edition.
 Required diagnostic data includes:
@@ -208,10 +209,10 @@ Required diagnostic data includes:
 ### Enhanced diagnostic data
-In Windows 10 and Windows Server 2019, enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users.
+In Windows 10 (version 1809 and earlier) and Windows Server 2019, enhanced diagnostic data includes data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users.
 >[!Important]
->This diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. More information on these settings are available in the **Manage diagnostic data using Group Policy and MDM** section of this topic.
+>This diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. More information on these settings are available in the [Manage diagnostic data using Group Policy and MDM](#manage-diagnostic-data-using-group-policy-and-mdm) section of this article.
 When you choose to send enhanced diagnostic data, required diagnostic data will always be included, and we collect the following additional information:
@@ -245,7 +246,11 @@ Optional diagnostic data, previously labeled as **Full**, includes more detailed
 Use the steps in this section to configure the diagnostic data settings for Windows and Windows Server in your organization.
 >[!IMPORTANT]
->These diagnostic data settings only apply to components, features, and apps that are considered a part of the Windows operating system. Third-party apps and other Microsoft apps, such as Microsoft Office, that customers install may also collect and send diagnostic data using their own controls. You should work with your app vendors to understand their diagnostic data policy, and how you can opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Microsoft 365 Apps for enterprise](/deployoffice/privacy/overview-privacy-controls). If you would like to control Windows data collection that is not Windows diagnostic data, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+>- These diagnostic data settings only apply to components, features, and apps that are considered a part of the Windows operating system.
+>- Third-party apps and other Microsoft apps, such as Microsoft 365 Apps, that customers install may also collect and send diagnostic data using their own controls.
+>- You should work with your app vendors to understand their diagnostic data policy, and how you can opt in or opt out.
+>- For more information on how Microsoft 365 Apps uses diagnostic data, see [Overview of privacy controls for Microsoft 365 Apps for enterprise](/microsoft-365-apps/privacy/overview-privacy-controls).
+>- If you would like to control Windows data collection that isn't Windows diagnostic data, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
 You can configure your device's diagnostic data settings using the management tools you’re already using, such as Group Policy or MDM.
@@ -267,12 +272,12 @@ You can use Group Policy to set your organization’s diagnostic data setting:
 1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
-2. Double-click **Allow Telemetry** (or **Allow diagnostic data** on Windows 11 and Windows Server 2022).
+2. Double-click **Allow diagnostic data** (or **Allow telemetry** on Windows 10 version 1809 and earlier, and on Windows Server 2019).
 > [!NOTE]
 > If devices in your organization are running Windows 10, 1803 and later, the user can still use Settings to set the diagnostic data setting to a more restrictive value, unless the **Configure diagnostic data opt-in settings user interface** policy is set.
-3. In the **Options** box, choose the setting that you want to configure, and then click **OK**.
+3. In the **Options** box, choose the setting that you want to configure, and then select **OK**.
 ### Use Group Policy to manage optional diagnostic data collection
@@ -283,15 +288,15 @@ The following policy lets you limit the types of [crash dumps](/windows/win32/dx
 2. Double-click **Limit dump collection**.
-3. In the **Options** box, choose the setting that you want to configure, and then click **OK**.
+3. In the **Options** box, choose the setting that you want to configure, and then select **OK**.
-You can also limit the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft.
+You can also limit the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs aren't sent back to Microsoft.
 1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
 2. Double-click **Limit diagnostic log collection**.
-3. In the **Options** box, choose the setting that you want to configure, and then click **OK**.
+3. In the **Options** box, choose the setting that you want to configure, and then select **OK**.
 ### Use MDM to manage diagnostic data collection
@@ -315,10 +320,10 @@ The Windows diagnostic data processor configuration enables you to be the contro
 - Enterprise
 - Professional
 - Education
-- The device must be joined to Azure Active Directory (can be a hybrid Azure AD join).
+- The device must be joined to Microsoft Entra (can be a Microsoft Entra hybrid join).
 > [!NOTE]
-> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
+> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to a Microsoft Entra tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
 For the best experience, use the most current build of any operating system specified above. Configuration functionality and availability may vary on older systems. For release information, see [Windows 10 Enterprise and Education](/lifecycle/products/windows-10-enterprise-and-education) and [Windows 11 Enterprise and Education](/lifecycle/products/windows-11-enterprise-and-education) on the Microsoft Lifecycle Policy site.
@@ -339,24 +344,24 @@ Tenants with billing addresses in countries or regions in the Middle East and Af
 > [!NOTE]
 > The information in this section applies to the following versions of Windows:
-> - Windows 10, versions 20H2, 21H2, 22H2, and newer
-> - Windows 11, versions 21H2, 22H2, 23H2, and newer
+> - Windows 10, versions 20H2 and newer
+> - Windows 11, versions 21H2 and newer
-Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined.
+Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Microsoft Entra tenant to which your devices are joined.
-#### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA)
+#### Devices in Microsoft Entra tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA)
-For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe.
+For Windows devices with diagnostic data turned on and that are joined to an [Microsoft Entra tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe.
 From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data.
IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows).
-#### Devices in Azure AD tenants with a billing address outside of the EU and EFTA
+#### Devices in Microsoft Entra tenants with a billing address outside of the EU and EFTA
-For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data:
+For Windows devices with diagnostic data turned on and that are joined to an [Microsoft Entra tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data:
 - [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview)
 - [Windows Autopatch](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview)
-- [Windows updates reports (in Microsoft Intune)](/mem/intune/protect/data-enable-windows-data#windows-data)
+- [Windows updates reports (in Microsoft Intune)](/intune/intune-service/protect/data-enable-windows-data#windows-data)
 *(Additional licensing requirements may apply to use these services.)*
@@ -367,15 +372,15 @@ If you don’t sign up for any of these enterprise services, Microsoft will act > [!NOTE] > The information in this section applies to the following versions of Windows: > - Windows 10, versions 1809, 1903, 1909, and 2004. -> - Newer versions of Windows 10 and Windows 11 that have not updated yet to at least the January 2023 preview cumulative update. +> - Newer versions of Windows 10 and Windows 11 that haven't updated yet to at least the January 2023 preview cumulative update. To enable Windows diagnostic data processor configuration, you can use Group Policy or a custom setting in an MDM solution, such as Microsoft Intune. -- For Group Policy, you can use the “Allow commercial data pipeline” policy, which is also available in the Intune [settings catalog](/mem/intune/configuration/settings-catalog). +- For Group Policy, you can use the "Allow commercial data pipeline" policy, which is also available in the Intune [settings catalog](/intune/intune-service/configuration/settings-catalog). - For an MDM solution, you can use the AllowCommercialDataPipeline setting in the System Policy configuration service provider (CSP). -For more information about AllowCommercialDataPipeline and the “Allow commercial data pipeline” policy, [review this information](/windows/client-management/mdm/policy-csp-system#allowcommercialdatapipeline). +For more information about AllowCommercialDataPipeline and the "Allow commercial data pipeline" policy, [review this information](/windows/client-management/mdm/policy-csp-system#allowcommercialdatapipeline). ## Change privacy settings on a single server -You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](/azure-stack/hci/manage/change-privacy-settings). +You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. 
For more information, see [Change privacy settings on individual servers](/azure/azure-local/manage/change-privacy-settings).
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index a794a57c74..2ef8b38b94 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -1,5 +1,5 @@
---
-title: Diagnostic Data Viewer Overview (Windows 10 and Windows 11)
+title: Diagnostic Data Viewer overview
description: Use this article to use the Diagnostic Data Viewer application to review the diagnostic data sent to Microsoft by your device.
ms.service: windows-client
ms.subservice: itpro-privacy
@@ -7,175 +7,158 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dansimp -ms.date: 01/09/2018 +ms.date: 05/30/2025 ms.topic: how-to +hideEdit: true ms.collection: - privacy-windows - must-keep --- -# Diagnostic Data Viewer Overview +# Diagnostic Data Viewer overview **Applies to** - Windows 11, version 21H2 and later - Windows 10, version 1803 and later -## Introduction - The Diagnostic Data Viewer is a Windows app that lets you review the Windows diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft. -## Install and Use the Diagnostic Data Viewer +## Install the Diagnostic Data Viewer -You must download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic data. +You must download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic data. You can download the app from the [Microsoft Store Diagnostic Data Viewer](https://apps.microsoft.com/detail/9n8wtrrsq8f7) page. -### Turn on data viewing +> [!NOTE] +> It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell overview](diagnostic-data-viewer-powershell.md). -Before you can use this tool for viewing Windows diagnostic data, you must turn on data viewing in the **Settings** panel. Turning on data viewing lets Windows store your device's diagnostic data until you turn it off. Turning off data viewing stops Windows from collecting your diagnostic data and clears the existing diagnostic data from your device. Note that this setting does not affect your Office data viewing or history. +## Turn on data viewing -**To turn on data viewing** +Before you can use the app for viewing Windows diagnostic data, you must turn on data viewing in the **Settings** panel. 
Turning on data viewing lets Windows store your device's diagnostic data until you turn it off. Turning off data viewing stops Windows from collecting your diagnostic data and clears the existing diagnostic data from your device. This setting doesn't affect your data viewing or history for Microsoft 365 Apps or Microsoft Office. -1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. +>[!Important] +>Turning on data viewing can use up to 1 GB (by default) of disk space on your system drive. We strongly recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section later in this article. -2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. +To turn on data viewing, do the following steps: - ![Location to turn on data viewing.](images/ddv-data-viewing.png) +1. Go to **Start**, select **Settings** > **Privacy & security** > **Diagnostics & feedback**. -### Download the Diagnostic Data Viewer +2. Under **View diagnostic data**, turn on the **Turn on the Diagnostic Data Viewer** option. -Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. +## Start the Diagnostic Data Viewer -> [!Important] -> It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](./diagnostic-data-viewer-powershell.md). +To start the Diagnostic Data Viewer, do the following steps: -### Start the Diagnostic Data Viewer +1. Go to **Start**, select **Settings** > **Privacy & security** > **Diagnostics & feedback**. -You can start this app from the **Settings** panel. + (You can also go to **Start** and search for *Diagnostic Data Viewer*.) 
-**To start the Diagnostic Data Viewer** +2. Under **View diagnostic data**, select the **Open Diagnostic Data Viewer** button. -1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. +3. Close the Diagnostic Data Viewer. Use your device as you normally would for a few days. Then open the Diagnostic Data Viewer again to review the updated list of diagnostic data. -2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button. - - ![Location to turn on the Diagnostic Data Viewer.](images/ddv-settings-launch.png)

-OR-

- - Go to **Start** and search for _Diagnostic Data Viewer_. - -3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data. - - >[!Important] - >Turning on data viewing can use up to 1GB (by default) of disk space on your system drive. We strongly recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. - -### Use the Diagnostic Data Viewer +## Use the Diagnostic Data Viewer The Diagnostic Data Viewer provides you with the following features to view and filter your device's diagnostic data. -- **View your Windows diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. +### View your Windows diagnostic events - Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system. +In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. - >[!Important] - >Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time. +Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system. - ![View your diagnostic events.](images/ddv-event-view.jpg) +>[!NOTE] +>Seeing an event doesn't necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time. 
-- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. +![View your diagnostic events.](images/ddv-event-view.jpg) - Selecting an event opens the detailed JSON view, with the matching text highlighted. +### Search your diagnostic events -- **Filter your diagnostic event categories.** The app's **Menu** button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft. Selecting a check box lets you filter between the diagnostic event categories. +The **Search** box at the top of the screen lets you search among all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. -- **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. +Selecting an event opens the detailed JSON view, with the matching text highlighted. - To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). 
+### Filter your diagnostic event categories -- **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events. +The app's **Menu** button opens the detailed menu. In here, you can find a list of diagnostic event categories, which define how the events are used by Microsoft. Selecting a check box lets you filter between the diagnostic event categories. - Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**. +### Help to make your Windows experience better - >[!Important] - >All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments. +Microsoft only needs diagnostic data from a small number of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft collects the associated event diagnostic data, allowing your info to potentially help fix the issue for others. -- **View a summary of the data you've shared with us over time.** Available for users on build 19H1+, 'About my data' in Diagnostic Data Viewer lets you see an overview of the Windows data you've shared with Microsoft. +To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). 
- Through this feature, you can checkout how much data you send on average each day, the breakdown of your data by category, the top components and services that have sent data, and more. +### Provide event feedback - >[!Important] - >This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer. +The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events. - ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer.](images/ddv-analytics.png) +Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**. -## View Office Diagnostic Data +>[!IMPORTANT] +>All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments. -By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830). +### View a summary of the data you've shared with us over time + +The **About your data** in the Diagnostic Data Viewer lets you see an overview of the Windows data you've shared with Microsoft. + +Through this feature, you can see how much data you send on average each day, the breakdown of your data by category, the top components and services that have sent data, and more. + +>[!NOTE] +>This content is a reflection of the history of Windows data that the app has stored. If you'd like to have extended analyses, modify the storage capacity of the Diagnostic Data Viewer. 
+ +![Screenshot of the "About my data" page in the Diagnostic Data Viewer.](images/ddv-analytics.png) + +## View Microsoft 365 Apps or Microsoft Office diagnostic data + +By default, the Diagnostic Data Viewer shows you Windows data. You can also view Microsoft 365 Apps or Microsoft Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Microsoft 365 Apps or Microsoft Office diagnostic data, see [Using the Diagnostic Data Viewer with Office](https://support.microsoft.com/office/cf761ce9-d805-4c60-a339-4e07f3182855). ## Turn off data viewing -When you're done reviewing your diagnostic data, you should turn of data viewing. This will also remove your Windows data history. Note that this setting does not affect your Office data viewing or history. +When you're done reviewing your diagnostic data, you should turn off data viewing. This also removes your Windows data history. This setting doesn't affect your data viewing or history for Microsoft 365 Apps or Microsoft Office. -**To turn off data viewing** +To turn off data viewing, do the following steps: -1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. +1. Go to **Start**, select **Settings** > **Privacy & security** > **Diagnostics & feedback**. -2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. - - ![Location to turn off data viewing.](images/ddv-settings-off.png) +2. Under **View diagnostic data**, turn off the **Turn on the Diagnostic Data Viewer** option. ## Modifying the size of your data history -By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. 
+By default, the Diagnostic Data Viewer shows you up to 1 GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. > [!Important] -> Note that if you have [Office diagnostic data viewing enabled](#view-office-diagnostic-data), the Office data history is fixed at 1 GB and cannot be modified. +> If you have [diagnostic data viewing enabled](#view-microsoft-365-apps-or-microsoft-office-diagnostic-data) for Microsoft 365 Apps or Microsoft Office, their data history is fixed at 1 GB and cannot be modified. **Modify the size of your data history** -To make changes to the size of your Windows diagnostic data history, visit the **app settings**, located at the bottom of the navigation menu. Data will be incrementally dropped with the oldest data points first once your chosen size or time limit is reached. +To make changes to the size of your Windows diagnostic data history, visit the **app settings**, located at the bottom of the navigation menu. Data is incrementally dropped with the oldest data points first once your chosen size or time limit is reached. > [!Important] > Decreasing the maximum amount of diagnostic data viewable through the tool will remove all data history and requires a reboot of your device. Additionally, increasing the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine. -## View additional diagnostic data in the View problem reports tool +## View additional diagnostic data in the "View problem reports" tool -Available on Windows 10 1809 and higher and Windows 11, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer. 
+Available on Windows 10 (version 1809 and higher) and on Windows 11, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer. -This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. -We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system. +This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system. -You can also use the Windows Error Reporting tool available in the Control Panel. +You can also use the Windows Error Reporting tool available in the Control Panel. -**To view your Windows Error Reporting diagnostic data using the Diagnostic Data Viewer** +### To view your Windows Error Reporting diagnostic data using the Diagnostic Data Viewer -Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer. +On Windows 10 (version 1809 and higher) and on Windows 11, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer. 
-![Starting with Windows 1809 and higher and Windows 11, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.](images/ddv-problem-reports.png) +![Screenshot of the "Problem reports" section of the Diagnostic Data Viewer.](images/ddv-problem-reports.png) -**To view your Windows Error Reporting diagnostic data using the Control Panel** +### To view your Windows Error Reporting diagnostic data using the Control Panel + +To use the Windows Error Reporting tool in the Control Panel, you can do either of the following steps: + +- Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**. +- Go to **Start** and search for *Problem Reports*. -Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.

-OR-

-Go to **Start** and search for _Problem Reports_. The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft. -![View problem reports tool with report statuses.](images/control-panel-problem-reports-screen.png) - -## Known Issues with Diagnostic Data Viewer - -### Microsoft Edge diagnostic data appearing as a blob of text - -**Applicable to:** The new Microsoft Edge (v. 79.x.x.x or higher) - -**Issue:** In some cases, diagnostic data collected and sent from the New Microsoft Edge fails to be translated by the decoder. When decoding fails, the data appears as a blob of text in the Diagnostic Data Viewer. We are working on a fix for this issue. - -**Workaround:** - -- Restart your computer and open Diagnostic Data Viewer. - -*OR* - -- Restart the *DiagTrack* service, through the Services tab in task manager, and open Diagnostic Data Viewer. - -**Background:** Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers (protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data will appear as a blob of encoded text. +![Screenshot of the "Review problem reports" tool in Control Panel.](images/control-panel-problem-reports-screen.png) > [!IMPORTANT] > To inquire about Windows data access or interoperability related to the Digital Markets Act (DMA), [submit this form](https://go.microsoft.com/fwlink/p/?linkid=2271128). diff --git a/windows/privacy/diagnostic-data-viewer-powershell.md b/windows/privacy/diagnostic-data-viewer-powershell.md index 54ed628d22..e108be2379 100644 --- a/windows/privacy/diagnostic-data-viewer-powershell.md 
+++ b/windows/privacy/diagnostic-data-viewer-powershell.md
@@ -1,5 +1,5 @@
---
-title: Diagnostic Data Viewer for PowerShell Overview (Windows 10)
+title: Diagnostic Data Viewer for PowerShell overview
description: Use this article to use the Diagnostic Data Viewer for PowerShell to review the diagnostic data sent to Microsoft by your device.
ms.service: windows-client
ms.subservice: itpro-privacy
@@ -7,64 +7,68 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dansimp -ms.date: 12/13/2018 +ms.date: 05/30/2025 ms.topic: how-to +hideEdit: true ms.collection: - privacy-windows - must-keep --- -# Diagnostic Data Viewer for PowerShell Overview +# Diagnostic Data Viewer for PowerShell overview **Applies to** -- Windows 11, version 21H2 and later -- Windows 10, version 1803 and later -- Windows Server, version 1803 -- Windows Server 2019 +- Windows 11, version 21H2 and later +- Windows 10, version 1803 and later +- Windows Server, version 1803 +- Windows Server 2019 -## Introduction The Diagnostic Data Viewer for PowerShell is a PowerShell module that lets you review the diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft. -## Requirements +> [!NOTE] +> You must have administrative privilege on the device in order to use this PowerShell module. -You must have administrative privilege on the device in order to use this PowerShell module. This module requires OS version 1803 and higher. +## Install the Diagnostic Data Viewer for PowerShell -## Install and Use the Diagnostic Data Viewer for PowerShell +You must install the module before you can use the Diagnostic Data Viewer for PowerShell. -You must install the module before you can use the Diagnostic Data Viewer for PowerShell. +### Open an elevated PowerShell session -### Opening an Elevated PowerShell session - -Using the Diagnostic Data Viewer for PowerShell requires administrative (elevated) privilege. There are two ways to open an elevated PowerShell prompt. You can use either method. +Using the Diagnostic Data Viewer for PowerShell requires administrative (elevated) privilege. There are two ways to open an elevated PowerShell prompt. You can use either method. 
- Go to **Start** > **Windows PowerShell** > **Run as administrator** - Go to **Start** > **Command prompt** > **Run as administrator**, and run the command `C:\> powershell.exe` ### Install the Diagnostic Data Viewer for PowerShell - >[!IMPORTANT] - >It is recommended to visit the documentation on [Getting Started](/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. +>[!TIP] +>For more information on installing a PowerShell module, see [Getting Started with the PowerShell Galley](/powershell/gallery/getting-started). -To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session: +To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session: ```powershell PS C:\> Install-Module -Name Microsoft.DiagnosticDataViewer ``` -To see more information about the module, visit [PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer). +For more information about the module, go to the [Microsoft.DiagnosticDataViewer](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer) page in the PowerShell Gallery. ### Turn on data viewing -Before you can use this tool, you must turn on data viewing. Turning on data viewing enables Windows to store a local history of your device's diagnostic data for you to view until you turn it off. -Note that this setting does not control whether your device sends diagnostic data. Instead, it controls whether your Windows device saves a local copy of the diagnostic data sent for your viewing. +Before you can use this tool, you must turn on data viewing. Turning on data viewing enables Windows to store a local history of your device's diagnostic data for you to view until you turn it off. -**To turn on data viewing through the Settings page** -1. 
Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. +This setting doesn't control whether your device sends diagnostic data. Instead, it controls whether your Windows device saves a local copy of the diagnostic data sent for your viewing. -2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. +Once data viewing is enabled, your device begins saving a history of diagnostic data that is sent to Microsoft from this point on. - ![Location to turn on data viewing.](images/ddv-data-viewing.png) +>[!IMPORTANT] +>Turning on data viewing can use up to 1 GB (default setting) of disk space on your system drive. We recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section later in this article. -**To turn on data viewing through PowerShell** +#### To turn on data viewing through the Settings page + +1. Go to **Start**, select **Settings** > **Privacy & security** > **Diagnostics & feedback**. + +2. Under **View diagnostic data**, turn on the **Turn on the Diagnostic Data Viewer** option. + +#### To turn on data viewing through PowerShell Run the following command within an elevated PowerShell session: 
@@ -72,69 +76,76 @@ Run the following command within an elevated PowerShell session: PS C:\> Enable-DiagnosticDataViewing ``` -Once data viewing is enabled, your Windows machine will begin saving a history of diagnostic data that is sent to Microsoft from this point on. +## Get started with using the Diagnostic Data Viewer for PowerShell - >[!IMPORTANT] - >Turning on data viewing can use up to 1GB (default setting) of disk space on your system drive. We recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. - - -### Getting Started with Diagnostic Data Viewer for PowerShell -To see how to use the cmdlet, the parameters it accepts, and examples, run the following command from an elevated PowerShell session: +To see how to use the cmdlet, the parameters it accepts, and examples, run the following command from an elevated PowerShell session: ```powershell PS C:\> Get-Help Get-DiagnosticData ``` -**To Start Viewing Diagnostic Data** - -From an elevated PowerShell session, run the following command: +To start viewing Diagnostic Data, from an elevated PowerShell session, run the following command: ```powershell PS C:\> Get-DiagnosticData ``` -If the number of events is large, and you'd like to stop the command, enter `Ctrl+C`. +If the number of events is large, and you'd like to stop the command, enter `Ctrl+C`. - >[!IMPORTANT] - >The above command may produce little to no results if you enabled data viewing recently. It can take several minutes before your Windows device can show diagnostic data it has sent. Use your device as you normally would in the mean time and try again. +>[!NOTE] +>The preceding command might produce little to no results if you enabled data viewing recently. It can take several minutes before your Windows device can show diagnostic data it sent. 
-### Doing more with the Diagnostic Data Viewer for PowerShell -The Diagnostic Data Viewer for PowerShell provides you with the following features to view and filter your device's diagnostic data. You can also use the extensive suite of other PowerShell tools with this module. +## Working with the Diagnostic Data Viewer for PowerShell -- **View your diagnostic events.** Running `PS C:\> Get-DiagnosticData`, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. +The Diagnostic Data Viewer for PowerShell provides you with the following features to view and filter your device's diagnostic data. You can also use the extensive suite of other PowerShell tools with this module. - Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when it was seen by your Windows device, whether the event is [Basic](./configure-windows-diagnostic-data-in-your-organization.md), its [diagnostic event category](#view-diagnostic-event-categories), and a detailed JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft. Microsoft uses this info to continually improve the Windows operating system. +> [!TIP] +> For more information about the PowerShell commands available, see the [Microsoft.DiagnosticDataViewer module documentation](/powershell/module/microsoft.diagnosticdataviewer). -- **View diagnostic event categories.** Each event shows the diagnostic event categories that it belongs to. These categories define how events are used by Microsoft. The categories are shown as numeric identifiers. For more information about these categories, see [Windows Diagnostic Data](./windows-diagnostic-data.md). 
- - To view the diagnostic category represented by each numeric identifier and what the category means, you can run the command: +### View your diagnostic events - ```powershell - PS C:\> Get-DiagnosticDataTypes - ``` +Running `PS C:\> Get-DiagnosticData`, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. -- **Filter events by when they were sent.** You can view events within specified time ranges by specifying a start time and end time of each command. For example, to see all diagnostic data sent between 12 and 6 hours ago, run the following command. Note that data is shown in order of oldest first. - ```powershell - PS C:\> Get-DiagnosticData -StartTime (Get-Date).AddHours(-12) -EndTime (Get-Date).AddHours(-6) - ``` +Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when it was seen by your Windows device, whether the event is [Required](configure-windows-diagnostic-data-in-your-organization.md#required-diagnostic-data), its diagnostic event category, and a detailed JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft. Microsoft uses this info to continually improve the Windows operating system. -- **Export the results of each command.** You can export the results of each command to a separate file such as a csv by using pipe `|`. For example, +### View diagnostic event categories - ```powershell - PS C:\> Get-DiagnosticData | Export-Csv 'mydata.csv' - ``` +Each event shows the diagnostic event categories that it belongs to. These categories define how events are used by Microsoft. The categories are shown as numeric identifiers. 
+ +To view the diagnostic category represented by each numeric identifier and what the category means, you can run the following command: + +```powershell +PS C:\> Get-DiagnosticDataTypes +``` + +### Filter events by when they were sent + +You can view events within specified time ranges by specifying a start time and end time of each command. For example, to see all diagnostic data sent between 12 and 6 hours ago, run the following command. Data is shown in order of oldest first. + +```powershell +PS C:\> Get-DiagnosticData -StartTime (Get-Date).AddHours(-12) -EndTime (Get-Date).AddHours(-6) +``` + +### Export the results of each command + +You can export the results of each command to a separate file such as a csv by using pipe `|`. For example: + +```powershell +PS C:\> Get-DiagnosticData | Export-Csv 'mydata.csv' +``` ## Turn off data viewing -When you're done reviewing your diagnostic data, we recommend turning off data viewing to prevent using up more memory. Turning off data viewing stops Windows from saving a history of your diagnostic data and clears the existing history of diagnostic data from your device. -**To turn off data viewing through the Settings page** -1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. +When you're done reviewing your diagnostic data, we recommend turning off data viewing to prevent using up more memory. Turning off data viewing stops Windows from saving a history of your diagnostic data and clears the existing history of diagnostic data from your device. -2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. +### To turn off data viewing through the Settings page - ![Location to turn off data viewing.](images/ddv-settings-off.png) +1. Go to **Start**, select **Settings** > **Privacy & security** > **Diagnostics & feedback**. -**To turn off data viewing through PowerShell** +2. 
Under **View diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. + + +### To turn off data viewing through PowerShell Within an elevated PowerShell session, run the following command: 
@@ -143,44 +154,37 @@ PS C:\> Disable-DiagnosticDataViewing ``` ## Modifying the size of your data history -By default, the tool will show you up to 1GB or 30 days of data (whichever comes first). Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. -**Modify the size of your data history** +By default, the tool shows you up to 1 GB or 30 days of data (whichever comes first). Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. - >[!IMPORTANT] - >Modifying the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine. +### Modify the size of your data history - >[!IMPORTANT] - >If you modify the maximum data history size from a larger value to a lower value, you must turn off data viewing and turn it back on in order to reclaim disk space. +>[!IMPORTANT] +>- Modifying the maximum amount of diagnostic data viewable by the tool might come with performance impacts to your machine. +>- If you modify the maximum data history size from a larger value to a lower value, you must turn off data viewing and turn it back on in order to reclaim disk space. -You can change the maximum data history size (in megabytes) that you can view. For example, to set the maximum data history size to 2048MB (2GB), you can run the following command. +You can change the maximum data history size (in megabytes) that you can view. For example, to set the maximum data history size to 2,048 MB (2 GB), you can run the following command. ```powershell PS C:\> Set-DiagnosticStoreCapacity -Size 2048 ``` -You can change the maximum data history time (in hours) that you can view. For example, to set the maximum data history time to 24 hours, you can run the following command. +You can change the maximum data history time (in hours) that you can view. 
For example, to set the maximum data history time to 24 hours, you can run the following command. ```powershell PS C:\> Set-DiagnosticStoreCapacity -Time 24 ``` - >[!IMPORTANT] - >You may need to restart your machine for the new settings to take effect. +>[!NOTE] +>- You might need to restart your machine for the new settings to take effect. +>- If you have the [Diagnostic Data Viewer](diagnostic-data-viewer-overview.md) store app installed on the same device, modifications to the size of your data history through the PowerShell module will also be reflected in the app. - >[!IMPORTANT] - >If you have the [Diagnostic Data Viewer](diagnostic-data-viewer-overview.md) store app installed on the same device, modifications to the size of your data history through the PowerShell module will also be reflected in the app. +### Reset the size of your data history -**Reset the size of your data history** - -To reset the maximum data history size back to its original 1GB default value, run the following command in an elevated PowerShell session: +To reset the maximum data history size back to its original 1 GB default value, run the following command in an elevated PowerShell session: ```powershell PS C:\> Set-DiagnosticStoreCapacity -Size 1024 -Time 720 ``` When resetting the size of your data history to a lower value, be sure to turn off data viewing and turn it back on in order to reclaim disk space. - -## Related Links -- [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer) -- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index b6edb1591e..5b41deec31 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md 
@@ -7,8 +7,9 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dansimp -ms.date: 06/13/2024 +ms.date: 05/23/2025 ms.topic: reference +hideEdit: true ms.collection: - privacy-windows - must-keep @@ -80,7 +81,7 @@ Although enterprise admins can turn off most essential services, we recommend, w Windows ships with Microsoft Edge on Windows devices. Microsoft Edge is the default browser and is recommended for the best web browsing experience. -You can find details on all of Microsoft Edge's connected experiences and essential services [here](/microsoft-edge/privacy-whitepaper). To turn off specific Microsoft Edge features, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge). +You can find details on all of Microsoft Edge's connected experiences and essential services in the [Microsoft Edge Privacy Whitepaper](/microsoft-edge/privacy-whitepaper). To turn off specific Microsoft Edge features, see [Microsoft Edge](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge). ## IE essential services and connected experiences @@ -105,8 +106,8 @@ Internet Explorer shares many of the Windows essential services listed above. Th ## Related articles - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -- [Connected experiences in Office](/deployoffice/privacy/connected-experiences) -- [Essential services for Office](/deployoffice/privacy/essential-services) +- [Connected experiences in Office](/microsoft-365-apps/privacy/connected-experiences) +- [Essential services for Office](/microsoft-365-apps/privacy/essential-services) To view endpoints for Windows Enterprise, see: 
diff --git a/windows/privacy/images/ddv-data-viewing.png b/windows/privacy/images/ddv-data-viewing.png deleted file mode 100644 index b2f72cfc85..0000000000 Binary files a/windows/privacy/images/ddv-data-viewing.png and /dev/null differ diff --git a/windows/privacy/images/ddv-settings-launch.png b/windows/privacy/images/ddv-settings-launch.png deleted file mode 100644 index dc105bfde3..0000000000 Binary files a/windows/privacy/images/ddv-settings-launch.png and /dev/null differ diff --git a/windows/privacy/images/ddv-settings-off.png b/windows/privacy/images/ddv-settings-off.png deleted file mode 100644 index 9c1e292e89..0000000000 Binary files a/windows/privacy/images/ddv-settings-off.png and /dev/null differ diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index 6ed92f1764..88eaa8c6c7 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -7,8 +7,9 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dansimp -ms.date: 10/06/2023 +ms.date: 05/23/2025 ms.topic: reference +hideEdit: true ms.collection: - privacy-windows - must-keep @@ -185,4 +186,4 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec ## Related links - [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) -- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) +- [Network endpoints for Microsoft Intune](/intune/intune-service/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 4baed27cd9..8138c5c9ab 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md 
@@ -7,8 +7,9 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dansimp -ms.date: 01/18/2018 +ms.date: 05/23/2025 ms.topic: reference +hideEdit: true ms.collection: - privacy-windows - must-keep @@ -39,7 +40,7 @@ We used the following methodology to derive these network endpoints: 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. 5. The test virtual machine was logged in using a local account and wasn't joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using an IPV4 network. Therefore no IPV6 traffic is reported here. +6. All traffic was captured in our lab using an IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. @@ -313,7 +314,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Office -The following endpoints are used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +The following endpoints are used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. 
@@ -327,7 +328,7 @@ If you turn off traffic for these endpoints, users won't be able to save documen | | HTTPS | `nexusrules.officeapps.live.com` | | | HTTPS | `officeclient.microsoft.com` | -The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. @@ -357,7 +358,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper |:--------------:|:--------:|:------------| | onedrive | HTTP \ HTTPS | `g.live.com/1rewlive5skydrive/ODSUProduction` | -The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). +The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device won't be able to get OneDrive for Business app updates. | Source process | Protocol | Destination | 
@@ -400,7 +401,7 @@ The following endpoint is used to retrieve Skype configuration values. To turn o ## Windows Defender The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device won't use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service). +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device won't use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](/defender-endpoint/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service). | Source process | Protocol | Destination | |:--------------:|:--------:|:------------| @@ -492,5 +493,5 @@ To view endpoints for other versions of Windows 10 Enterprise, see: ## Related links -- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) +- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) +- [Network endpoints for Microsoft Intune](/intune/intune-service/fundamentals/intune-endpoints) 
diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md index d1c796a2e9..7c6362e9db 100644 --- a/windows/privacy/manage-windows-21h2-endpoints.md +++ b/windows/privacy/manage-windows-21h2-endpoints.md @@ -7,8 +7,9 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dansimp -ms.date: 01/18/2018 +ms.date: 05/23/2025 ms.topic: reference +hideEdit: true ms.collection: - privacy-windows - must-keep 
@@ -91,7 +92,7 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| |Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| ||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|`www.msftconnecttest.com`| -|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. 
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| |||HTTPS|www.office.com| |||HTTPS|blobs.officehome.msocdn.com| |||HTTPS|officehomeblobs.blob.core.windows.net| @@ -138,4 +139,4 @@ To view endpoints for other versions of Windows 10 Enterprise, see: ## Related links - [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) +- [Network endpoints for Microsoft Intune](/intune/intune-service/fundamentals/intune-endpoints) diff --git a/windows/privacy/optional-diagnostic-data.md b/windows/privacy/optional-diagnostic-data.md index 0c6dc6be07..72861a30b0 100644 --- a/windows/privacy/optional-diagnostic-data.md +++ b/windows/privacy/optional-diagnostic-data.md @@ -7,8 +7,9 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dansimp -ms.date: 03/31/2017 +ms.date: 05/23/2025 ms.topic: reference +hideEdit: true ms.collection: - privacy-windows - must-keep 
@@ -29,7 +30,7 @@ Applies to: Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of optional diagnostic data collected by Windows, with comprehensive examples of data we collect per each type. -In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944-1:2020 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/79573.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard. +In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944-1:2020, Cloud computing and distributed platforms ─ Data flow, data categories and data use](https://www.iso.org/standard/79573.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. 
Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard. The data covered in this article is grouped into the following types: @@ -65,13 +66,13 @@ Information that is added to most diagnostic events, if relevant and available: - HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data) - Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data) - ## Device, Connectivity, and Configuration data This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration data is equivalent to ISO/IEC 19944-1:2020, 8.2.3.2.3 Connectivity data. -### Data Use for Device, Connectivity, and Configuration data +### Data Use for Device, Connectivity, and Configuration data + +**For Diagnostics:** -**For Diagnostics:**
[Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft products and services. For example: - Device, Connectivity, and Configuration data is used to understand the unique device characteristics that can contribute to an error experienced on the device, to identify patterns, and to more quickly resolve problems that impact devices with unique hardware, capabilities, or settings. For example: @@ -84,13 +85,14 @@ This type of data includes details about the device, its configuration and conne - Data about device peripherals is used to determine whether a device has installed drivers that might be negatively impacted by a Windows update. - Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 and Windows 11 improvements to determine the greatest positive impact to the most Windows 10 and Windows 11 users. -**With (optional) Tailored experiences:**
+**With (optional) Tailored experiences:** + If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [Pseudonymized](#pseudo) Device, Connectivity, and Configuration data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11users. For example: - Data about device properties and capabilities is used to provide tips about how to use or configure the device to get the best performance and user experience. - Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These apps might be free or paid. -  + ### Data Description for Device, Connectivity, and Configuration data type **Device properties subtype:** Information about the operating system and device hardware @@ -183,7 +185,8 @@ This type of data includes details about the usage of the device, operating syst ### Data Use for Product and Service Usage data -**For Diagnostics:**
+**For Diagnostics:** + [Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example: - Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps. @@ -193,13 +196,13 @@ This type of data includes details about the usage of the device, operating syst - Data about when and what feature invoked Cortana is used to prioritize efforts for improvement and innovation in Cortana. - Data about when a context menu in the photo app is closed is used to troubleshoot and improve the photo app. -**With (optional) Tailored experiences:**
+**With (optional) Tailored experiences:** + If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. For example: - If data shows that a user hasn't used a particular feature of Windows, we might recommend that the user try that feature. - Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These apps might be free or paid. - ### Data Description for Product and Service Usage data type **App usage subtype:** Information about Windows and application usage @@ -247,7 +250,8 @@ This type of data includes details about the health of the device, operating sys ### Data Use for Product and Service Performance data -**For Diagnostics:**
+**For Diagnostics:** + [Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example: - Data about the reliability of content that appears in the [Windows Spotlight](/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations. @@ -255,14 +259,15 @@ This type of data includes details about the health of the device, operating sys - Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial recognition performance. - Data about when an application window fails to appear is used to investigate issues with application window reliability and performance. -**With (optional) Tailored experiences:**
+**With (optional) Tailored experiences:** + If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. - Data about battery performance on a device may be used to recommend settings changes that can improve battery performance. - If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space. - If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These apps might be free or paid. -**Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service.** +Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service. ### Data Description for Product and Service Performance data type @@ -360,7 +365,8 @@ This type of data includes software installation and update information on the d ### Data Use for Software Setup and Inventory data -**For Diagnostics:**
+**For Diagnostics:** + [Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example: - Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues that should block or delay a Windows update. @@ -368,7 +374,8 @@ This type of data includes software installation and update information on the d - Data about the specific Microsoft Store apps that are installed on a device is used to determine which app updates to provide to the device. - Data about the antimalware installed on a device is used to understand malware transmissions vectors. -**With (optional) Tailored experiences:**
+**With (optional) Tailored experiences:** + If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. For example: - Data about the specific apps that are installed on a device is used to provide recommendations for similar or complementary apps in the Microsoft Store. @@ -402,7 +409,8 @@ This type of data includes details about web browsing in the Microsoft browsers. ### Data Use for Browsing History data -**For Diagnostics:**
+**For Diagnostics:** + [Pseudonymized](#pseudo) Browsing History data from Windows 10 and Windows 11 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and Windows 11 and related Microsoft product and services. For example: - Data about when the **Block Content** dialog box has been shown is used for investigations of blocked content. @@ -411,7 +419,8 @@ This type of data includes details about web browsing in the Microsoft browsers. - Data about when a Web Notes session starts is used to measure popular domains and URLs for the Web Notes feature. - Data about when a default **Home** page is changed by a user is used to measure which default **Home** pages are the most popular and how often users change the default **Home** page. -**With (optional) Tailored experiences:**
+**With (optional) Tailored experiences:** + If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 and Windows 11 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 and Windows 11 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 and Windows 11 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 and Windows 11 users. For example: - We might recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app. @@ -434,7 +443,8 @@ This type of data gathers details about the voice, inking, and typing input feat ### Data Use for Inking, Typing, and Speech Utterance data -**For Diagnostics:**
+**For Diagnostics:** + [Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 and Windows 11 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example: - Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature. @@ -451,7 +461,7 @@ This type of data gathers details about the voice, inking, and typing input feat **Voice, inking, and typing subtype:** Information about voice, inking, and typing features -- Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used +- Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it's used - Pen gestures (click, double click, pan, zoom, or rotate) - Palm Touch x,y coordinates - Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md index 800f6a44bf..f1a4cb2aae 100644 --- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md @@ -8,8 +8,9 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dansimp -ms.date: 10/01/2024 +ms.date: 05/23/2025 ms.topic: reference +hideEdit: true ms.collection: - privacy-windows - must-keep diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md index e17b4cc411..a1bc2c18da 100644 --- a/windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-24H2.md 
@@ -8,8 +8,9 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dansimp -ms.date: 10/01/2024 +ms.date: 05/23/2025 ms.topic: reference +hideEdit: true ms.collection: - privacy-windows - must-keep diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index fc05807bdb..16bc60ed93 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -7,11 +7,12 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dansimp -ms.date: 10/01/2024 +ms.date: 05/23/2025 +ms.topic: reference +hideEdit: true ms.collection: - privacy-windows - must-keep -ms.topic: reference --- diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index cd66cb48a1..13ade8af19 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml @@ -7,9 +7,9 @@ href: configure-windows-diagnostic-data-in-your-organization.md - name: Diagnostic Data Viewer items: - - name: Diagnostic Data Viewer Overview + - name: Diagnostic Data Viewer overview href: diagnostic-data-viewer-overview.md - - name: Diagnostic Data Viewer for PowerShell Overview + - name: Diagnostic Data Viewer for PowerShell overview href: diagnostic-data-viewer-powershell.md - name: Required Windows diagnostic data events and fields items: diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index a4dbd390e2..dd298e0346 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md 
@@ -7,8 +7,9 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dansimp -ms.date: 10/06/2023 +ms.date: 05/23/2025 ms.topic: reference +hideEdit: true ms.collection: - privacy-windows - must-keep diff --git a/windows/privacy/windows-privacy-compliance-guide.md b/windows/privacy/windows-privacy-compliance-guide.md index 155caa56e4..4b10abed89 100644 --- a/windows/privacy/windows-privacy-compliance-guide.md +++ b/windows/privacy/windows-privacy-compliance-guide.md @@ -7,15 +7,16 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dansimp -ms.date: 05/20/2019 -ms.topic: article +ms.date: 05/30/2025 +ms.topic: concept-article +hideEdit: true ms.collection: - essentials-compliance - privacy-windows - must-keep --- -# Windows Privacy Compliance:
A Guide for IT and Compliance Professionals +# Windows Privacy Compliance:
A Guide for IT and Compliance Professionals Applies to: @@ -26,7 +27,7 @@ Applies to: ## Overview -At Microsoft, we are committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows. +At Microsoft, we're committed to data privacy across all our products and services. With this guide, we provide administrators and compliance professionals with data privacy considerations for Windows. Microsoft collects data through multiple interactions with users of Windows devices. This information can contain personal data that may be used to provide, secure and improve Windows, and to provide connected experiences. To help users and organizations control the collection of personal data, Windows provides comprehensive transparency features, settings choices, controls, and support for data subject requests, all of which are detailed in this article. @@ -45,24 +46,24 @@ The following table provides an overview of the Windows 10 and Windows 11 privac > [!NOTE] > This table is limited to the privacy settings that are most commonly available when setting up a current version of Windows 10 or newer. For the full list of settings that involve data collection, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). -| Feature/Setting | Description | Supporting content | Privacy statement | +| Feature/Setting | Description | Supporting content | Section of the Microsoft Privacy Statement | | --- | --- | --- | --- | -| Diagnostic Data |

Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.

Diagnostic data is categorized into the following:

  • **Required diagnostic data**
    Required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).
  • **Optional diagnostic data**
    Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./optional-diagnostic-data.md).

| [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)

[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) | -| Inking & typing | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) | -| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainlocationservicesmotionsensingmodule) | -| Find my device | Use your device’s location data to help you find your device if you lose it. | [Learn more](https://support.microsoft.com/help/11579/microsoft-account-find-and-lock-lost-windows-device) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#mainlocationservicesmotionsensingmodule) | -| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) | -| Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. 
| [Learn more](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | [Privacy statement](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | +| Diagnostic Data |

Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.

Diagnostic data is categorized into the following:

  • **Required diagnostic data**
    Required diagnostic data includes information about your device, its settings, capabilities, and whether it's performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data in [Required diagnostic events and fields for Windows 11, version 24H2](./required-diagnostic-events-fields-windows-11-24h2.md).
  • **Optional diagnostic data**
    Optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected in [Optional diagnostic data for Windows 11 and Windows 10](./optional-diagnostic-data.md).

| [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/28808a2b-a31b-dd73-dcd3-4559a5199319)

[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Diagnostics](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule) +| Inking & typing | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/28808a2b-a31b-dd73-dcd3-4559a5199319) | [Diagnostics](https://www.microsoft.com/privacy/privacystatement#maindiagnosticsmodule)| +| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Windows location service and privacy](https://support.microsoft.com/windows/3a8eee0a-5b0b-dc07-eede-2a5ca1c49088) |[Location services and recording](https://www.microsoft.com/privacy/privacystatement#mainlocationservicesmotionsensingmodule) | +| Find my device | Use your device’s location data to help you find your device if you lose it. | [Find and lock a lost Windows device](https://support.microsoft.com/account-billing/890bf25e-b8ba-d3fe-8253-e98a12f26316) | [Location services and recording](https://www.microsoft.com/privacy/privacystatement#mainlocationservicesmotionsensingmodule) | +| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. 
| [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/28808a2b-a31b-dd73-dcd3-4559a5199319) | [Personalized offers](https://www.microsoft.com/privacy/privacystatement#mainpersonalizedoffersmodule) | +| Advertising ID | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [General privacy settings in Windows](https://support.microsoft.com/windows/7c7f6a09-cebd-5589-c376-7f505e5bf65a) | [Advertising ID](https://www.microsoft.com/privacy/privacystatement#mainadvertisingidmodule) | ### 1.2 Data collection monitoring [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) is a Microsoft Store app (available in Windows 10, version 1803 and later and Windows 11) that lets a user review the Windows diagnostic data that is being collected on their Windows device and sent to Microsoft in real-time. DDV groups the information into simple categories that describe the data that’s being collected. -An administrator can also use the Diagnostic Data Viewer for PowerShell module to view the diagnostic data collected from the device instead of using the Diagnostic Data Viewer UI. The [Diagnostic Data Viewer for PowerShell Overview](diagnostic-data-viewer-powershell.md) provides further information. +An administrator can also use the Diagnostic Data Viewer for PowerShell module to view the diagnostic data collected from the device instead of using the Diagnostic Data Viewer UI. The [Diagnostic Data Viewer for PowerShell overview](diagnostic-data-viewer-powershell.md) provides further information. > [!Note] -> If the Windows diagnostic data processor configuration is enabled, IT administrators should use the admin portal to fulfill data subject requests to access or export Windows diagnostic data associated with a particular user’s device usage. See [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). 
+> If the Windows diagnostic data processor configuration is enabled, IT administrators should use the admin portal to fulfill data subject requests to access or export Windows diagnostic data associated with a particular user’s device usage. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). ## 2. Windows data collection management 
@@ -70,28 +71,28 @@ Windows provides the ability to manage privacy settings through several differen ### 2.1 Privacy setting options for users -Once a Windows device is set up, a user can manage data collection settings by opening the Settings app in Windows. Administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If this is the case, the user will see an alert that says **Some settings are hidden or managed by your organization** when they navigate to the settings page. In this case, the user can only change settings in accordance with the policies that the administrator has applied to the device. +Once a Windows device is set up, a user can manage data collection settings by opening the Settings app in Windows. Administrators can control privacy settings via setting policy on the device (see [Section 2.2](#22-privacy-setting-controls-for-administrators) later in this guide). If this is the case, the user will see an alert that says **Some settings are hidden or managed by your organization** when they navigate to the settings page. In this case, the user can only change settings in accordance with the policies that the administrator has applied to the device. ### 2.2 Privacy setting controls for administrators Administrators can configure and control privacy settings across their organization by using Group Policy, Mobile Device Management (MDM), or Windows registry settings. -The following table provides an overview of the privacy settings discussed earlier in this document with details on how to configure these policies. The table also provides information on what the default value would be for each of these privacy settings if you do not manage the setting by using policy and suppress the Out-of-box Experience (OOBE) during device setup. If you’re interested in minimizing data collection, we also provide the recommended value to set. 
+The following table provides an overview of the privacy settings discussed earlier in this document with details on how to configure these policies. The table also provides information on what the default value would be for each of these privacy settings if you don't manage the setting by using policy and suppress the Out-of-box Experience (OOBE) during device setup. If you’re interested in minimizing data collection, we also provide the recommended value to set. > [!NOTE] -> This is not a complete list of settings that involve managing data collection or connecting to connected experiences in Windows. For a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +> This isn't a complete list of settings that involve managing data collection or connecting to connected experiences in Windows. For a more detailed list, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). | Connected experience /setting | GP/MDM documentation | Default state if the setup experience is suppressed | State to stop/minimize data collection | |---|---|---|---| -| [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**

MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off | -| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later and Windows 11) | Off | -| [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**

MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off | -| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry** (or **Allow diagnostic data** in Windows 11 or Windows Server 2022)

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)

**Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. For more information, see [Enabling the Windows diagnostic data processor configuration](#237-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration). | Required diagnostic data (Windows 10, version 1903 and later and Windows 11)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | -| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later and Windows 11) | Off | -| Tailored Experiences | Group Policy:
**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**

MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off | -| Advertising ID | Group Policy:
**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**

MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off | -| Activity History/Timeline – Cloud Sync | Group Policy:
**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**

MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off | -| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:
**Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**

MDM: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off | +| [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**

MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#allowinputpersonalization) | Off | Off | +| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#letappsaccesslocation) | Off (Windows 10, version 1903 and later and Windows 11) | Off | +| [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**

MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#allowfindmydevice) | Off | Off | +| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry** (or **Allow diagnostic data** in Windows 11 or Windows Server 2022)

MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#allowtelemetry)

**Note**: If you're planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection isn't recommended. For more information, see [Enabling the Windows diagnostic data processor configuration](#237-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration). | Required diagnostic data (Windows 10, version 1903 and later and Windows 11)

Server editions:
Enhanced diagnostic data | Security (Off) and block endpoints | +| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later and Windows 11) | Off | +| Tailored Experiences | Group Policy:
**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**

MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#allowtailoredexperienceswithdiagnosticdata) | Off | Off | +| Advertising ID | Group Policy:
**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**

MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#disableadvertisingid) | Off | Off | +| Activity History/Timeline – Cloud Sync | Group Policy:
**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**

MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#enableactivityfeed) | Off | Off | +| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:
**Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**

MDM: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#allowcortana) | Off | Off | ### 2.3 Guidance for configuration options 
@@ -101,7 +102,7 @@ This section provides general details and links to more detailed information, as Windows deployment can be configured using several different methods that provide an administrator with options for control, including how a device is set up, which options are enabled by default, and what the user is able to change on the device after they log on. -If you want the ability to fully control and apply restrictions on data being sent back to Microsoft, you can use [Configuration Manager](/mem/configmgr/) as a deployment solution. Configuration Manager can be used to deploy a customized boot image using a variety of [deployment methods](/mem/configmgr/osd/get-started/prepare-for-operating-system-deployment). You can further restrict any Configuration Manager-specific diagnostic data from being sent back to Microsoft by turning off this setting as outlined in the instructions [here](/mem/configmgr/core/plan-design/diagnostics/frequently-asked-questions). +If you want the ability to fully control and apply restrictions on data being sent back to Microsoft, you can use [Configuration Manager](/intune/configmgr/) as a deployment solution. Configuration Manager can be used to deploy a customized boot image using a variety of [deployment methods](/intune/configmgr/osd/get-started/prepare-for-operating-system-deployment). You can further restrict any Configuration Manager-specific diagnostic data from being sent back to Microsoft by turning off this setting as outlined in the instructions in [Frequently asked questions about diagnostics and usage data](/intune/configmgr/core/plan-design/diagnostics/frequently-asked-questions). Alternatively, your administrators can also choose to use Windows Autopilot. Windows Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. 
However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Windows Autopilot profile and policies. 
@@ -124,11 +125,11 @@ The article [Manage connection endpoints for Windows 11 Enterprise](manage-windo #### _2.3.3 Limited functionality baseline_ -An organization may want to minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization. +An organization may want to minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. 
The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization. >[!IMPORTANT] > - We recommend that you fully test any modifications to these settings before deploying them in your organization. -> - We also recommend that if you plan to enable the Windows diagnostic data processor configuration, adjust the limited configuration baseline before deploying it to ensure the Windows diagnostic setting is not turned off. +> - We also recommend that if you plan to enable the Windows diagnostic data processor configuration, adjust the limited configuration baseline before deploying it to ensure the Windows diagnostic setting isn't turned off. #### _2.3.4 Diagnostic data: Managing notifications for change of level at logon_ 
@@ -136,16 +137,16 @@ Starting with Windows 10, version 1803 and Windows 11, if an administrator modif #### _2.3.5 Diagnostic data: Managing end user choice for changing the setting_ -Windows 10, version 1803 and later and Windows 11 allows users to change their diagnostic data level to a lower setting than what their administrator has set. For example, if you have configured the device to send optional diagnostic data, a user can change the setting so that only required diagnostic data is sent by opening the Settings app in Windows and navigating to **Diagnostic & feedback**. Administrators can restrict a user’s ability to change the setting by enabling the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in setting user interface** or the MDM policy `ConfigureTelemetryOptInSettingsUx`. +Windows 10, version 1803 and later and Windows 11 allows users to change their diagnostic data level to a lower setting than what their administrator has set. For example, if you have configured the device to send optional diagnostic data, a user can change the setting so that only required diagnostic data is sent by opening the Settings app in Windows and navigating to **Diagnostics & feedback**. Administrators can restrict a user’s ability to change the setting by enabling the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in setting user interface** or the MDM policy `ConfigureTelemetryOptInSettingsUx`. #### _2.3.6 Diagnostic data: Managing device-based data delete_ -Windows 10, version 1809 and later and Windows 11 allow a user to delete diagnostic data collected from their device by opening the Settings app in Windows and navigating to **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. 
An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. +Windows 10, version 1809 and later and Windows 11 allow a user to delete diagnostic data collected from their device by opening the Settings app in Windows and navigating to **Diagnostics & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`. >[!Note] ->If the Windows diagnostic data processor configuration is enabled, the Delete diagnostic data button will be disabled and the powershell cmdlet will not delete data collected under this configuration. IT administrators can instead delete diagnostic data collected by invoking a delete request from the admin portal. +>If the Windows diagnostic data processor configuration is enabled, the Delete diagnostic data button will be disabled and the PowerShell cmdlet will not delete data collected under this configuration. IT administrators can instead delete diagnostic data collected by invoking a delete request from the admin portal. #### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_ 
@@ -154,14 +155,14 @@ An administrator can disable a user’s ability to delete their device’s diagn - Windows 11 Enterprise, Professional, and Education editions - Windows 10 Enterprise, Professional, and Education, version 1809 with July 2021 update and newer -The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD)-joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities. +The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Microsoft Entra joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration). Windows diagnostic data doesn't include data processed by Microsoft in connection with providing service-based capabilities. -The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific Azure Active Directory User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific Azure AD User ID. 
Additionally, you’re able to execute an export DSR for diagnostic data related to a specific Azure AD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. +The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific Microsoft Entra User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific Microsoft Entra User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific Microsoft Entra User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Microsoft Entra tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. We recommend that IT administrators who have enabled the Windows diagnostic data processor configuration consider the following: -- Restrict user’s ability to sign-in with a Microsoft Account (MSA) using [Block Microsoft account group policy](/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts). -- Restrict user’s ability to submit feedback, as any feedback or additional logs submitted by the user are not managed by the Windows diagnostic data processor configuration option. 
The Feedback hub app can be removed using [PowerShell](/powershell/module/appx/remove-appxpackage) and you can block the ability to submit feedback in Microsoft Edge using [Feedback group policy](/deployedge/microsoft-edge-policies#userfeedbackallowed). +- Restrict user’s ability to sign-in with a Microsoft Account (MSA) using [Block Microsoft account group policy](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts). +- Restrict user’s ability to submit feedback, as any feedback or additional logs submitted by the user aren't managed by the Windows diagnostic data processor configuration option. The Feedback hub app can be removed using [PowerShell](/powershell/module/appx/remove-appxpackage) and you can block the ability to submit feedback in Microsoft Edge using [Feedback group policy](/deployedge/microsoft-edge-policies#userfeedbackallowed). >[!Note] >Tenant account closure will lead to the deletion of all data associated with that tenant. 
@@ -172,25 +173,25 @@ For more information on how Microsoft can help you honor rights and fulfill obli This section discusses the different methods Microsoft provides for users and administrators to exercise data subject rights for data collected from a Windows device. -For IT administrators who have devices using the Windows diagnostic data processor configuration, refer to the [Data Subject Requests for the GDPR and CCPA](/compliance/regulatory/gdpr-dsr-windows). Otherwise proceed to the sections below. +For IT administrators who have devices using the Windows diagnostic data processor configuration, refer to the [Data Subject Requests for the GDPR and CCPA](/compliance/regulatory/gdpr-dsr-windows). Otherwise proceed to the next sections. ### 3.1 Delete -Users can delete their device-based data by opening the Windows settings app and navigating to **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. +Users can delete their device-based data by opening the Windows settings app and navigating to **Diagnostics & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData) PowerShell cmdlet. >[!Note] >If the Windows diagnostic data processor configuration is being used, the Delete diagnostic data functionality will be disabled. IT administrators can delete diagnostic data associated with a user from the admin portal. ### 3.2 View -The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from a Windows device. 
Administrators can also use the [Get-DiagnosticData](diagnostic-data-viewer-powershell.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet. +The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from a Windows device. Administrators can also use the [Get-DiagnosticData](/powershell/module/microsoft.diagnosticdataviewer/get-diagnosticdata) PowerShell cmdlet. >[!Note] >If the Windows diagnostic data processor configuration is enabled, IT administrators can view the diagnostic data that is associated with a user from the admin portal. ### 3.3 Export -The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides the ability to export the diagnostic data captured while the app is running, by clicking the **Export** data button in the top menu. Administrators can also use the [Get-DiagnosticData](diagnostic-data-viewer-powershell.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet script. +The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides the ability to export the diagnostic data captured while the app is running, by clicking the **Export** data button in the top menu. Administrators can also use the [Get-DiagnosticData](/powershell/module/microsoft.diagnosticdataviewer/get-diagnosticdata) PowerShell cmdlet. >[!Note] >If the Windows diagnostic data processor configuration is enabled, IT administrators can also export the diagnostic data that is associated with a user from the admin portal. 
@@ -219,19 +220,19 @@ Windows Server follows the same mechanisms as Windows 10 (and newer versions) fo ### 5.2 Surface Hub -[Surface Hub](/surface-hub/) is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. To delete the Windows diagnostic data sent to Microsoft for Surface Hub, you can use the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store. +[Surface Hub](/surface-hub/) is a shared device used within an organization. The device identifier collected as part of diagnostic data isn't connected to a user. To delete the Windows diagnostic data sent to Microsoft for Surface Hub, you can use the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store. >[!IMPORTANT] ->Apps and services that run on Windows but are not considered part of Windows will manage data collection using their own controls. Please contact the publisher for further guidance on how to control the data collection and transmission of these apps and services. +>Apps and services that run on Windows but aren't considered part of Windows will manage data collection using their own controls. Please contact the publisher for further guidance on how to control the data collection and transmission of these apps and services. -An administrator can configure privacy-related settings, such as choosing to only send required diagnostic data. Surface Hub does not support Group Policy for centralized management. However, administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, see [Manage settings with an MDM provider (Surface Hub)](/surface-hub/manage-settings-with-mdm-for-surface-hub). +An administrator can configure privacy-related settings, such as choosing to only send required diagnostic data. Surface Hub doesn't support Group Policy for centralized management. 
However, administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, see [Manage Surface Hub with an MDM provider](/surface-hub/manage-settings-with-mdm-for-surface-hub). >[!Note] >The Windows diagnostic data processor configuration is not available for Surface Hub. ### 5.3 Windows Update for Business reports -[Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organization’s Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all of its reporting. +[Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) is a cloud-based solution that provides information about an organization’s Microsoft Entra joined devices' compliance with Windows updates. Windows Update for Business reports uses Windows diagnostic data for all of its reporting. ### 5.4 Windows Autopatch 
@@ -239,13 +240,13 @@ An administrator can configure privacy-related settings, such as choosing to onl
 ### 5.5 Windows updates reports (in Microsoft Intune)
-Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. Microsoft Intune includes reports that help you prepare a Windows upgrade or update. For example, [App and driver compatibility reports](/mem/intune/protect/windows-update-compatibility-reports), [Windows driver updates](/mem/intune/protect/windows-driver-updates-overview), and [Windows Autopilot](/autopilot/windows-autopilot). These reports use Windows diagnostic data for their reporting.
+Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. Microsoft Intune includes reports that help you prepare a Windows upgrade or update. For example, [App and driver compatibility reports](/intune/intune-service/protect/windows-update-compatibility-reports), [Windows driver updates](/intune/intune-service/protect/windows-driver-updates-overview), and [Windows Autopilot](/autopilot/overview). These reports use Windows diagnostic data for their reporting.
## Additional Resources
 * [Microsoft Trust Center: GDPR Overview](https://www.microsoft.com/trust-center/privacy/gdpr-overview)
-* [Microsoft Trust Center: Privacy at Microsoft](https://www.microsoft.com/trust-center/privacy)
-* [Windows IT Pro Docs](/windows/#pivot=it-pro)
+* [Microsoft Trust Center: Data protection and privacy](https://www.microsoft.com/trust-center/privacy)
+* [Windows technical documentation for developers and IT pros](/windows/)
 * [Microsoft Privacy Statement](https://www.microsoft.com/privacy/privacystatement)
 * [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
 * [Privacy at Microsoft](https://www.microsoft.com/privacy)
diff --git a/windows/security/application-security/application-control/app-control-for-business/index.yml b/windows/security/application-security/application-control/app-control-for-business/index.yml
index 576efefff8..cd84210e03 100644
--- a/windows/security/application-security/application-control/app-control-for-business/index.yml
+++ b/windows/security/application-security/application-control/app-control-for-business/index.yml
@@ -7,7 +7,7 @@ metadata:
 ms.topic: landing-page
 author: vinaypamnani-msft
 ms.author: vinpa
- manager: aaroncz
+ manager: bpardi
 ms.date: 09/11/2024
 # linkListType: overview | how-to-guide | tutorial | video
 landingContent:
diff --git a/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md b/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md
index 9f6ad2b2dc..be0cbfa469 100644
--- a/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md
+++ b/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md
@@ -4,7 +4,7 @@ description: Hardware and software system integrity-hardening capabilities that
 ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.author: vinpa
-manager: aaroncz
+manager: bpardi
 ms.date: 09/11/2024
 ms.topic: article
 appliesto:
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index f64814d751..a88a8d4e1d 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -44,7 +44,7 @@
 "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
 "uhfHeaderId": "MSDocsHeader-Windows",
 "ms.localizationpriority": "medium",
- "manager": "aaroncz",
+ "manager": "bpardi",
 "feedback_system": "Standard",
 "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
 "_op_documentIdPathDepotMapping": {
diff --git a/windows/security/identity-protection/hello-for-business/includes/expiration.md b/windows/security/identity-protection/hello-for-business/includes/expiration.md
index e0f48877ad..b532991698 100644
--- a/windows/security/identity-protection/hello-for-business/includes/expiration.md
+++ b/windows/security/identity-protection/hello-for-business/includes/expiration.md
@@ -20,5 +20,5 @@ The default value is 0.
 > [!IMPORTANT]
 > PIN expiration is not supported on:
 >
-> - Devices with [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) enabled, since Windows Hello uses Virtualization-based Security (VBS) to isolate credentials.
+> - Devices with [Enhanced Sign-in Security (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) enabled, since Windows Hello uses Virtualization-based Security (VBS) to isolate credentials.
 > - Starting with Windows 11, version 24H2, on all devices that have VBS enabled.
diff --git a/windows/security/identity-protection/hello-for-business/includes/history.md b/windows/security/identity-protection/hello-for-business/includes/history.md
index 6d127a8f13..35ff56bf3e 100644
--- a/windows/security/identity-protection/hello-for-business/includes/history.md
+++ b/windows/security/identity-protection/hello-for-business/includes/history.md
@@ -22,5 +22,5 @@ The default value is 0.
 > [!IMPORTANT]
 > PIN history is not supported on:
 >
-> - Devices with [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) enabled, since Windows Hello uses Virtualization-based Security (VBS) to isolate credentials.
-> - Starting with Windows 11, version 24H2, on all devices that have VBS enabled.
\ No newline at end of file
+> - Devices with [Enhanced Sign-in Security (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) enabled, since Windows Hello uses Virtualization-based Security (VBS) to isolate credentials.
+> - Starting with Windows 11, version 24H2, on all devices that have VBS enabled.
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 65fbde4219..6a9abb26c8 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -10,7 +10,7 @@ metadata:
 - essentials-security
 author: paolomatarazzo
 ms.author: paoloma
- manager: aaroncz
+ manager: bpardi
 ms.date: 10/18/2024
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video
diff --git a/windows/security/operating-system-security/device-management/override-mitigation-options-for-app-related-security-policies.md b/windows/security/operating-system-security/device-management/override-mitigation-options-for-app-related-security-policies.md
index 6ebc5f4369..a44a50361e 100644
--- a/windows/security/operating-system-security/device-management/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/security/operating-system-security/device-management/override-mitigation-options-for-app-related-security-policies.md
@@ -15,9 +15,9 @@ Windows includes group policy-configurable "Process Mitigation Options" that add
 The Group Policy settings in this article are related to three types of process mitigations. All three types are on by default for 64-bit applications, but by using the Group Policy settings described in this article, you can configure more protections. The types of process mitigations are:
-- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as nonexecutable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention).
-- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they're compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection).
-- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization). To find more ASLR protections in the table below, look for `IMAGES` or `ASLR`.
+- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as nonexecutable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](/previous-versions/windows/it-pro/windows-10/security/threat-protection/overview-of-threat-mitigations-in-windows-10#data-execution-prevention).
+- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they're compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](/previous-versions/windows/it-pro/windows-10/security/threat-protection/overview-of-threat-mitigations-in-windows-10#structured-exception-handling-overwrite-protection).
+- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](/previous-versions/windows/it-pro/windows-10/security/threat-protection/overview-of-threat-mitigations-in-windows-10#address-space-layout-randomization). To find more ASLR protections in the table below, look for `IMAGES` or `ASLR`.
 The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings.
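Review bot: The DEP, SEHOP and ASLR bullets now link into the `/previous-versions/` archive while keeping the `#data-execution-prevention`, `#structured-exception-handling-overwrite-protection` and `#address-space-layout-randomization` fragments, and the redirection changes elsewhere in this commit show the original article is being retired; heading anchors on an archived copy aren't necessarily the ones the live article had, so the three fragments should be checked against the archived page before merge (or dropped to link the page itself). This remains a live configuration article, so readers of current process-mitigation guidance are sent to content labelled as a previous version; if a current reference for these mitigations exists, it would be the better target, otherwise a short parenthetical such as `(archived reference)` after each link would set expectations. The Group Policy procedure introduced by the last context line continues outside the hunk.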
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/rules.md b/windows/security/operating-system-security/network-security/windows-firewall/rules.md
index 6b6eef9e48..b18b14ca56 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/rules.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/rules.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Firewall Rules
 description: Learn about Windows Firewall rules and design recommendations.
-ms.date: 04/07/2025
+ms.date: 06/06/2025
 ms.topic: concept-article
 ---
@@ -15,9 +15,9 @@ This article describes the concepts and recommendations for creating and managin
 In many cases, allowing specific types of inbound traffic is required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when configuring inbound exceptions:
-1. Explicitly defined allow rules take precedence over the default block setting
-1. Explicit block rules take precedence over any conflicting allow rules
-1. More specific rules take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 takes precedence
+1. Explicitly defined allow rules take precedence over the default block setting.
+1. Explicit block rules take precedence over any conflicting allow rules.
+1. More specific rules take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 takes precedence.
 Because of 1 and 2, when designing a set of policies, you should make sure that there are no other explicit block rules that could inadvertently overlap, thus preventing the traffic flow you wish to allow.
@@ -34,8 +34,8 @@ When first installed, network applications and services issue a *listen call* sp
 :::column span="2":::
 If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network:
-- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic
-- If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected
+- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic.
+- If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected.
 To disable the notification prompt, you can use the [command line](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or the **Windows Firewall with Advanced Security** console
@@ -56,8 +56,8 @@ Windows Firewall supports the use of App Control for Business Application ID (Ap
 1. Deploy *App Control AppId tagging policies*: an App Control for Business policy must be deployed, which specifies individual applications or groups of applications to apply a *PolicyAppId tag* to the process token(s). Then, the admin can define firewall rules that are scoped to all processes tagged with the matching *PolicyAppId*. For more information, see the [App Control AppId tagging guide](../../../application-security/application-control/app-control-for-business/AppIdTagging/appcontrol-appid-tagging-guide.md) to create, deploy, and test an AppID policy to tag applications.
 1. Configure firewall rules using *PolicyAppId tags* using one of the two methods:
- - Using the [PolicyAppId node of the Firewall CSP](/windows/client-management/mdm/firewall-csp#mdmstorefirewallrulesfirewallrulenamepolicyappid) with an MDM solution like Microsoft Intune. If you use Microsoft Intune, you can deploy the rules from Microsoft Intune Admin center, under the path **Endpoint security** > **Firewall** > **Create policy** > **Windows 10, Windows 11, and Windows Server** > **Windows Firewall Rules**. When creating the rules, provide the *AppId tag* in the **Policy App ID** setting
- - Create local firewall rules with PowerShell: use the [`New-NetFirewallRule`](/powershell/module/netsecurity/new-netfirewallrule) cmdlet and specify the `-PolicyAppId` parameter. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported
+ - Using the [PolicyAppId node of the Firewall CSP](/windows/client-management/mdm/firewall-csp#mdmstorefirewallrulesfirewallrulenamepolicyappid) with an MDM solution like Microsoft Intune. If you use Microsoft Intune, you can deploy the rules from Microsoft Intune Admin center, under the path **Endpoint security** > **Firewall** > **Create policy** > **Windows 10, Windows 11, and Windows Server** > **Windows Firewall Rules**.
When creating the rules, provide the *AppId tag* in the **Policy App ID** setting.
+ - Create local firewall rules with PowerShell: use the [`New-NetFirewallRule`](/powershell/module/netsecurity/new-netfirewallrule) cmdlet and specify the `-PolicyAppId` parameter. You can specify one tag at a time while creating firewall rules. Multiple User Ids are supported.
 ## Local policy merge and application rules
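Review bot: The closing sentence of the PowerShell bullet, `Multiple User Ids are supported.`, doesn't fit the bullet it ends: the bullet is about the `-PolicyAppId` parameter and the sentence before it says a rule takes one tag at a time, so a statement about User IDs looks like a leftover from a different parameter's description, and the commit only adds a period to it. If the intent is that several tags can still be covered by creating a rule per tag, say that explicitly; otherwise the sentence should be removed rather than punctuated. The numbered procedure these bullets belong to starts outside the hunk.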
@@ -97,23 +97,28 @@ Here's a list of recommendations when designing your firewall rules:
 When designing a set of firewall policies for your network, it's a recommended practice to configure *allow rules* for any networked applications deployed on the host. Having the rules in place before the user first launches the application helps to ensure a seamless experience.
-The absence of these staged rules doesn't necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues.
+The absence of these staged rules doesn't necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege.
+
+If the device is expected to be used by non-administrative users, you should follow best practices and:
+
+- Provide these rules before the application's first launch to avoid unexpected networking issues.
+- Disable inbound notifications on all profiles. This disables the automatic creation of firewall rules.
 To determine why some applications are blocked from communicating in the network, check for the following instances:
-1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt
-1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes
-1. 
[Local policy merge](#local-policy-merge-and-application-rules) is disabled, preventing the application or network service from creating local rules
-
-Creation of application rules at runtime can also be prohibited by administrators using the Settings app or policy settings.
+1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt. Block rules are created.
+1. A user with sufficient privileges is **not** prompted because notifications are disabled. No Allow rules are created, the traffic is blocked by the default block rule.
+1. A user lacks sufficient privileges and is prompted to allow the application to make the appropriate policy changes. No matter what he clicks, Block rules get created for the application.
+1. A user lacks sufficient privileges and is **not** prompted because notifications are disabled. No Allow rules are created, the traffic is blocked by the default block rule.
+1. [Local policy merge](#local-policy-merge-and-application-rules) is disabled, preventing the application or network service from creating local rules.
 ### Outbound rules considerations
 What follows are a few general guidelines for configuring outbound rules.
-- Changing the outbound rules to *blocked* can be considered for certain highly secure environments. However, the inbound rule configuration should never be changed in a way that allows all traffic by default
-- It's recommended to *allow outbound* by default for most deployments for the sake of simplification with app deployments, unless the organization prefers tight security controls over ease-of-use
-- In high security environments, an inventory of all apps should be logged and maintained. Records must include whether an app used requires network connectivity. 
Administrators need to create new rules specific to each app that needs network connectivity and push those rules centrally, via GPO or CSP
+- Changing the outbound rules to *blocked* can be considered for certain highly secure environments. However, the inbound rule configuration should never be changed in a way that allows all traffic by default.
+- It's recommended to *allow outbound* by default for most deployments for the sake of simplification with app deployments, unless the organization prefers tight security controls over ease-of-use.
+- In high security environments, an inventory of all apps should be logged and maintained. Records must include whether an app used requires network connectivity. Administrators need to create new rules specific to each app that needs network connectivity and push those rules centrally, via GPO or CSP.
 ## Next steps
diff --git a/windows/security/threat-protection/images/security-fig4-aslr.png b/windows/security/threat-protection/images/security-fig4-aslr.png
deleted file mode 100644
index a84f09fe89..0000000000
Binary files a/windows/security/threat-protection/images/security-fig4-aslr.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-fig5-dep.png b/windows/security/threat-protection/images/security-fig5-dep.png
deleted file mode 100644
index f4e6874400..0000000000
Binary files a/windows/security/threat-protection/images/security-fig5-dep.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/threat-mitigations-pre-breach-post-breach-conceptual.png b/windows/security/threat-protection/images/threat-mitigations-pre-breach-post-breach-conceptual.png
deleted file mode 100644
index f23868fdde..0000000000
Binary files a/windows/security/threat-protection/images/threat-mitigations-pre-breach-post-breach-conceptual.png and /dev/null differ
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
deleted file mode 100644
index a7938a1a29..0000000000
--- a/windows/security/threat-protection/index.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Windows threat protection
-description: Describes the security capabilities in Windows client focused on threat protection
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: article
-ms.date: 12/31/2017
----
-
-# Windows threat protection
-
-In Windows client, hardware and software work together to help protect you from new and emerging threats. Expanded security protections in Windows 11 help boost security from the chip, to the cloud.
-
-See the following articles to learn more about the different areas of Windows threat protection:
-
-- [Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
-- [Attack Surface Reduction Rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)
-- [Controlled Folder Access](/microsoft-365/security/defender-endpoint/controlled-folders)
-- [Exploit Protection](/microsoft-365/security/defender-endpoint/exploit-protection)
-- [Microsoft Defender Application Guard](../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)
-- [Microsoft Defender Device Guard](../application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md)
-- [Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)
-- [Network Protection](/microsoft-365/security/defender-endpoint/network-protection)
-- [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
-- [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
-- [Windows Firewall](../operating-system-security/network-security/windows-firewall/index.md)
-- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/index.md)
-
-## Next-generation protection
-
-Next-generation 
protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time.
-
-- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus)
-- [Behavior monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)
-- [Cloud-based protection](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus)
-- [Machine learning](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus)
-- [URL Protection](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus)
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
deleted file mode 100644
index abb60675b1..0000000000
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ /dev/null
@@ -1,408 +0,0 @@
----
-title: Mitigate threats by using Windows 10 security features
-description: An overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats.
-ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.date: 12/31/2017
-ms.topic: how-to
----
-
-# Mitigate threats by using Windows 10 security features
-
-**Applies to:**
-- Windows 10
-
-This topic provides an overview of some of the software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Microsoft, see [Related topics](#related-topics).
-
-| Section | Contents |
-|--------------|-------------------------|
-| [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats. |
-| [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). |
-| [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they're built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. 
|
-| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://www.microsoft.com/download/details.aspx?id=48240) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. |
-
-
This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration:
-
-Types of defenses in Windows 10
-
-*Figure 1.  Device protection and threat resistance as part of the Windows 10 security defenses*
-
-## The security threat landscape
-
-Today's security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of temporarily taking a system offline. Since then, attacker's motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge.
-
-In recognition of this landscape, Windows 10 Creator's Update (Windows 10, version 1703) includes multiple security features that were created to make it difficult (and costly) to find and exploit many software vulnerabilities. These features are designed to:
-
-- Eliminate entire classes of vulnerabilities
-
-- Break exploitation techniques
-
-- Contain the damage and prevent persistence
-
-- Limit the window of opportunity to exploit
-
-The following sections provide more detail about security mitigations in Windows 10, version 1703.
-
-## Windows 10 mitigations that you can configure
-
-Windows 10 mitigations that you can configure are listed in the following two tables. 
The first table covers a wide array of protections for devices and users across the enterprise and the second table drills down into specific memory protections such as Data Execution Prevention. Memory protection options provide specific mitigations against malware that attempts to manipulate memory in order to gain control of a system.
-
-**Table 1  Windows 10 mitigations that you can configure**
-
-| Mitigation and corresponding threat | Description and links |
-|---|---|
-| **Windows Defender SmartScreen**
helps prevent
malicious applications
from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.

**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
-| **Credential Guard**
helps keep attackers
from gaining access through
Pass-the-Hash or
Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.

**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) |
-| **Enterprise certificate pinning**
helps prevent
man-in-the-middle attacks
that use PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.

**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
-| **Device Guard**
helps keep a device
from running malware or
other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

**More information**: [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol) |
-| **Microsoft Defender Antivirus**,
which helps keep devices
free of viruses and other
malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox anti-malware solution. Microsoft Defender Antivirus has been improved significantly since it was introduced in Windows 8.

**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic |
-| **Blocking of untrusted fonts**
helps prevent fonts
from being used in
elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
-| **Memory protections**
help prevent malware
from using memory manipulation
techniques such as buffer
overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
A subset of apps won't be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.

**More information**: [Table 2](#table-2), later in this topic |
-| **UEFI Secure Boot**
helps protect
the platform from
boot kits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.

**More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot) |
-| **Early Launch Antimalware (ELAM)**
helps protect
the platform from
rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the anti-malware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.

**More information**: [Early Launch Antimalware](/windows/device-security/bitlocker/bitlocker-countermeasures#protection-during-startup) |
-| **Device Health Attestation**
helps prevent
compromised devices from
accessing an organization's
assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device's actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.

**More information**: [Control the health of Windows 10-based devices](/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) and [Device Health Attestation](/windows-server/security/device-health-attestation) |
-
-Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth understanding of these threats and mitigations and knowledge about how the operating system and applications handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any applications that you use so that you can deploy settings that maximize protection while still allowing apps to run correctly.
-
-As an IT professional, you can ask application developers and software vendors to deliver applications that include an extra protection called Control Flow Guard (CFG). No configuration is needed in the operating system—the protection is compiled into applications. More information can be found in [Control Flow Guard](#control-flow-guard).
-
-### Table 2  Configurable Windows 10 mitigations designed to help protect against memory exploits
-
-| Mitigation and corresponding threat | Description |
-|---|---|
-| **Data Execution Prevention (DEP)**
helps prevent
exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.
DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, most applications don't.
**More information**: [Data Execution Prevention](#data-execution-prevention), later in this topic.

**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure more DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
-| **SEHOP**
helps prevent
overwrites of the
Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they've been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment.
**More information**: [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.

**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure more SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
-| **ASLR**
helps mitigate malware
attacks based on
expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This loading - of specific DLLs -helps mitigate malware that's designed to attack specific memory locations.
**More information**: [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.

**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure more ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
-
-### Windows Defender SmartScreen
-
-Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads.
-
-For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they're about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
-
-For more information, see [Microsoft Defender SmartScreen overview](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/).
-
-### Microsoft Defender Antivirus
-
-Microsoft Defender Antivirus in Windows 10 uses a multi-pronged approach to improve anti-malware:
-
-- **Tamper proofing** helps guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on. 
([Protected Processes](#protected-processes) is described later in this topic.)
-
-- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
-
-- **Rich local context** improves how malware is identified. Windows 11 informs Microsoft Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Microsoft Defender Antivirus to apply different levels of scrutiny to different content.
-
-- **Extensive global sensors** help keep Microsoft Defender Antivirus current and aware of even the newest malware. This up-to-date status is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
-
-- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Microsoft Defender Antivirus an enterprise-class anti-malware solution.
-
-
-
-For more information, see [Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) and [Windows Defender Overview for Windows Server](/windows-server/security/windows-defender/windows-defender-overview-windows-server).
-
-For information about Microsoft Defender for Endpoint, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (resources) and [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) (documentation). 
- -### Data Execution Prevention - -Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn't it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information? - -Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can't be used to execute malicious code that may be inserted through a vulnerability exploit. - -**To use Task Manager to see apps that use DEP** - -1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen. - -2. Click **More Details** (if necessary), and then click the **Details** tab. - -3. Right-click any column heading, and then click **Select Columns**. - -4. In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box. - -5. Click **OK**. - -You can now see which processes have DEP enabled. - - - -![Processes with DEP enabled in Windows 10.](images/security-fig5-dep.png) - -*Figure 2.  Processes on which DEP has been enabled in Windows 10* - -You can use Control Panel to view or change DEP settings. - -#### To use Control Panel to view or change DEP settings on an individual PC - -1. Open Control Panel, System: click Start, type **Control Panel System**, and press ENTER. - -2. Click **Advanced system settings**, and then click the **Advanced** tab. - -3. In the **Performance** box, click **Settings**. - -4. In **Performance Options**, click the **Data Execution Prevention** tab. - -5. Select an option: - - - **Turn on DEP for essential Windows programs and services only** - - - **Turn on DEP for all programs and services except those I select**. 
If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP won't be turned on.
-
-#### To use Group Policy to control DEP settings
-
-You can use the Group Policy setting called **Process Mitigation Options** to control DEP settings. A few applications have compatibility problems with DEP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
-
-### Structured Exception Handling Overwrite Protection
-
-Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handling](/windows/win32/debug/structured-exception-handling) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they've been compiled with the latest improvements.
-
-You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
-
-### Address Space Layout Randomization
-
-One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. Any malware that could write directly to the system memory could overwrite it in well-known and predictable locations. 
-
-Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it's more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts.
-
-:::image type="content" alt-text="ASLR at work." source="images/security-fig4-aslr.png" lightbox="images/security-fig4-aslr.png":::
-
-**Figure 3.  ASLR at work**
-
-Windows 10 applies ASLR holistically across the system and increases the level of entropy many times compared with previous versions of Windows to combat sophisticated attacks such as heap spraying. 64-bit system and application processes can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another.
-
-You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings ("Force ASLR" and "Bottom-up ASLR"), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
-
-## Mitigations that are built in to Windows 10
-
-Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The subsequent table describes some of these mitigations.
-
-Control Flow Guard (CFG) is a mitigation that doesn't need configuration within the operating system, but does require an application developer to configure the mitigation into the application when it's compiled. 
CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they're compiled.
-
-### Table 3   Windows 10 mitigations to protect against memory exploits – no configuration needed
-
-| Mitigation and corresponding threat | Description |
-|---|---|
-| **SMB hardening for SYSVOL and NETLOGON shares**
helps mitigate
man-in-the-middle attacks | Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).

**More information**: [SMB hardening improvements for SYSVOL and NETLOGON shares](#smb-hardening-improvements-for-sysvol-and-netlogon-shares), later in this topic. |
-| **Protected Processes**
help prevent one process
from tampering with another
process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those processes that have been specially signed.

**More information**: [Protected Processes](#protected-processes), later in this topic. |
-| **Universal Windows apps protections**
screen downloadable
apps and run them in
an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.

**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. |
-| **Heap protections**
help prevent
exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures that help protect against corruption of memory used by the heap.

**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. |
-| **Kernel pool protections**
help prevent
exploitation of pool memory
used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.

**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. |
-| **Control Flow Guard**
helps mitigate exploits
based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it's compiled. It's built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker's attempt to change the intended flow of code. If this attempt occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
-| **Protections built into Microsoft Edge** (the browser)
helps mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer11), later in this topic. |
-
-### SMB hardening improvements for SYSVOL and NETLOGON shares
-
-In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This requirement reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won't process domain-based Group Policy and scripts.
-
-> [!NOTE]
-> The registry values for these settings aren't present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://msrc-blog.microsoft.com/2015/02/10/ms15-011-ms15-014-hardening-group-policy/).
-
-### Protected Processes
-
-Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on malware that gets on the device. Protected Processes creates limits of this type.
-
-With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those processes that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes.
Windows 10 uses Protected Processes more broadly across the operating system, and, as in Windows 8.1, implements them in a way that can be used by third-party anti-malware vendors, as described in [Protecting Anti-Malware Services](/windows/win32/services/protecting-anti-malware-services-). This ease in use helps make the system and anti-malware solutions less susceptible to tampering by malware that does manage to get on the system.
-
-### Universal Windows apps protections
-
-When users download Universal Windows apps from the Microsoft Store, it's unlikely that they'll encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
-
-Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission.
-
-In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the exact capabilities the app requires (for example, access to the camera), along with the app's age rating and publisher.
-
-### Windows heap protections
-
-The *heap* is a location in memory that Windows uses to store dynamic application data.
Windows 10 continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part of an attack.
-
-Windows 10 has several important improvements to the security of the heap:
-
-- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption.
-
-- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable.
-
-- **Heap guard pages** before and after blocks of memory, which work as trip wires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.
-
-### Kernel pool protections
-
-The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory ("nonpaged pool") and one that can be paged in and out of physical memory ("paged pool"). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple "pool hardening" protections, such as integrity checks, that help protect the kernel pool against more advanced attacks.
-
-In addition to pool hardening, Windows 10 includes other kernel hardening features:
-
-- **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic.
-
-- **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](/windows/win32/secauthz/appcontainer-isolation).
-
-- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.)
-
-- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the "supervisor") from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This configuration requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support.
-
-- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the "FastFail" mechanism to enable rapid and safe process termination.
-
-- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps aren't allowed to allocate that portion of the memory. This allocation for the system makes it more difficult for malware to use techniques such as "NULL dereference" to overwrite critical system data structures in memory.
-
-### Control Flow Guard
-
-When applications are loaded into memory, they're allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls the other code located in other memory addresses. The relationships between the code locations are well known—they're written in the code itself—but previous to Windows 10, the flow between these locations wasn't enforced, which gave attackers the opportunity to change the flow to meet their needs.
-
-This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location isn't trusted, the application is immediately terminated as a potential security risk.
-
-An administrator can't configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](/windows/win32/secbp/control-flow-guard).
-
-Browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG.
-
-### Microsoft Edge and Internet Explorer 11
-
-Browser security is a critical component of any security strategy, and for good reason: the browser is the user's interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users can't perform at least part of their job without a browser, and many users are reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks.
-
-All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples are Flash and Java extensions that enable their respective applications to run inside a browser. The security of Windows 10 for the purposes of web browsing and applications, especially for these two content types, is a priority.
-
-Windows 10 includes an entirely new browser, Microsoft Edge.
Microsoft Edge is more secure in multiple ways, especially:
-
-- **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions.
-
-- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits.
-
-- **Includes Memory Garbage Collection (MemGC)**. This feature helps protect against use-after-free (UAF) issues.
-
-- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge.
-
-- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, making it more secure by default.
-
-In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that don't work with Microsoft Edge. You can't configure it as the primary browser but rather as an optional or automatic switchover.
We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security.
-
-For sites that require IE11 compatibility, including those sites that require binary extensions and plug-ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11.
-
-### Functions that software vendors can use to build mitigations into apps
-
-Some of the protections available in Windows 10 are provided through functions that can be called from apps or other software. Such software is less likely to provide openings for exploits. If you're working with a software vendor, you can request that they include these security-oriented functions in the application. The following table lists some types of mitigations and the corresponding security-oriented functions that can be used in apps.
-
-> [!NOTE]
-> Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For more information, see [Control Flow Guard](#control-flow-guard), earlier in this topic.
-
-### Table 4   Functions available to developers for building mitigations into apps
-
-| Mitigation | Function |
-|-------------|-----------|
-| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] |
-| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] |
-| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] |
-| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy)
\[ProcessSignaturePolicy\] |
-| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy)
\[ProcessSystemCallDisablePolicy\] |
-| High Entropy ASLR for up to 1 TB of variance in memory allocations | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] |
-| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] |
-| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] |
-| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] |
-
-## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit
-
-You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/topic/emet-mitigations-guidelines-b529d543-2a81-7b5a-d529-84b30e1ecee0), which has since 2009 offered various exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those mitigations in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with extra improvements. However, some EMET mitigations carry high-performance cost, or appear to be relatively ineffective against modern threats, and therefore haven't been brought into Windows 10.
-
-Because many of EMET's mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly the ones assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://web.archive.org/web/20170928073955/https://technet.microsoft.com/en-US/security/jj653751)).
-
-The following table lists EMET features in relation to Windows 10 features.
-
-### Table 5   EMET features in relation to Windows 10 features
-
-|Specific EMET features|How these EMET features map to Windows 10 features|
-|--- |--- |
-|
  • DEP
  • SEHOP
  • ASLR (Force ASLR, Bottom-up ASLR)|DEP, SEHOP, and ASLR are included in Windows 10 as configurable features. See [Table 2](#table-2), earlier in this topic.You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10.|
-|
  • Load Library Check (LoadLib)
  • Memory Protection Check (MemProt)|LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See [Table 4](#functions-that-software-vendors-can-use-to-build-mitigations-into-apps), earlier in this topic.|
-|Null Page|Mitigations for this threat are built into Windows 10, as described in the "Memory reservations" item in [Kernel pool protections](#kernel-pool-protections), earlier in this topic.|
-|
  • Heap Spray
  • EAF
  • EAF+|Windows 10 doesn't include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and don't significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.|
-|
  • Caller Check
  • Simulate Execution Flow
  • Stack Pivot
  • Deep Hooks (an ROP "Advanced Mitigation")
  • Anti Detours (an ROP "Advanced Mitigation")
  • Banned Functions (an ROP "Advanced Mitigation")|Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in [Control Flow Guard](#control-flow-guard), earlier in this topic.|
-
-### Converting an EMET XML settings file into Windows 10 mitigation policies
-
-One of EMET's strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet:
-
-```powershell
-Install-Module -Name ProcessMitigations
-```
-
-The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process, or it can save all settings to an XML file.
-
-To get the current settings on all running instances of notepad.exe:
-
-```powershell
-Get-ProcessMitigation -Name notepad.exe -RunningProcess
-```
-
-To get the current settings in the registry for notepad.exe:
-
-```powershell
-Get-ProcessMitigation -Name notepad.exe
-```
-
-To get the current settings for the running process with pid 1304:
-
-```powershell
-Get-ProcessMitigation -Id 1304
-```
-
-To get the all process mitigation settings from the registry and save them to the xml file settings.xml:
-
-```powershell
-Get-ProcessMitigation -RegistryConfigFilePath settings.xml
-```
-
-The Set-ProcessMitigation cmdlet can enable and disable process mitigations or set them in bulk from an XML file.
-
-To get the current process mitigation for "notepad.exe" from the registry and then enable MicrosoftSignedOnly and disable MandatoryASLR:
-
-```powershell
-Set-ProcessMitigation -Name Notepad.exe -Enable MicrosoftSignedOnly -Disable MandatoryASLR
-```
-
-To set the process mitigations from an XML file (which can be generated from get-ProcessMitigation -RegistryConfigFilePath settings.xml):
-
-```powershell
-Set-ProcessMitigation -PolicyFilePath settings.xml
-```
-
-To set the system default to be MicrosoftSignedOnly:
-
-```powershell
-Set-ProcessMitigation -System -Enable MicrosoftSignedOnly
-```
-
-The ConvertTo-ProcessMitigationPolicy cmdlet converts mitigation policy file formats. The syntax is:
-
-```powershell
-ConvertTo-ProcessMitigationPolicy -EMETFilePath -OutputFilePath []
-```
-
-Examples:
-
-- **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate a result file of Windows 10 mitigation settings. For example:
-
- ```powershell
- ConvertTo-ProcessMitigationPolicy -EMETFilePath policy.xml -OutputFilePath result.xml
- ```
-
-- **Audit and modify the converted settings (the output file)**: More cmdlets let you apply, enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables MandatoryASLR and DEPATL registry settings for Notepad:
-
- ```powershell
- Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL
- ```
-
-- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy.
For more information, see [Deploying App Control for Business policies](../application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide.md). This completion will enable protections on Windows 10 equivalent to EMET's ASR protections.
-
-- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET "Certificate Trust" XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning). For example:
-
- ```powershell
- ConvertTo-ProcessMitigationPolicy -EMETfilePath certtrustrules.xml -OutputFilePath enterprisecertpinningrules.xml
- ```
-
-#### EMET-related products
-
-Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint).
-
-## Related topics
-
-- [Security and Assurance in Windows Server 2016](/windows-server/security/security-and-assurance)
-- [Microsoft Defender for Endpoint - resources](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
-- [Microsoft Microsoft Defender for Endpoint - documentation](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
-- [Exchange Online Advanced Threat Protection Service Description](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description)
-- [Microsoft Defender for Office 365](https://products.office.com/en-us/exchange/online-email-threat-protection)
-- [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/mmpc/default.aspx)
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
index 3c263da76b..ae0871033c 100644
--- a/windows/whats-new/deprecated-features-resources.md
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -1,13 +1,13 @@
 ---
 title: Resources for deprecated features in the Windows client
 description: Resources and details for deprecated features in the Windows client.
-ms.date: 04/24/2025
+ms.date: 05/23/2025
 ms.service: windows-client
 ms.subservice: itpro-fundamentals
 ms.localizationpriority: medium
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.topic: reference
 ms.collection:
 - highpri
@@ -23,7 +23,7 @@ This article provides more information about some [deprecated features for Windo
 
 ## Maps app
 
-Maps is deprecated and will be removed from the Microsoft Store by July 2025. At this time, there will also be a final update to the app from the Store that makes it nonfunctional. If you remove the app before July 2025, you can still reinstall it from the Store, but past July 2025 you won't be able to reinstall it. You'll be able to uninstall the app at any time. Any personal data or files you have saved, such as guided navigation or URLs to maps, won't be removed, but they'll no longer function in the Maps app past July 2025. If you wish to still use maps powered by the Bing service, please visit [https://www.bing.com/maps](https://www.bing.com/maps). Maps is no longer preinstalled with Windows starting with the Windows 11, version 24H2 release.
+Maps is deprecated and will be removed from the Microsoft Store by July 2025. At this time, there will also be a final update to the app from the Store that makes it nonfunctional. If you remove the app before July 2025, you can still reinstall it from the Store, but past July 2025 you won't be able to reinstall it. You'll be able to uninstall the app at any time. Any personal data or files you have saved, such as guided navigation or URLs to maps, won't be removed, but they'll no longer function in the Maps app past July 2025. If you wish to still use maps powered by the Bing service, please visit [https://www.bing.com/maps](https://www.bing.com/maps). Maps is no longer preinstalled with Windows starting with the Windows 11, version 24H2 release.
 
 ## Windows UWP Map control and Windows Maps platform APIs
 
@@ -36,18 +36,18 @@ In May 2024, we announced the unification of [Bing Maps for Enterprise](https://
 
 ## Paint 3D
 
-Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. Existing installations of Paint 3D will continue to work, but the app will no longer be available for download from the Microsoft Store. If you remove the app, you can reinstall it from the Microsoft Store until November 4, 2024. After that date, Paint 3D will no longer be available for download. Paint 3D was preinstalled on some Windows 10 devices, but wasn't preinstalled on Windows 11 devices. Some alternatives to Paint 3D include:
+Paint 3D was deprecated in August 2024 and was removed from the Microsoft Store on November 4, 2024. Existing installations of Paint 3D will continue to work, but the app will no longer be available for download from the Microsoft Store. If you remove the app, you can reinstall it from the Microsoft Store until November 4, 2024. After that date, Paint 3D will no longer be available for download. Paint 3D was preinstalled on some Windows 10 devices, but wasn't preinstalled on Windows 11 devices. Some alternatives to Paint 3D include:
 
 - View and edit 2D images: [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4)
 - View 3D content: [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths).
 
 ## NTLM
 
-Customers concerned about NTLM usage in their environments are encouraged to utilize [NTLM auditing](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain) to [investigate how NTLM is being used](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191).
+Customers concerned about NTLM usage in their environments are encouraged to utilize [NTLM auditing](/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain) to [investigate how NTLM is being used](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191). In many cases, applications should be able to replace NTLM with Negotiate using a one-line change in their `AcquireCredentialsHandle` request to the SSPI. One known exception is for applications that make hard assumptions about the maximum number of round trips needed to complete authentication. In most cases, Negotiate will add at least one additional round trip. Some scenarios might require additional configuration. For more information, see [Kerberos authentication troubleshooting guidance](/troubleshoot/windows-server/windows-security/kerberos-authentication-troubleshooting-guidance). -Negotiate's built-in fallback to NTLM is preserved to mitigate compatibility issues during this transition. For updates on NTLM deprecation, see [https://aka.ms/ntlm](https://aka.ms/ntlm). +Negotiate's built-in fallback to NTLM is preserved to mitigate compatibility issues during this transition. For updates on NTLM deprecation, see [https://aka.ms/ntlm](https://aka.ms/ntlm). NTLM v1 is removed starting in Windows 11, version 24H2 and Windows Server 2025. Some situations still use NTLMv1 primitives for legacy reasons. MSCHAPv2 uses the same response function as NTLMv1 and is vulnerable to the same attacks against the weak crypto. MSCHAPv2 is only disabled by enabling Credential Guard. 
@@ -57,14 +57,14 @@ WordPad is removed from all editions of Windows starting in Windows 11, version
 - wordpad.exe
 - wordpadfilter.dll
-- write.exe
+- write.exe
 
 Avoid taking a direct dependency on these binaries and Wordpad in your product. Instead, for trying to open a text file, rely on Microsoft Word or Notepad.
 
 ## VBScript
 
 VBScript will be available as a [feature on demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before being retired in future Windows releases. Initially, the VBScript feature on demand will be preinstalled to allow for uninterrupted use while you prepare for the retirement of VBScript.
- 
+
 
 ## TLS versions 1.0 and 1.1 disablement resources
 
 Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 are disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1.
@@ -111,7 +111,7 @@ Re-enabling TLS 1.0 or TLS 1.1 on machines should only be done as a last resort, ## Microsoft Support Diagnostic Tool resources -The [Microsoft Support Diagnostic Tool (MSDT)](/windows-server/administration/windows-commands/msdt) gathers diagnostic data for analysis by support professionals. MSDT is the engine used to run legacy Windows built-in troubleshooters. There are currently 28 built-in troubleshooters for MSDT. Half of the built-in troubleshooters have already been [redirected](#redirected-msdt-troubleshooters) to the Get Help platform, while the other half will be [retired](#retired-msdt-troubleshooters). +The [Microsoft Support Diagnostic Tool (MSDT)](/windows-server/administration/windows-commands/msdt) gathers diagnostic data for analysis by support professionals. MSDT is the engine used to run legacy Windows built-in troubleshooters. There are currently 28 built-in troubleshooters for MSDT. Half of the built-in troubleshooters have already been [redirected](#redirected-msdt-troubleshooters) to the Get Help platform, while the other half will be [retired](#retired-msdt-troubleshooters). If you're using MSDT to run [custom troubleshooting packages](/previous-versions/windows/desktop/wintt/package-schema), it will be available as a [feature on demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before the tool is fully retired in 2025. This change allows you to continue to use MSDT to run custom troubleshooting packages while transitioning to a new platform. [Contact Microsoft support](https://support.microsoft.com/contactus) for Windows if you require more assistance. diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index 3b4bdd7f15..46a4823b8b 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md 
@@ -1,13 +1,13 @@ --- title: Deprecated features in the Windows client description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11. -ms.date: 05/02/2025 +ms.date: 05/23/2025 ms.service: windows-client ms.subservice: itpro-fundamentals ms.localizationpriority: medium author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.topic: reference ms.collection: - highpri @@ -55,7 +55,7 @@ The features in this article are no longer being actively developed, and might b | Location History | We're deprecating and removing the Location History feature, an [API](/uwp/api/windows.devices.geolocation.geolocator.getgeopositionhistoryasync) that allowed Cortana to access 24 hours of device history when location was enabled. With the removal of the Location History feature, location data will no longer be saved locally and the corresponding settings will also be removed from the **Privacy & Security** > **Location** page in **Settings**. | February 2025 | | Suggested actions | Suggested actions that appear when you copy a phone number or future date in Windows 11 are deprecated and will be removed in a future Windows 11 update. | December 2024 | | Legacy DRM services | Legacy DRM services, used by either Windows Media Player, Silverlight clients, Windows 7, or Windows 8 clients are deprecated. The following functionality won't work when these services are fully retired:
    • Playback of protected content in the legacy Windows Media Player on Windows 7
    • Playback of protected content in a Silverlight client and Windows 8 clients
    • In-home streaming playback from a Silverlight client or Windows 8 client to an Xbox 360
    • Playback of protected content ripped from a personal CD on Windows 7 clients using Windows Media Player
    | September 2024 | -| Paint 3D | Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. To view and edit 2D images, you can use [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4). For viewing 3D content, you can use [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths). For more information, see [Resources for deprecated features](deprecated-features-resources.md#paint-3d). | August 2024 | +| Paint 3D | Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. To view and edit 2D images, you can use [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4). For viewing 3D content, you can use [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths). For more information, see [Resources for deprecated features](deprecated-features-resources.md#paint-3d).

    **[Update - May 2025]** Paint 3D was deprecated in August 2024 and was removed from the Microsoft Store on November 4, 2024. To view and edit 2D images, you can use [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4). For viewing 3D content, you can use [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths). For more information, see [Resources for deprecated features](deprecated-features-resources.md#paint-3d).| August 2024 | | Adobe Type1 fonts | Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows.

    In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 | | DirectAccess | DirectAccess is deprecated and will be removed in a future release of Windows. We recommend [migrating from DirectAccess to Always On VPN](/windows-server/remote/remote-access/da-always-on-vpn-migration/da-always-on-migration-overview). | June 2024 | | NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which tries to authenticate with Kerberos and only falls back to NTLM when necessary. For more information, see, [Resources for deprecated features](deprecated-features-resources.md).

    **[Update - November 2024]**: NTLMv1 is [removed](removed-features.md) starting in Windows 11, version 24H2 and Windows Server 2025. | June 2024 | @@ -97,7 +97,7 @@ The features in this article are no longer being actively developed, and might b | XDDM-based remote display driver | The Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 | | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 | | Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which aren't as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 | -| Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 | +| Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.

    **[Update - May 2025]** As of July 2024, 3D Builder is no longer supported and it was removed from the Microsoft Store. For ongoing 3D printing needs, contact your 3D printer provider for their recommendation. | 1903 | |Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this reason, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 | |OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We added a sync engine to the Outlook app that provides the same synchronization.| 1809 | |[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 | diff --git a/windows/whats-new/enable-extended-security-updates.md b/windows/whats-new/enable-extended-security-updates.md index 38beaa6486..af03388d2c 100644 --- a/windows/whats-new/enable-extended-security-updates.md +++ b/windows/whats-new/enable-extended-security-updates.md @@ -5,7 +5,7 @@ ms.service: windows-client ms.subservice: itpro-fundamentals ms.author: mstewart author: mestew -manager: aaroncz +manager: bpardi ms.localizationpriority: medium ms.topic: article ms.date: 05/21/2025 
@@ -32,7 +32,6 @@ To enable ESU for Windows 10, you must meet the following prerequisites: **Endpoints for client activation:** - `https://go.microsoft.com/` -- `https://go.microsoft.com/` - `https://login.live.com` - `https://activation.sls.microsoft.com/` - `http://crl.microsoft.com/` @@ -55,7 +54,7 @@ To enable ESU for Windows 10, you must meet the following prerequisites: If you bought ESU licenses, you can activate them with Multiple Activation Keys (MAK) that you get from the Microsoft 365 admin center. To find the ESU license MAK, use the following steps: 1. In the [admin center](https://admin.microsoft.com), go to the **Billing** > **Your Products** page, then select the Volume licensing tab. -2. In the **Contracts** section, select **View contracts**. +2. In the **Contracts** section, select **View contracts**. 3. On the Contracts page, find the **License ID** that the ESU licenses were purchased under, select the three dots (**More actions**), then select **View product keys**. The **Product keys** details page includes contract details and a list of all keys for that contract. > [!NOTE] 
@@ -151,10 +150,10 @@ If the device doesn't have access to the internet or to the Microsoft Activation The output should show the **Name** of the corresponding ESU program and the **License Status** as `Licensed` for that program. ## Activate large numbers of devices that don't have internet access - + For more information on how to do manual activation of large numbers of devices, review the Volume Activation Management Tool (VAMT) [Proxy Activation](/windows/deployment/volume-activation/proxy-activation-vamt) scenario. You should install the latest [Automated Deployment Kit (ADK) tool](/windows-hardware/get-started/adk-install) to ensure that the VAMT tool includes updated PkeyConfig files for Windows 10 ESU MAK keys. -For more information on adding additional activations to a Windows 10 ESU MAK, see [Request an increase to MAK activation limits](/microsoft-365/commerce/licenses/product-keys-for-vl#request-an-increase-to-mak-activation-limits). +For more information on adding additional activations to a Windows 10 ESU MAK, see [Request an increase to MAK activation limits](/microsoft-365/commerce/licenses/product-keys-for-vl#request-an-increase-to-mak-activation-limits). ## Related content diff --git a/windows/whats-new/extended-security-updates.md b/windows/whats-new/extended-security-updates.md index 8bacc05a7c..46e5be5e94 100644 --- a/windows/whats-new/extended-security-updates.md +++ b/windows/whats-new/extended-security-updates.md @@ -1,11 +1,11 @@ --- -title: Extended Security Updates (ESU) program for Windows 10 +title: Extended Security Updates (ESU) program for Windows 10 description: Learn about the Extended Security Updates (ESU) program for Windows 10. The ESU program gives customers the option to receive security updates for Windows 10. ms.service: windows-client ms.subservice: itpro-fundamentals ms.author: mstewart author: mestew -manager: aaroncz +manager: bpardi ms.localizationpriority: medium ms.topic: article ms.date: 05/21/2025 
@@ -42,13 +42,13 @@ ESUs doesn't include the following items: ## Frequently asked questions -The following are frequently asked questions about the ESU program for Windows 10: +The following are frequently asked questions about the ESU program for Windows 10: ### How much does ESU cost? Extended Security Updates for organizations and businesses on Windows 10 can be purchased today through the Microsoft Volume Licensing Program, at $61 USD per device for Year One. For more information, see [When to use Windows 10 Extended Security Updates](https://techcommunity.microsoft.com/blog/windows-itpro-blog/when-to-use-windows-10-extended-security-updates/4102628). The price doubles every consecutive year, for a maximum of three years. ESU is available at no additional cost for Windows 10 virtual machines in the following services: -- [Windows 365](/windows-365/overview) +- [Windows 365](/windows-365/overview) - [Azure Virtual Desktop](/azure/virtual-desktop/overview) - [Azure virtual machines](/azure/virtual-machines/overview) - [Azure Dedicated Host](/azure/virtual-machines/dedicated-hosts) @@ -60,7 +60,7 @@ Extended Security Updates for organizations and businesses on Windows 10 can be Additionally, Windows 10 endpoints connecting to Windows 365 Cloud PCs will be entitled to the ESU for up to three years, with an active Windows 365 subscription license. For more information about Windows 365, see [What is Windows 365?](/windows-365/overview). -For individuals or Windows 10 Home customers, Extended Security Updates for Windows 10 will be available for purchase at $30 for one year. +For individuals or Windows 10 Home customers, Extended Security Updates for Windows 10 will be available for purchase at $30 for one year. ### Is there a minimum license purchase requirement for Windows 10 ESU? 
@@ -82,7 +82,7 @@ Enrolled PCs belonging to a commercial or educational organization can receive s ### Is technical support included in ESU? -No, technical support isn't included in the ESU program. Microsoft will provide support for customers that encounter challenges related to the ESU. +No, technical support isn't included in the ESU program. Microsoft will provide support for customers that encounter challenges related to the ESU. ### Will Windows 10 PCs stop working without the ESU offering? diff --git a/windows/whats-new/feature-lifecycle.md b/windows/whats-new/feature-lifecycle.md index 578a92fb51..f16809dce1 100644 --- a/windows/whats-new/feature-lifecycle.md +++ b/windows/whats-new/feature-lifecycle.md @@ -4,7 +4,7 @@ description: Learn about the lifecycle of Windows features, as well as features ms.service: windows-client ms.localizationpriority: medium author: mestew -manager: aaroncz +manager: bpardi ms.author: mstewart ms.topic: reference ms.subservice: itpro-fundamentals diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 9d6a27a7f2..c7a53d0afb 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -12,9 +12,9 @@ metadata: ms.collection: - highpri - tier1 - author: aczechowski - ms.author: aaroncz - manager: aaroncz + author: mestew + ms.author: mstewart + manager: bpardi ms.date: 07/01/2024 ms.localizationpriority: medium @@ -42,7 +42,7 @@ landingContent: - linkListType: whats-new links: - text: What's new in Windows 11, version 24H2 - url: whats-new-windows-11-version-24h2.md + url: whats-new-windows-11-version-24h2.md - text: What's new in Windows 11, version 23H2 url: whats-new-windows-11-version-23h2.md - text: What's new in Windows 11, version 22H2 
@@ -64,7 +64,7 @@ landingContent: - text: Windows Enterprise LTSC overview url: ltsc/overview.md - text: What's new in Windows 11 Enterprise LTSC 2024 - url: ltsc/whats-new-windows-11-2024.md + url: ltsc/whats-new-windows-11-2024.md - text: What's new in Windows 10 Enterprise LTSC 2021 url: ltsc/whats-new-windows-10-2021.md - text: What's new in Windows 10 Enterprise LTSC 2019 @@ -73,7 +73,7 @@ landingContent: url: ltsc/whats-new-windows-10-2016.md - text: What's new in Windows 10 Enterprise LTSC 2015 url: ltsc/whats-new-windows-10-2015.md - + - title: Deprecated features linkLists: diff --git a/windows/whats-new/ltsc/overview.md b/windows/whats-new/ltsc/overview.md index 1ac5c31aeb..1744490bdb 100644 --- a/windows/whats-new/ltsc/overview.md +++ b/windows/whats-new/ltsc/overview.md @@ -4,7 +4,7 @@ description: An overview of the Windows long-term servicing channel (LTSC). ms.service: windows-client author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: low ms.topic: overview ms.subservice: itpro-fundamentals diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 2df8a9ec8d..929fd93dc6 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10 Enterprise LTSC 2015 -manager: aaroncz +manager: bpardi ms.author: mstewart description: New and updated IT pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB). ms.service: windows-client @@ -248,7 +248,7 @@ Enterprises have the following identity and management choices. > [!NOTE] > With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/). - + ### Device lockdown 
@@ -270,7 +270,7 @@ A standard Start layout can be useful on devices that are common to multiple use
 Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight).
-## Updates
+## Updates
 Windows Update client policies enable information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft's Windows Update service.
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 9c94a7e808..ea6f5b3131 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -1,6 +1,6 @@
 ---
 title: What's new in Windows 10 Enterprise LTSC 2016
-manager: aaroncz
+manager: bpardi
 ms.author: mstewart
 description: New and updated IT pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB).
 ms.service: windows-client
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 9b46e095f9..ec4ade72b3 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -1,6 +1,6 @@
 ---
 title: What's new in Windows 10 Enterprise LTSC 2019
-manager: aaroncz
+manager: bpardi
 ms.author: mstewart
 description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB).
 ms.service: windows-client
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index f8a15b202a..7f9bb0de42 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -1,6 +1,6 @@
 ---
 title: What's new in Windows 10 Enterprise LTSC 2021
-manager: aaroncz
+manager: bpardi
 ms.author: mstewart
 description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021.
 ms.service: windows-client
@@ -22,9 +22,9 @@ This article lists new and updated features and content that is of interest to I
 >
 > The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the general availability channel release of Windows 10 might be limited.
-Windows 10 Enterprise LTSC 2021 builds on Windows 10 Enterprise LTSC 2019, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
+Windows 10 Enterprise LTSC 2021 builds on Windows 10 Enterprise LTSC 2019, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
-The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, 21H1, and 21H2. Details about these enhancements are provided below.
+The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, 21H1, and 21H2. Details about these enhancements are provided below.
 ## Lifecycle 
@@ -41,7 +41,7 @@ For more information about the lifecycle for this release, see [The next Windows
 In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO.
-With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones.
+With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones.
 There are already devices in the market today that offer SMM Firmware Protection versions one and two. SMM Firmware Protection version three This feature is currently forward-looking and requires new hardware that will be made available soon. 
@@ -49,7 +49,7 @@ There are already devices in the market today that offer SMM Firmware Protection
 ### System security
-[Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
+[Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
 ### Encryption and data protection 
@@ -59,13 +59,13 @@ BitLocker and Mobile Device Management (MDM) with Microsoft Entra ID work togeth #### Windows Defender Firewall -Windows Defender Firewall now offers the following benefits: +Windows Defender Firewall now offers the following benefits: -**Reduce risk**: Windows Defender Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. +**Reduce risk**: Windows Defender Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. -**Safeguard data**: With integrated Internet Protocol Security (IPsec), Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. +**Safeguard data**: With integrated Internet Protocol Security (IPsec), Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. -**Extend value**: Windows Defender Firewall is a host-based firewall that is included with the operating system, so there's no other hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). 
+**Extend value**: Windows Defender Firewall is a host-based firewall that is included with the operating system, so there's no other hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). The Windows Defender Firewall is also now easier to analyze and debug. IPsec behavior has been integrated with Packet Monitor (pktmon), an in-box cross-component network diagnostic tool for Windows. @@ -107,7 +107,7 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)]( - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard's browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. - To try this extension: + To try this extension: 1. Configure Application Guard policies on your device. 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. 3. Follow any of the other configuration steps on the extension setup page. 
@@ -186,11 +186,11 @@ This release also includes two new features called key-rolling and key-rotation ### SetupDiag -[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. ### Reserved storage -[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. +[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. 
It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10.
 ### Windows Assessment and Deployment Toolkit (ADK)
diff --git a/windows/whats-new/ltsc/whats-new-windows-11-2024.md b/windows/whats-new/ltsc/whats-new-windows-11-2024.md
index 2e098597d2..115347b607 100644
--- a/windows/whats-new/ltsc/whats-new-windows-11-2024.md
+++ b/windows/whats-new/ltsc/whats-new-windows-11-2024.md
@@ -1,6 +1,6 @@
 ---
 title: What's new in Windows 11 Enterprise long-term servicing channel (LTSC) 2024
-manager: aaroncz
+manager: bpardi
 ms.author: mstewart
 description: New and updated IT Pro content about new features in Windows 11 Enterprise long-term servicing channel (LTSC) 2024.
 ms.service: windows-client
diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md
index 9207100001..f4c5e2cc7d 100644
--- a/windows/whats-new/removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -5,10 +5,10 @@ ms.service: windows-client
 ms.localizationpriority: medium
 author: mestew
 ms.author: mstewart
-manager: aaroncz
+manager: bpardi
 ms.topic: reference
-ms.subservice: itpro-fundamentals
-ms.date: 03/11/2025
+ms.subservice: itpro-fundamentals
+ms.date: 05/23/2025
 ms.collection:
 - highpri
 - tier1 
@@ -19,7 +19,7 @@ appliesto: # Features and functionality removed in Windows client -Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionality that have been removed in Windows client. +Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionality that have been removed in Windows client. For more information about features that might be removed in a future release, see [Deprecated features for Windows client](deprecated-features.md). 
@@ -39,7 +39,9 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Support removed | | ----------- | --------------------- | ------ | | Location History | We are removing the Location History feature, an [API](/uwp/api/windows.devices.geolocation.geolocator.getgeopositionhistoryasync) that allowed Cortana to access 24 hours of device history when location was enabled. With the removal of the Location History feature, location data will no longer be saved locally and the corresponding settings will also be removed from the **Privacy & Security** > **Location** page in **Settings**. This feature is being gradually removed from devices using a controlled feature rollout (CFR). | March 25, 2025 | -| Data Encryption Standard (DES) | DES, the symmetric-key block encryption cipher, is considered nonsecure against modern cryptographic attacks, and replaced by more robust encryption algorithms. DES was disabled by default starting with Windows 7 and Windows Server 2008 R2. It's removed from Windows 11, version 24H2 and later, and [Windows Server 2025](/windows-server/get-started/removed-deprecated-features-windows-server-2025) and later.| September 2025 | +| Paint 3D | Paint 3D was deprecated in August 2024 and was removed from the Microsoft Store on November 4, 2024. To view and edit 2D images, you can use [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4). For viewing 3D content, you can use [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths). | November 4, 2024 | +| Windows Mixed Reality | As announced in December of 2023, Mixed Reality was removed in Windows 11, version 24H2. This deprecation includes the Mixed Reality Portal app, Windows Mixed Reality for SteamVR, and Steam VR Beta. 
Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates. | 24H2 | +| Data Encryption Standard (DES) | DES, the symmetric-key block encryption cipher, is considered nonsecure against modern cryptographic attacks, and replaced by more robust encryption algorithms. DES was disabled by default starting with Windows 7 and Windows Server 2008 R2. It's removed from Windows 11, version 24H2 and later, and [Windows Server 2025](/windows-server/get-started/removed-deprecated-features-windows-server-2025) and later.| September 2025 | | NTLMv1 | NTLMv1 is removed starting in Windows 11, version 24H2 and Windows Server 2025. | 24H2 | | Windows Information Protection | Windows Information Protection is removed starting in Windows 11, version 24H2. | 24H2 | | Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is deprecated for Microsoft Edge for Business and is no longer available starting with Windows 11, version 24H2. | 24H2 | 
@@ -57,10 +59,11 @@ The following features and functionalities have been removed from the installed | Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for noncellular devices.| 2004 | | PNRP APIs| The Peer Name Resolution Protocol (PNRP) cloud service was shut down in Windows 10, version 1809. We're planning to complete the removal process by removing the corresponding APIs.

    **[Update - February 2024]**: The corresponding Windows APIs will be removed in Windows 11, version 24H2. DNS-SD and mDNS are recommended alternatives for implementing service discovery scenarios. | 1909 | | Taskbar settings roaming | Roaming of taskbar settings is removed in this release. This feature was announced as no longer being developed in Windows 10, version 1903. | 1909 | +| Print 3D | Print 3D is no longer supported or available for download from the Microsoft Store. | 1903 | | Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you'll only be able to access messages from the device that received the message. | 1903 | |Business Scanning also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| 1809 | |[FontSmoothing setting](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting lets you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it will be ignored.| 1809 | -|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or HoloLens with the Mixed Reality Viewer.| 1809 | +|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). 
| 1809 | |limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 | |Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 | |Future updates through [Windows Embedded Developer Update](/previous-versions/windows/embedded/ff770079(v=winembedded.60)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We're no longer publishing new updates to the WEDU server. Instead, download any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 | @@ -70,7 +73,7 @@ The following features and functionalities have been removed from the installed |HomeGroup|We're removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

    When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

    Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
    - [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
    - [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 | |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| 1803 | |XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

    However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you can [install XPS Viewer from **Apps and Features** in the Settings app](/windows/application-management/add-apps-and-features) or through [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 | -|3D Builder app | No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store.| 1709 | +|3D Builder app | No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store.

    **[Update - May 2025]** As of July 2024, 3D Builder is no longer supported and it was removed from the Microsoft Store. For ongoing 3D printing needs, contact your 3D printer provider for their recommendation. | 1709 | |Apndatabase.xml | For more information about the replacement database, see the following Hardware Dev Center articles:
    [MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
    [COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | 1709 | |Enhanced Mitigation Experience Toolkit (EMET) |Use of this feature will be blocked. Consider using [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/) as a replacement. | 1709 | |Outlook Express | This legacy application will be removed due to lack of functionality. | 1709 | diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md index e52f21b5da..cdd96b553f 100644 --- a/windows/whats-new/temporary-enterprise-feature-control.md +++ b/windows/whats-new/temporary-enterprise-feature-control.md @@ -5,7 +5,7 @@ ms.service: windows-client ms.subservice: itpro-fundamentals ms.author: mstewart author: mestew -manager: aaroncz +manager: bpardi ms.localizationpriority: medium ms.topic: reference ms.date: 04/25/2025 
@@ -55,7 +55,7 @@ The following features are behind temporary enterprise control in Windows 11: | Feature | KB article where the feature was introduced | Feature update that ends temporary control | Notes | |---|---|---|---| -| Improved Windows search |[April 25, 2025 - KB5055627](https://support.microsoft.com/kb/5055627) | | Improved Windows search will continue to respect your existing [search policies](/windows/client-management/mdm/policy-csp-search). | +| Improved Windows search |[April 25, 2025 - KB5055627](https://support.microsoft.com/kb/5055627) | | Improved Windows search will continue to respect your existing [search policies](/windows/client-management/mdm/policy-csp-search). | | Click to Do | [April 25, 2025 - KB5055627](https://support.microsoft.com/kb/5055627)| | This feature also has a permanent control. For more information, see [Manage Click to Do](/windows/client-management/manage-click-to-do). | | Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | | | Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | | diff --git a/windows/whats-new/whats-new-windows-10-version-22H2.md b/windows/whats-new/whats-new-windows-10-version-22H2.md index cf7858f2c8..7b315f41e3 100644 --- a/windows/whats-new/whats-new-windows-10-version-22H2.md +++ b/windows/whats-new/whats-new-windows-10-version-22H2.md @@ -5,7 +5,7 @@ ms.service: windows-client ms.subservice: itpro-fundamentals ms.author: mstewart author: mestew -manager: aaroncz +manager: bpardi ms.localizationpriority: medium ms.topic: reference ms.date: 07/09/2024 
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index 644ef67639..d2101e39a0 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -1,7 +1,7 @@
 ---
 title: What's new in Windows 11, version 22H2 for IT pros
 description: Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.author: mstewart
 author: mestew
diff --git a/windows/whats-new/whats-new-windows-11-version-23h2.md b/windows/whats-new/whats-new-windows-11-version-23h2.md
index a2bed8fed2..2ce7bcd987 100644
--- a/windows/whats-new/whats-new-windows-11-version-23h2.md
+++ b/windows/whats-new/whats-new-windows-11-version-23h2.md
@@ -1,7 +1,7 @@
 ---
 title: What's new in Windows 11, version 23H2 for IT pros
 description: Learn more about what's new in Windows 11 version 23H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
-manager: aaroncz
+manager: bpardi
 ms.service: windows-client
 ms.author: mstewart
 author: mestew
@@ -38,14 +38,14 @@ To learn more about the status of the update rollout, known issues, and new info When a managed Windows 11, version 22H2 device installs [version 23H2](https://support.microsoft.com/kb/5027397), the following features will no longer be under temporary enterprise feature control: -| Feature | KB article where the feature was introduced | +| Feature | KB article where the feature was introduced | |---|---| -| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913) | -| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | +| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913) | +| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | | Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | | Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | | [Dev Home](/windows/dev-home/) | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | -| [Dev Drive](/windows/dev-drive/) | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | +| [Dev Drive](/windows/dev-drive/) | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | ## Features added to Windows 11 since version 22H2 
@@ -66,7 +66,7 @@ When the policy is enabled, certain Windows authentication scenarios don't offer You can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities. For more information, see [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in). ### Declared configuration protocol - + **Declared configuration protocol** is a new protocol for device configuration management that's based on a desired state model and uses OMA-DM SyncML protocol. It allows the server to provide the device with a collection of settings for a specific scenario, and the device to handle the configuration request and maintain its state. For more information, see [What is the declared configuration protocol](/windows/client-management/declared-configuration). ### Education themes @@ -113,11 +113,11 @@ Dev Drive is a new form of storage volume available to improve performance for k ### Additional features -- **Tabs for File Explorer**: File Explorer includes tabs to help you organize your File Explorer sessions. +- **Tabs for File Explorer**: File Explorer includes tabs to help you organize your File Explorer sessions. - **Taskbar overflow menu**: The taskbar offers an entry point to a menu that shows all of your overflowed apps in one spot. - **Suggested actions**: Copied text in certain formats, such as phone numbers or dates, offer suggested actions such as calling the number or adding the event to your calendar. - **Task Manager enhancements**: Process filtering, theme settings, and the ability to opt out of efficiency mode notification were added to Task Manager. -- **Narrator improvements**: Scripting functionality was added to Narrator. Narrator includes more natural voices. +- **Narrator improvements**: Scripting functionality was added to Narrator. Narrator includes more natural voices. ### In-box apps 
diff --git a/windows/whats-new/whats-new-windows-11-version-24h2.md b/windows/whats-new/whats-new-windows-11-version-24h2.md index b84b1055b8..ac95ac244a 100644 --- a/windows/whats-new/whats-new-windows-11-version-24h2.md +++ b/windows/whats-new/whats-new-windows-11-version-24h2.md @@ -1,7 +1,7 @@ --- title: What's new in Windows 11, version 24H2 for IT pros description: Learn more about what's new in Windows 11 version 24H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more. -manager: aaroncz +manager: bpardi ms.service: windows-client ms.author: mstewart author: mestew @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.subservice: itpro-fundamentals -ms.date: 07/09/2024 +ms.date: 05/23/2025 appliesto: - ✅ Windows 11, version 24H2 --- @@ -242,6 +242,7 @@ The following developer APIs were added or updated: The following [deprecated features](deprecated-features.md) are [removed](removed-features.md) in Windows 11, version 24H2: -- **NTLMv1**: NTLMv1 is removed starting in Windows 11, version 24H2 and Windows Server 2025. +- **NTLMv1**: NTLMv1 is removed starting in Windows 11, version 24H2 and Windows Server 2025. - **WordPad**: WordPad is removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. - **Alljoyn**: Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) is retired. +- **Windows Mixed Reality**: Mixed Reality is removed starting in Windows 11, version 24H2. \ No newline at end of file 
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index 88e4b929b7..4d36ebd72a 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows 11 overview for administrators
 description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, apps, the new desktop, and deploying and servicing PCs.
-manager: aaroncz
+manager: bpardi
 author: mestew
 ms.author: mstewart
 ms.service: windows-client
@@ -34,11 +34,11 @@ This article lists what's new, and some of the features & improvements. For more The security and privacy features in Windows 11 are similar to Windows 10. Security for your devices starts with the hardware, and includes OS security, application security, and user & identity security. There are features available in the Windows OS to help in these areas. This section describes some of these features. For a more comprehensive view, including zero trust, see [Windows security](/windows/security/). - The **Windows Security** app is built into the OS. This app is an easy-to-use interface, and combines commonly used security features. For example, your get access to virus & threat protection, firewall & network protection, account protection, and more. - + For more information, see [the Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center). - **Security baselines** includes security settings that already configured, and ready to be deployed to your devices. If you don't know where to start, or it's too time consuming to go through all the settings, then you should look at Security Baselines. - + For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). - **Microsoft Defender Antivirus** is built into Windows, and helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Intune to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint. 
@@ -50,7 +50,7 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur - [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection) - The application security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more. - + For more information, see [Windows application security](/windows/security/apps). - **Windows Hello for Business** helps protect users and identities. It replaces passwords, and uses a PIN or biometric that stays locally on the device. Device manufacturers are including more secure hardware features, such as IR cameras and TPM chips. These features are used with Windows Hello for Business to help protect user identities on your organization devices. @@ -94,7 +94,7 @@ For more information on the security features you can configure, manage, and enf Users can manage some snap features using the **Settings** app > **System** > **Multitasking**. For more information on the end-user experience, see [Snap your windows](https://support.microsoft.com/windows/snap-your-windows-885a9b1e-a983-a3b1-16cd-c531795e6241). - You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu). + You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu). Starting in Windows 11, version 22H2, you can also activate snap layouts by dragging a window to the top of the screen. The feature is available for both mouse and touch. 
@@ -168,7 +168,7 @@ For more information on the security features you can configure, manage, and enf If users or groups in your organization do a lot with Windows PowerShell or the command prompt, then use policy to add the Windows Terminal app to the [Start menu layout](/windows/configuration/customize-start-menu-layout-windows-11) or the [Taskbar](/windows/configuration/customize-taskbar-windows-11). - Users can also search for the Terminal app, right-select the app, and pin the app to the Start menu and taskbar. + Users can also search for the Terminal app, right-select the app, and pin the app to the Start menu and taskbar. - The **Microsoft Store** has a new look, and includes more public and retail apps. For more information on the end-user experience, see: diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index de2ec6e9df..ea1aa12887 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -4,7 +4,7 @@ description: This article provides guidance to help you plan for Windows 11 in y ms.service: windows-client author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: high ms.topic: get-started ms.collection: diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 148413934a..0f41ef37b3 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -4,7 +4,7 @@ description: Prepare your infrastructure and tools to deploy Windows 11. ms.service: windows-client author: mestew ms.author: mstewart -manager: aaroncz +manager: bpardi ms.localizationpriority: high ms.topic: concept-article ms.collection: diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 909814ca56..549849717d 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md 
@@ -1,7 +1,7 @@
 ---
 title: Windows 11 requirements
 description: Hardware requirements to deploy Windows 11.
-manager: aaroncz
+manager: bpardi
 author: mestew
 ms.author: mstewart
 ms.service: windows-client
diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md
index c50c610a28..f6943deb1a 100644
--- a/windows/whats-new/windows-licensing.md
+++ b/windows/whats-new/windows-licensing.md
@@ -4,7 +4,7 @@ description: Learn about products and use rights available through Windows comme
 ms.subservice: itpro-security
 author: paolomatarazzo
 ms.author: paoloma
-manager: aaroncz
+manager: bpardi
 ms.collection:
 - tier2
 ms.topic: overview