diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index 2794193b88..3e58e829a1 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -39,7 +39,7 @@ For more information about the exception criteria and exception process, see [Mi Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality. -| Article | Total score
(Required: 80) | Words + phrases
(Brand, terms) | Correctness
(Spelling, grammar) | Clarity
(Readability) | +| Article | Total score
(Required: 80) | Terminology | Spelling and Grammar| Clarity
(Readability) | |---------|:--------------:|:--------------------:|:------:|:---------:| " diff --git a/.github/workflows/BuildValidation.yml b/.github/workflows/BuildValidation.yml new file mode 100644 index 0000000000..e57844b453 --- /dev/null +++ b/.github/workflows/BuildValidation.yml @@ -0,0 +1,21 @@ +name: PR has no warnings or errors + +permissions: + pull-requests: write + statuses: write + +on: + issue_comment: + types: [created] + +jobs: + + build-status: + uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-BuildValidation.yml@workflows-prod + with: + PayloadJson: ${{ toJSON(github) }} + secrets: + AccessToken: ${{ secrets.GITHUB_TOKEN }} + + + diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index aca908bb45..9a73ef453c 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -1,7 +1,7 @@ --- title: Configure federated sign-in for Windows devices description: Learn how federated sign-in in Windows works and how to configure it. -ms.date: 06/03/2024 +ms.date: 01/27/2025 ms.topic: how-to appliesto: - ✅ Windows 11 diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index fdb5c9671f..655fdb09e4 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -3,7 +3,7 @@ title: Updated Windows and Microsoft 365 Copilot Chat experience description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization. ms.topic: overview ms.subservice: windows-copilot -ms.date: 01/22/2025 +ms.date: 01/28/2025 ms.author: mstewart author: mestew ms.collection: @@ -59,9 +59,9 @@ For users signing in to new PCs with work or school accounts, the following expe The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now. The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience. -The Microsoft 365 Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. +The Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates. -Note that the Microsoft 365 Copilot app doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access. +Note that the Copilot app, which is a consumer experience, doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access. ## Policy information for previous Copilot in Windows (preview) experience @@ -80,7 +80,7 @@ The following policy to manage Copilot in Windows (preview) will be removed in t You can remove or uninstall the Copilot app from your device by using one of the following methods: -1. Enterprise users can uninstall the Copilot app by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list. +1. Enterprise users can uninstall the [Copilot app](https://apps.microsoft.com/detail/9NHT9RB2F4HD), which is a consumer experience, by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list. 1. If you are an IT administrator, you can prevent installation of the app or remove the Copilot app using one of the following methods: 1. Prevent installation of the Copilot app: diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index f4d06f4ce7..052ed1a825 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -551,6 +551,10 @@ The possible values for 'zz' are: - 1 = Store recovery passwords and key packages - 2 = Store recovery passwords only + +For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID. + +For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID. @@ -2092,6 +2096,10 @@ The possible values for 'zz' are: - 1 = Store recovery passwords and key packages. - 2 = Store recovery passwords only. + +For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID. + +For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID. diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 4367d3cb2f..a43aae095f 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -1,7 +1,7 @@ --- title: HealthAttestation CSP description: Learn more about the HealthAttestation CSP. -ms.date: 01/31/2024 +ms.date: 01/14/2025 --- @@ -51,7 +51,7 @@ The following list shows the HealthAttestation configuration service provider no | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5046732](https://support.microsoft.com/help/5046732) [10.0.22621.4541] and later
✅ Windows 11, version 24H2 with [KB5046617](https://support.microsoft.com/help/5046617) [10.0.26100.2314] and later
✅ Windows Insider Preview | diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 0c9d382872..5a273aecc4 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -1,7 +1,7 @@ --- title: HealthAttestation DDF file description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider. -ms.date: 06/28/2024 +ms.date: 01/14/2025 --- @@ -436,7 +436,7 @@ The following XML file contains the device description framework (DDF) for the H - 99.9.99999 + 99.9.99999, 10.0.26100.2314, 10.0.22621.4541 1.4 diff --git a/windows/client-management/mdm/policies-in-preview.md b/windows/client-management/mdm/policies-in-preview.md index 0e4249d643..a728e43011 100644 --- a/windows/client-management/mdm/policies-in-preview.md +++ b/windows/client-management/mdm/policies-in-preview.md @@ -1,7 +1,7 @@ --- title: Configuration service provider preview policies description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview. -ms.date: 11/27/2024 +ms.date: 01/14/2025 --- @@ -31,6 +31,7 @@ This article lists the policies that are applicable for Windows Insider Preview ## Connectivity +- [DisableCrossDeviceResume](policy-csp-connectivity.md#disablecrossdeviceresume) - [UseCellularWhenWiFiPoor](policy-csp-connectivity.md#usecellularwhenwifipoor) - [DisableCellularSettingsPage](policy-csp-connectivity.md#disablecellularsettingspage) - [DisableCellularOperatorSettingsPage](policy-csp-connectivity.md#disablecellularoperatorsettingspage) @@ -46,6 +47,10 @@ This article lists the policies that are applicable for Windows Insider Preview - [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn) - [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords) +## DeviceGuard + +- [MachineIdentityIsolation](policy-csp-deviceguard.md#machineidentityisolation) + ## DevicePreparation CSP - [PageEnabled](devicepreparation-csp.md#pageenabled) @@ -80,6 +85,12 @@ This article lists the policies that are applicable for Windows Insider Preview - [AttestErrorMessage](healthattestation-csp.md#attesterrormessage) +## HumanPresence + +- [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen) +- [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim) +- [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification) + ## InternetExplorer - [AllowLegacyURLFields](policy-csp-internetexplorer.md#allowlegacyurlfields) @@ -115,6 +126,10 @@ This article lists the policies that are applicable for Windows Insider Preview - [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning) +## Printers + +- [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy) + ## Reboot CSP - [WeeklyRecurrent](reboot-csp.md#scheduleweeklyrecurrent) diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 5ed3127e3f..a58ea71af2 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -1,7 +1,7 @@ --- title: Connectivity Policy CSP description: Learn more about the Connectivity Area in Policy CSP. -ms.date: 11/05/2024 +ms.date: 01/14/2025 --- @@ -684,6 +684,61 @@ This policy makes all configurable settings in the 'Cellular' Settings page read + +## DisableCrossDeviceResume + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/Policy/Config/Connectivity/DisableCrossDeviceResume +``` + + + + +This policy allows IT admins to turn off CrossDeviceResume feature to continue tasks, such as browsing file, continue using 1P/3P apps that require linking between Phone and PC. + +- If you enable this policy setting, the Windows device won't receive any CrossDeviceResume notification. + +- If you disable this policy setting, the Windows device will receive notification to resume activity from linked phone. + +- If you don't configure this policy setting, the default behavior is that the CrossDeviceResume feature is turned 'ON'. Changes to this policy take effect on reboot. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | CrossDeviceResume is Enabled. | +| 1 | CrossDeviceResume is Disabled. | + + + + + + + + ## DisableDownloadingOfPrintDriversOverHTTP diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index c058b8bccf..6fd24a5ef3 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1,7 +1,7 @@ --- title: DeliveryOptimization Policy CSP description: Learn more about the DeliveryOptimization Area in Policy CSP. -ms.date: 08/06/2024 +ms.date: 01/21/2025 --- @@ -34,11 +34,7 @@ ms.date: 08/06/2024 -Specifies the maximum size in GB of Delivery Optimization cache. - -This policy overrides the DOMaxCacheSize policy. - -The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk space. +Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the MaxCacheSize policy. @@ -93,7 +89,7 @@ The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the -Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. +Specifies whether the device, with an active VPN connection, is allowed to participate in P2P or not. @@ -125,8 +121,8 @@ Specifies whether the device is allowed to participate in Peer Caching while con | Name | Value | |:--|:--| | Name | AllowVPNPeerCaching | -| Friendly Name | Enable Peer Caching while the device connects via VPN | -| Element Name | Enable Peer Caching while the device connects via VPN. | +| Friendly Name | Enable P2P while the device connects via VPN | +| Element Name | Enable P2P while the device connects via VPN. | | Location | Computer Configuration | | Path | Windows Components > Delivery Optimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | @@ -156,9 +152,7 @@ Specifies whether the device is allowed to participate in Peer Caching while con -This policy allows you to set one or more Microsoft Connected Cache servers that will be used by your client(s). - -One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. +Specifies one or more Microsoft Connected Cache servers that will be used by your client(s). One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. @@ -214,17 +208,10 @@ One or more values can be added as either fully qualified domain names (FQDN) or -This policy allows you to specify how your client(s) can discover Microsoft Connected Cache servers dynamically. - -Options available are: - -0 = Disable DNS-SD. - -1 = DHCP Option 235. +Specifies how your client(s) can discover Microsoft Connected Cache servers dynamically. +1 = DHCP Option 235 2 = DHCP Option 235 Force. - -If this policy isn't configured, the client will attempt to automatically find a cache server using DNS-SD. If set to 0, the client won't use DNS-SD to automatically find a cache server. If set to 1 or 2, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured. @@ -240,10 +227,18 @@ If this policy isn't configured, the client will attempt to automatically find a |:--|:--| | Format | `int` | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-4294967295]` | | Default Value | 0 | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | DHCP Option 235. | +| 2 | DHCP Option 235 Force. | + + **Group policy mapping**: @@ -281,13 +276,7 @@ If this policy isn't configured, the client will attempt to automatically find a -This policy allows you to delay the use of an HTTP source in a background download that's allowed to use P2P. - -After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers. - -Note that a download that's waiting for peer sources, will appear to be stuck for the end user. - -The recommended value is 1 hour (3600). +For background downloads that use P2P, specifies the time to wait before starting to download from the HTTP source. @@ -311,7 +300,7 @@ The recommended value is 1 hour (3600). | Name | Value | |:--|:--| | Name | DelayBackgroundDownloadFromHttp | -| Friendly Name | Delay background download from http (in secs) | +| Friendly Name | Delay background download from http (in seconds) | | Element Name | Delay background download from http (in secs) | | Location | Computer Configuration | | Path | Windows Components > Delivery Optimization | @@ -342,7 +331,7 @@ The recommended value is 1 hour (3600). -Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. Note that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. +For background downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source. @@ -397,7 +386,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT -Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. Note that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. +For foreground downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source. @@ -452,13 +441,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT -This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that's allowed to use P2P. - -After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers. - -Note that a download that's waiting for peer sources, will appear to be stuck for the end user. - -The recommended value is 1 minute (60). +For foreground downloads that use P2P, specifies the time to wait before starting to download from the HTTP source. @@ -482,7 +465,7 @@ The recommended value is 1 minute (60). | Name | Value | |:--|:--| | Name | DelayForegroundDownloadFromHttp | -| Friendly Name | Delay Foreground download from http (in secs) | +| Friendly Name | Delay Foreground download from http (in seconds) | | Element Name | Delay Foreground download from http (in secs) | | Location | Computer Configuration | | Path | Windows Components > Delivery Optimization | @@ -513,7 +496,7 @@ The recommended value is 1 minute (60). -Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN. +Specify to disallow downloads from Microsoft Connected Cache servers when the device has an active VPN connection. By default, the button is 'Not Set'. This means the device is allowed to download from Microsoft Connected Cache when the device has an active VPN connection. To block these downloads, turn the button on to 'Enabled'. @@ -535,8 +518,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec | Value | Description | |:--|:--| -| 0 (Default) | Allowed. | -| 1 | Not allowed. | +| 0 (Default) | Not Set. | +| 1 | Enabled. | @@ -572,7 +555,7 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec -Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1. +Specifies the method that Delivery Optimization can use to download content on behalf of various Microsoft products. @@ -598,10 +581,10 @@ Specifies the download method that Delivery Optimization can use in downloads of |:--|:--| | 0 (Default) | HTTP only, no peering. | | 1 | HTTP blended with peering behind the same NAT. | -| 2 | When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. | +| 2 | HTTP blended with peering across a private group. | | 3 | HTTP blended with Internet peering. | -| 99 | Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. | -| 100 | Bypass mode. Windows 10: Don't use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. | +| 99 | HTTP only, no peering, no use of DO cloud service. | +| 100 | Bypass mode, deprecated in Windows 11. | @@ -641,11 +624,7 @@ Specifies the download method that Delivery Optimization can use in downloads of -Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to. - -Use this if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN. - -Note this is a best effort optimization and shouldn't be relied on for an authentication of identity. +Specifies an arbitrary group ID that the device belongs to. A GUID must be used. @@ -698,7 +677,7 @@ Note this is a best effort optimization and shouldn't be relied on for an authen -Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. +Specifies the source of group ID used for peer selection. @@ -722,12 +701,12 @@ Set this policy to restrict peer selection to a specific source. Available optio | Value | Description | |:--|:--| -| 0 (Default) | Unset. | +| 0 (Default) | Not Set. | | 1 | AD site. | | 2 | Authenticated domain SID. | -| 3 | DHCP user option. | -| 4 | DNS suffix. | -| 5 | Microsoft Entra ID. | +| 3 | DHCP Option ID. | +| 4 | DNS Suffix. | +| 5 | Entra ID Tenant ID. | @@ -768,8 +747,6 @@ Set this policy to restrict peer selection to a specific source. Available optio Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. - -The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. @@ -824,7 +801,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts -Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days). +Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. @@ -879,7 +856,7 @@ Specifies the maximum time in seconds that each file is held in the Delivery Opt -Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20. +Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of the available drive space. @@ -935,8 +912,6 @@ Specifies the maximum cache size that Delivery Optimization can utilize, as a pe Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. - -The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. @@ -991,7 +966,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts -Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s). +Specifies the minimum download QoS (Quality of Service) in KiloBytes/sec for background downloads. @@ -1046,11 +1021,7 @@ Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/se -Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). - -The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can download from peers while on battery regardless of this policy. - -The value 0 means "not-limited"; The cloud service set default value will be used. +Specifies the minimum battery level required for uploading to peers, while on battery power. @@ -1105,12 +1076,7 @@ The value 0 means "not-limited"; The cloud service set default value will be use -Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default value will be used. - -Recommended values: 64 GB to 256 GB. - -> [!NOTE] -> If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. +Specifies the required minimum total disk size in GB for the device to use P2P. @@ -1134,8 +1100,8 @@ Recommended values: 64 GB to 256 GB. | Name | Value | |:--|:--| | Name | MinDiskSizeAllowedToPeer | -| Friendly Name | Minimum disk size allowed to use Peer Caching (in GB) | -| Element Name | Minimum disk size allowed to use Peer Caching (in GB) | +| Friendly Name | Minimum disk size allowed to use P2P (in GB) | +| Element Name | Minimum disk size allowed to use P2P (in GB) | | Location | Computer Configuration | | Path | Windows Components > Delivery Optimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | @@ -1165,7 +1131,7 @@ Recommended values: 64 GB to 256 GB. -Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB. +Specifies the minimum content file size in MB eligible to use P2P. @@ -1189,8 +1155,8 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom | Name | Value | |:--|:--| | Name | MinFileSizeToCache | -| Friendly Name | Minimum Peer Caching Content File Size (in MB) | -| Element Name | Minimum Peer Caching Content File Size (in MB) | +| Friendly Name | Minimum P2P Content File Size (in MB) | +| Element Name | Minimum P2P Content File Size (in MB) | | Location | Computer Configuration | | Path | Windows Components > Delivery Optimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | @@ -1220,7 +1186,7 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom -Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB. +Specifies the minimum total RAM size in GB required to use P2P. @@ -1244,8 +1210,8 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example, | Name | Value | |:--|:--| | Name | MinRAMAllowedToPeer | -| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) | -| Element Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) | +| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) | +| Element Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) | | Location | Computer Configuration | | Path | Windows Components > Delivery Optimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | @@ -1275,9 +1241,7 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example, -Specifies the drive Delivery Optimization shall use for its cache. - -By default, %SystemDrive% is used to store the cache. The drive location can be specified using environment variables, drive letter or using a full path. +Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. @@ -1330,7 +1294,7 @@ By default, %SystemDrive% is used to store the cache. The drive location can be -Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit's applied if 0 is set. The default value is 5120 (5 TB). +Specifies the maximum bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. @@ -1386,8 +1350,6 @@ Specifies the maximum total bytes in GB that Delivery Optimization is allowed to Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - -The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. @@ -1445,8 +1407,6 @@ Downloads from LAN peers won't be throttled even when this policy is set. Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - -The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. @@ -1501,7 +1461,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts -Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask, 2 = Local discovery (DNS-SD). These options apply to both Download Mode LAN (1) and Group (2). +Specifies to restrict peer selection using the selected method, in addition to the DownloadMode policy. @@ -1528,7 +1488,7 @@ In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer |:--|:--| | 0 (Default) | None. | | 1 | Subnet mask. | -| 2 | Local peer discovery (DNS-SD). | +| 2 | Local discovery (DNS-SD). | @@ -1681,7 +1641,7 @@ This policy allows an IT Admin to define the following details: -This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas. +Specifies one or more keywords used to recognize VPN connections. To add multiple keywords, separate each by a comma. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index c27a142696..ba7cfacf34 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -1,7 +1,7 @@ --- title: DeviceGuard Policy CSP description: Learn more about the DeviceGuard Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 01/14/2025 --- @@ -9,6 +9,8 @@ ms.date: 01/18/2024 # Policy CSP - DeviceGuard +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -205,6 +207,70 @@ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if config + +## MachineIdentityIsolation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceGuard/MachineIdentityIsolation +``` + + + + +Machine Identity Isolation: 0 - Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. 1 - Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. 2 - Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disabled) Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. | +| 1 | (Enabled in audit mode) Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. | +| 2 | (Enabled in enforcement mode) Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Element Name | Machine Identity Isolation Configuration. | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| ADMX File Name | DeviceGuard.admx | + + + + + + + + ## RequirePlatformSecurityFeatures diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 1cf592ddff..b27018ae74 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -1,7 +1,7 @@ --- title: HumanPresence Policy CSP description: Learn more about the HumanPresence Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 01/14/2025 --- @@ -9,6 +9,8 @@ ms.date: 09/27/2024 # Policy CSP - HumanPresence +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -526,6 +528,183 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will + +## ForcePrivacyScreen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen +``` + + + + +Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | ForcedOff. | +| 1 | ForcedOn. | +| 0 (Default) | DefaultToUserChoice. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ForcePrivacyScreen | +| Path | Sensors > AT > WindowsComponents > HumanPresence | + + + + + + + + + +## ForcePrivacyScreenDim + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim +``` + + + + +Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | ForcedUnchecked. | +| 1 | ForcedChecked. | +| 0 (Default) | DefaultToUserChoice. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ForcePrivacyScreenDim | +| Path | Sensors > AT > WindowsComponents > HumanPresence | + + + + + + + + + +## ForcePrivacyScreenNotification + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification +``` + + + + +Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | ForcedUnchecked. | +| 1 | ForcedChecked. | +| 0 (Default) | DefaultToUserChoice. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ForcePrivacyScreenNotification | +| Path | Sensors > AT > WindowsComponents > HumanPresence | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 098733446d..b852afb0b4 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -1,7 +1,7 @@ --- title: Printers Policy CSP description: Learn more about the Printers Area in Policy CSP. -ms.date: 09/27/2024 +ms.date: 01/14/2025 --- @@ -11,6 +11,8 @@ ms.date: 09/27/2024 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -348,6 +350,56 @@ The following are the supported values: + +## ConfigureIppTlsCertificatePolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppTlsCertificatePolicy +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureIppTlsCertificatePolicy | +| ADMX File Name | Printing.admx | + + + + + + + + ## ConfigureRedirectionGuardPolicy diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 58d6463c97..f8ca2e1a8a 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -1,7 +1,7 @@ --- title: VPNv2 CSP description: Learn more about the VPNv2 CSP. -ms.date: 01/18/2024 +ms.date: 01/14/2025 --- @@ -863,11 +863,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa -False: Don't Bypass for Local traffic. - -True: ByPass VPN Interface for Local Traffic. - -Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. +Not supported. @@ -5160,11 +5156,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa -False: Don't Bypass for Local traffic. - -True: ByPass VPN Interface for Local Traffic. - -Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. +Not supported. diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index abe39e405a..8927c4cc29 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -1,7 +1,7 @@ --- title: VPNv2 DDF file description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider. -ms.date: 06/28/2024 +ms.date: 01/14/2025 --- @@ -1156,10 +1156,7 @@ The following XML file contains the device description framework (DDF) for the V - False : Do not Bypass for Local traffic - True : ByPass VPN Interface for Local Traffic - - Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + Not supported. @@ -4425,10 +4422,7 @@ A device tunnel profile must be deleted before another device tunnel profile can - False : Do not Bypass for Local traffic - True : ByPass VPN Interface for Local Traffic - - Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + Not supported. diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index 711bc21aea..955dee1921 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml @@ -48,7 +48,7 @@ items: href: enterprise-app-management.md - name: Manage updates href: device-update-management.md - - name: Updated Windows and Microsoft Copilot experience + - name: Updated Windows and Microsoft 365 Copilot Chat experience href: manage-windows-copilot.md - name: Manage Recall href: manage-recall.md diff --git a/windows/configuration/taskbar/pinned-apps.md b/windows/configuration/taskbar/pinned-apps.md index d2454b1e79..6f93e76b25 100644 --- a/windows/configuration/taskbar/pinned-apps.md +++ b/windows/configuration/taskbar/pinned-apps.md @@ -193,7 +193,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the - **Value:** content of the XML file > [!NOTE] -> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines*. +> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines* or *linearize*. If customizations.xml is being modified directly instead of using the WCD editor, the XML brackets need to be escaped / replaced with \< and \> entity encodings. Single and double quote characters do not need to be escaped. [!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)] diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index e816d252d7..db0c863b4a 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -294,6 +294,8 @@ items: href: update/windows-update-logs.md - name: Servicing stack updates href: update/servicing-stack-updates.md + - name: Checkpoint cumulative updates and Microsoft Update Catalog usage + href: update/catalog-checkpoint-cumulative-updates.md - name: Update CSP policies href: /windows/client-management/mdm/policy-csp-update?context=/windows/deployment/context/context - name: Update other Microsoft products diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md new file mode 100644 index 0000000000..ce4b36fd45 --- /dev/null +++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md @@ -0,0 +1,93 @@ +--- +title: Checkpoint cumulative updates and the Microsoft Update Catalog +description: This article describes how to handle checkpoint cumulative updates when you use the Microsoft Update Catalog to update devices and images. +ms.service: windows-client +ms.subservice: itpro-updates +ms.topic: conceptual +ms.author: mstewart +author: mestew +manager: aaroncz +ms.collection: + - tier2 +ms.localizationpriority: medium +appliesto: + - ✅ Windows 11, version 24H2 and later + - ✅ Windows Server 2025 and later +ms.date: 01/31/2025 +--- + +# Checkpoint cumulative updates and Microsoft Update Catalog usage + +Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates. + +## Checkpoint cumulative updates + +Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was released to manufacturing (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries. + +With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This change allows you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This change means that you can save time, bandwidth, and hard drive space. + +Going forward, Microsoft might periodically release cumulative updates as checkpoints. The subsequent updates will then consist of: +- The update package files associated with the checkpoints, and +- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint. + +This process might be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device. + +If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates. + +### Applicability + +A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive. + +### Update Windows installation media + +This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim). + +WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md). + + +## Updating from the Microsoft Update Catalog + +When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations, or in one go using Deployment Image Servicing and Management (DISM). + +### Finding prior checkpoint cumulative updates + +For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint cumulative update per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog): + + > Install each MSU file individually, in order

Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:

  • windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
  • windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
+ +Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all `.msu` files and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080). + +### Updating through checkpoint cumulative updates + +**Device has the latest checkpoint cumulative update and doesn't need customization:** + +Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target `.msu` file from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options). + +Examples of eligible devices: + +| Device is on | Needs to install| +|---|---| +|
  • The checkpoint cumulative update, 2024-09 (KB5043080)
|
  • A subsequent monthly security update like 2024-11 (KB5046617), or
  • A subsequent optional nonsecurity release like 2024-11 (KB5046740)
| +|
  • A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or
  • A subsequent monthly security update like 2024-10 (KB5044284)
|
  • A subsequent monthly security update like 2025-01 (KB5050009), or
  • A subsequent optional nonsecurity release like 2024-11 (KB5046740)
| + +**Device needs FoD or language pack customization:** + +Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs for offline media, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM. + +1. Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present. +1. Mount the install.wim file. +1. Run `DISM /add-package` with the latest `.msu` file as the sole target. +1. Run `/Cleanup-Image /StartComponentCleanup`. +1. Unmount. +1. Run `DISM /export-image` to optimize the image size, if that's important to you. + +**Device doesn't have the latest checkpoint cumulative update and doesn't need customization:** + +Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go. + +## Related articles + +- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates) +- [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) +- [How to download updates that include drivers and hotfixes from the Microsoft Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog) +- [Update Windows installation media with Dynamic Update](media-dynamic-update.md) diff --git a/windows/deployment/update/includes/checkpoint-cumulative-updates.md b/windows/deployment/update/includes/checkpoint-cumulative-updates.md new file mode 100644 index 0000000000..dd9b0e1abd --- /dev/null +++ b/windows/deployment/update/includes/checkpoint-cumulative-updates.md @@ -0,0 +1,17 @@ +--- +author: mestew +ms.author: mstewart +manager: aaroncz +ms.subservice: itpro-updates +ms.service: windows-client +ms.topic: include +ms.date: 01/31/2025 +ms.localizationpriority: medium +--- + + +Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of: +- The update package files associated with the checkpoints, and +- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint. + +Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](../catalog-checkpoint-cumulative-updates.md) for reference. diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md index 2df0fe24ef..ef01bc96d7 100644 --- a/windows/deployment/update/release-cycle.md +++ b/windows/deployment/update/release-cycle.md @@ -1,6 +1,6 @@ --- title: Update release cycle for Windows clients -description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected. +description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected. ms.service: windows-client ms.subservice: itpro-updates ms.topic: conceptual @@ -11,7 +11,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 06/04/2024 +ms.date: 01/31/2025 --- # Update release cycle for Windows clients @@ -54,6 +54,9 @@ Monthly security update releases are available through the following channels: Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment. + +[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)] + ## Optional nonsecurity preview release **Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. **Optional nonsecurity preview releases** are typically released on the fourth Tuesday of the month at 10:00 AM Pacific Time (PST/PDT). These releases are only offered to the most recent, supported versions of Windows. @@ -66,10 +69,14 @@ Many update management tools, such as [Microsoft Configuration Manager](/mem/con - LCU preview To access the optional nonsecurity preview release: -- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**. +- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**. - Use [Windows Insider Program for Business](https://insider.windows.com/for-business) - Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). + +[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)] + + ## OOB releases **Out-of-band (OOB) releases** might be provided to fix a recently identified issue or vulnerability. They're used in atypical cases when an issue is detected and can't wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. **Out-of-band (OOB) releases** are provided outside of the monthly schedule when there's an exceptional need. @@ -83,6 +90,9 @@ Some key considerations about OOB releases include: - Critical OOB releases are automatically available to WSUS and Windows Update for Business, just like the monthly security update releases. - Some OOB releases are classified as noncritical. - Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update. + + +[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)] ## Continuous innovation for Windows 11 diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 5da693649e..78f9f1690b 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.subservice: itpro-deploy -ms.date: 01/18/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -51,13 +51,13 @@ A `setupact.log` or `setuperr.log` entry includes the following elements: 1. **The date and time** - 2023-09-08 09:20:05 -1. **The log level** - Info, Warning, Error, Fatal Error +2. **The log level** - Info, Warning, Error, Fatal Error -1. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS +3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors. -1. **The message** - Operation completed successfully. +4. **The message** - Operation completed successfully. See the following example: diff --git a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md index da72341ab0..444ff9cf37 100644 --- a/windows/deployment/upgrade/resolve-windows-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-upgrade-errors.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.topic: conceptual ms.service: windows-client ms.subservice: itpro-deploy -ms.date: 01/18/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 00ae1403ff..c66b48114b 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -12,7 +12,7 @@ ms.topic: troubleshooting ms.collection: - highpri - tier2 -ms.date: 01/18/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -479,7 +479,7 @@ Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes" "FailureDetails":"Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel", "DeviceDriverInfo":null, "Remediation":[ - + ], "SetupPhaseInfo":null, "SetupOperationInfo":null diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index 48726194a2..5caad8feef 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -8,7 +8,7 @@ author: frankroj ms.localizationpriority: medium ms.topic: conceptual ms.subservice: itpro-deploy -ms.date: 01/18/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index c7251d75b2..34c5e47773 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -8,7 +8,7 @@ author: frankroj ms.localizationpriority: medium ms.topic: conceptual ms.subservice: itpro-deploy -ms.date: 01/18/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -18,7 +18,7 @@ appliesto: > [!NOTE] > -> This article is a 300 level article (moderately advanced). +> This article is a 300 level article (moderately advanced). > > See [Resolve Windows upgrade errors](resolve-windows-upgrade-errors.md) for a full list of articles in this section. diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md index 1033866907..4d1dcd205e 100644 --- a/windows/deployment/upgrade/windows-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-upgrade-paths.md @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.subservice: itpro-deploy -ms.date: 02/13/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 10 - ✅ Windows 11 diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index 9e1d97ccac..3a2a091e06 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md @@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.topic: conceptual ms.subservice: itpro-deploy -ms.date: 08/30/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md index d189141607..563fffa13b 100644 --- a/windows/deployment/usmt/migrate-application-settings.md +++ b/windows/deployment/usmt/migrate-application-settings.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 08/30/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index f0fdf74531..e69fa2a0eb 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md index 8e72361a5d..631c7b6aa6 100644 --- a/windows/deployment/usmt/offline-migration-reference.md +++ b/windows/deployment/usmt/offline-migration-reference.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -50,7 +50,7 @@ For exceptions to what can be migrated offline, see [What Does USMT Migrate?](us ## What offline environments are supported? -All currently supported +All currently supported The following table defines the supported combination of online and offline operating systems in USMT. @@ -183,9 +183,9 @@ The following XML example illustrates some of the elements discussed earlier in ```xml - C:\Windows - D:\Windows - E:\ + C:\Windows + D:\Windows + E:\ 1 diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index 3adb68387b..2994c4a929 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index 4ebf6ff55f..fe77583153 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md index 1847cce5d9..e8a0d69a2f 100644 --- a/windows/deployment/usmt/usmt-choose-migration-store-type.md +++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md index 4844937b52..71da51bdda 100644 --- a/windows/deployment/usmt/usmt-command-line-syntax.md +++ b/windows/deployment/usmt/usmt-command-line-syntax.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index 1685667185..d618b669c3 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md +++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md index c0e4682965..f77777e41f 100644 --- a/windows/deployment/usmt/usmt-configxml-file.md +++ b/windows/deployment/usmt/usmt-configxml-file.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -496,7 +496,7 @@ The following sample `Config.xml` file contains detailed examples about items th - + --> diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md index f9874a4d2f..c2a0454e4b 100644 --- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md +++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -79,7 +79,7 @@ Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the c %CSIDL_PERSONAL%\* [*.doc] - + ``` ### How does USMT process each component in an .xml file with multiple components? @@ -116,7 +116,7 @@ In the following example, mp3 files aren't excluded from the migration. The mp3 C:\* [*.mp3] - + ``` ### \ and \ rules precedence examples @@ -185,11 +185,11 @@ The destination computer contains the following files: A custom **.xml** file contains the following code: ```xml - - - c:\data\* [*] - - + + + c:\data\* [*] + + ``` For this example, the following information describes the resulting behavior if the code is added to the custom **.xml** file. diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md index 130f3031c8..c398822c63 100644 --- a/windows/deployment/usmt/usmt-custom-xml-examples.md +++ b/windows/deployment/usmt/usmt-custom-xml-examples.md @@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.topic: conceptual ms.subservice: itpro-deploy -ms.date: 01/09/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -120,7 +120,7 @@ The following sample is a custom **.xml** file named `CustomFile.xml` that migra My Video - + MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%") @@ -251,8 +251,8 @@ The behavior for this custom **.xml** file is described within the ` - - + + @@ -264,7 +264,7 @@ The behavior for this custom **.xml** file is described within the ` - + C:\*\Presentations\* [*] C:\Presentations\* [*] diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md index 8eefa733d4..00a902de28 100644 --- a/windows/deployment/usmt/usmt-customize-xml-files.md +++ b/windows/deployment/usmt/usmt-customize-xml-files.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md index bad57314e9..098c1a8a45 100644 --- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md +++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 014e48a76e..ae5b4e142e 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md index 354badb01a..72388d511e 100644 --- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md +++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md index 59234776e5..9fefd6f0b4 100644 --- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md +++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml index 666888f9d3..fb9a10a99e 100644 --- a/windows/deployment/usmt/usmt-faq.yml +++ b/windows/deployment/usmt/usmt-faq.yml @@ -11,12 +11,12 @@ metadata: ms.mktglfcycl: deploy ms.sitesec: library audience: itpro - ms.date: 01/09/2024 + ms.date: 01/29/2025 ms.topic: faq title: Frequently Asked Questions summary: | **Applies to:** - + - Windows 11 - Windows 10 @@ -30,13 +30,13 @@ sections: How much space is needed on the destination computer? answer: | The destination computer needs enough available space for the following items: - + - Operating system - + - Applications - + - Uncompressed store - + - question: | Can the files and settings be stored directly on the destination computer or is a server needed? answer: | @@ -47,13 +47,13 @@ sections: - Directly on the destination computer. To store it directly on the destination computer: - + 1. Create and share the directory `C:\store` on the destination computer. - + 1. Run the **ScanState** tool on the source computer and save the files and settings to `\\\store` - + 1. Run the **LoadState** tool on the destination computer and specify `C:\store` as the store location. - + - question: | Can data be migrated between operating systems with different languages? answer: | @@ -80,7 +80,7 @@ sections: How can a folder or a certain type of file be excluded from the migration? answer: | The **\** element can be used to globally exclude data from the migration. For example, this element can be used to exclude all MP3 files on the computer or to exclude all files from `C:\UserData`. This element excludes objects regardless of any other **\** rules that are in the **.xml** files. For an example, see **\** in the [Exclude files and settings](usmt-exclude-files-and-settings.md) article. For the syntax of this element, see [XML elements library](usmt-xml-elements-library.md). - + - question: | What happens to files that were located on a drive that don't exist on the destination computer? answer: | @@ -91,22 +91,22 @@ sections: - C:\\ is the system drive on the destination computer. the file is migrated to `C:\data\File.pst`. This behavior holds true even when **\** rules attempt to move data to a drive that doesn't exist on the destination computer. - + - name: USMT .xml Files questions: - question: | Where are there examples of USMT **.xml** files? answer: | The following articles include examples of USMT **.xml** files: - + - [Exclude files and settings](usmt-exclude-files-and-settings.md) - + - [Reroute files and settings](usmt-reroute-files-and-settings.md) - + - [Include files and settings](usmt-include-files-and-settings.md) - + - [Custom XML examples](usmt-custom-xml-examples.md) - + - question: | Can custom **.xml** files that were written for USMT 5.0 be used? answer: | @@ -121,9 +121,9 @@ sections: Why must the **.xml** files be included with both the `ScanState.exe` and `LoadState.exe` commands? answer: | The **.xml** files aren't copied to the store as in previous versions of USMT. Because the **ScanState** and **LoadState** tools need the **.xml** files to control the migration, the same set of **.xml** files must be specified for the `ScanState.exe` and `LoadState.exe` commands. If a particular set of mig\*.xml files were used in the **ScanState** tool, either called through the `/auto` option, or individually through the `/i` option, then the same option should be used to call the exact same mig\*.xml files in the **LoadState** tool. However, the `Config.xml` file doesn't need to be specified, unless files and settings that were migrated to the store need to be excluded. For example, the **Documents** folder might be migrated to the store, but not to the destination computer. To do this type of migration, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. **LoadState** migrates only the desired files and settings. - + If an **.xml** file is excluded from the `LoadState.exe` command, then all of the data in the store that was migrated with the missing **.xml** files are migrated. However, the migration rules that were specified for the `ScanState.exe` command don't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`. - + - question: | Which files can be modified and specified on the command line? answer: | @@ -133,20 +133,20 @@ sections: What happens if the **.xml** files aren't specified on the command line? answer: | - **ScanState** - + If no files are specified with the `ScanState.exe` command, all user accounts and default operating system components are migrated. - + - **LoadState** - + If no files are specified with the `LoadState.exe` command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in **.xml** files with the `ScanState.exe` command doesn't apply. For example, if a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")` is excluded, USMT doesn't reroute the files. Instead, it migrates them to `C:\data`. - + - name: Conflicts and Precedence questions: - question: | What happens when there are conflicting XML rules or conflicting objects on the destination computer? answer: | For more information, see [Conflicts and precedence](usmt-conflicts-and-precedence.md). - + additionalContent: | diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index 38b66a02b6..950371b73e 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -73,21 +73,21 @@ The XML helper functions in the [XML elements library](usmt-xml-elements-library The encoded location is composed of the node part, optionally followed by the leaf enclosed in square brackets. This format makes a clear distinction between nodes and leaves. For example, specify the file - + `C:\Windows\Notepad.exe` - + as - + **c:\\Windows\[Notepad.exe\]** - + Similarly, specify the directory - + `C:\Windows\System32` - + as - + **c:\\Windows\\System32** - + Note the absence of the **\[\]** characters in second example. The registry is represented in a similar way. The default value of a registry key is represented as an empty **\[\]** construct. For example, the default value for the `HKLM\SOFTWARE\MyKey` registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index d2cae89bc7..7c21f7e783 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md index 591b1d3804..0da69dfec4 100644 --- a/windows/deployment/usmt/usmt-how-it-works.md +++ b/windows/deployment/usmt/usmt-how-it-works.md @@ -8,7 +8,7 @@ ms.service: windows-client author: frankroj ms.topic: conceptual ms.subservice: itpro-deploy -ms.date: 01/09/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 @@ -33,7 +33,7 @@ When the **ScanState** tool runs on the source computer, it goes through the fol There are three types of components: - Components that migrate the operating system settings. - + - Components that migrate application settings. - Components that migrate users' files. diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md index c3589124d1..72231c5f35 100644 --- a/windows/deployment/usmt/usmt-how-to.md +++ b/windows/deployment/usmt/usmt-how-to.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md index feca874008..41d2a4f881 100644 --- a/windows/deployment/usmt/usmt-identify-application-settings.md +++ b/windows/deployment/usmt/usmt-identify-application-settings.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md index e5b15c352d..e46ff9f218 100644 --- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md +++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md index cedbe8d1f9..941df2cced 100644 --- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md +++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md index 736881d3b3..314590b2b7 100644 --- a/windows/deployment/usmt/usmt-identify-users.md +++ b/windows/deployment/usmt/usmt-identify-users.md @@ -9,7 +9,7 @@ author: frankroj ms.topic: conceptual ms.localizationpriority: medium ms.subservice: itpro-deploy -ms.date: 01/09/2024 +ms.date: 01/29/2025 appliesto: - ✅ Windows 11 - ✅ Windows 10 diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index f4d79a27f2..6ff87626e6 100644 --- a/windows/deployment/usmt/usmt-include-files-and-settings.md +++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -25,12 +25,12 @@ The following **.xml** file migrates a single registry key. ```xml - Component to migrate only registry value string + Component to migrate only registry value string - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent] + HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent] @@ -95,8 +95,8 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin - - + + @@ -114,7 +114,7 @@ The following **.xml** file migrates all files and subfolders of the `Engineerin - + C:\*\EngineeringDrafts\* [*] C:\EngineeringDrafts\* [*] @@ -149,7 +149,7 @@ The following **.xml** file migrates `.mp3` files located in the specified drive - + ``` ## Migrate a specific file diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index a4bf1f2eeb..30667f7873 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 04/30/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index 70f159b544..27e897b01d 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md index 39944f9a6a..8d146557a2 100644 --- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 41f319446d..2e82b3db4e 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md index b5dc3eb5fe..2084dbdd22 100644 --- a/windows/deployment/usmt/usmt-migration-store-encryption.md +++ b/windows/deployment/usmt/usmt-migration-store-encryption.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index f0023bfc0b..0e8726cf9a 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md @@ -7,7 +7,7 @@ author: frankroj ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: overview ms.collection: - highpri diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md index 20bbc09ad5..6fbc90a488 100644 --- a/windows/deployment/usmt/usmt-plan-your-migration.md +++ b/windows/deployment/usmt/usmt-plan-your-migration.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md index 0d2153bbaa..74170fceed 100644 --- a/windows/deployment/usmt/usmt-recognized-environment-variables.md +++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md @@ -7,7 +7,7 @@ ms.reviewer: kevinmi,warrenw manager: aaroncz ms.author: frankroj author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.collection: - highpri diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md index 9581170803..adeaf3c10e 100644 --- a/windows/deployment/usmt/usmt-reference.md +++ b/windows/deployment/usmt/usmt-reference.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md index 26b5f86f7a..438b71d40b 100644 --- a/windows/deployment/usmt/usmt-requirements.md +++ b/windows/deployment/usmt/usmt-requirements.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 04/30/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index f002c6d337..e7a5305f00 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -70,7 +70,7 @@ The following custom **.xml** file reroutes **.mp3** files located in the fixed - + ``` ## Reroute a specific file @@ -83,8 +83,8 @@ The following custom **.xml** file migrates the `Sample.doc` file from `C:\Engin Sample.doc into the Documents folder - - + + C:\EngineeringDrafts\ [Sample.doc] diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md index 239d7be582..6e81c92b9a 100644 --- a/windows/deployment/usmt/usmt-resources.md +++ b/windows/deployment/usmt/usmt-resources.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -23,7 +23,7 @@ appliesto: - Microsoft Visual Studio - The User State Migration Tool (USMT) XML schema (the `MigXML.xsd` file) can be used to validate the migration **.xml** files using an XML authoring tool such as Microsoft Visual Studio. - + For more information about how to use the schema with an XML authoring environment, see the environment's documentation. - [Ask the Directory Services Team blog](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS). diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 24f73b72d1..a25a4bde8e 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 04/30/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md index 1254f4fef0..d269cd7597 100644 --- a/windows/deployment/usmt/usmt-technical-reference.md +++ b/windows/deployment/usmt/usmt-technical-reference.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index 57767aecf4..4b1d005a41 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md index e3be3d8fd0..56ee8a1868 100644 --- a/windows/deployment/usmt/usmt-topics.md +++ b/windows/deployment/usmt/usmt-topics.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md index 3e85b84a37..3ca79322a4 100644 --- a/windows/deployment/usmt/usmt-troubleshooting.md +++ b/windows/deployment/usmt/usmt-troubleshooting.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md index 20c70db094..bef1f41088 100644 --- a/windows/deployment/usmt/usmt-utilities.md +++ b/windows/deployment/usmt/usmt-utilities.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index e03e8db9c0..56cee12f98 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/18/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index a4694c75a9..fc41899980 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: @@ -95,7 +95,7 @@ The following example is from the `MigApp.xml` file: %HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang] DWORD 00000000 - + ``` ## \ @@ -127,7 +127,7 @@ The following example is from the `MigApp.xml` file: %HklmWowSoftware%\Microsoft\Office\16.0\Common\Migration\Office [Lang] DWORD 00000000 - + ``` ## \ @@ -1070,10 +1070,10 @@ Example: - DOC @@ -1126,18 +1126,18 @@ Syntax: For example, to migrate all \*.doc files from the source computer, specifying the following code under the **\** element: ```xml - - doc - + + doc + ``` is the same as specifying the following code below the **\** element: ```xml - - - - + + + + ``` @@ -1202,7 +1202,7 @@ The following example is from the `MigUser.xml` file: %CSIDL_MYVIDEO% - + MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%") @@ -1702,11 +1702,11 @@ The following example is from the `MigUser.xml` file: %CSIDL_MYMUSIC% - + MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%") - + @@ -1846,11 +1846,11 @@ The following example is from the `MigUser.xml` file. For more examples, see the %CSIDL_STARTMENU% - + MigXmlHelper.DoesObjectExist("File","%CSIDL_STARTMENU%") - + @@ -1901,11 +1901,11 @@ The following example is from the `MigUser.xml` file: %CSIDL_MYMUSIC% - + MigXmlHelper.DoesObjectExist("File","%CSIDL_MYMUSIC%") - + @@ -1969,7 +1969,7 @@ Examples: To migrate the Sample.doc file from any drive on the source computer, use **\** as follows. If multiple files exist with the same name, all such files get migrated. ```xml - + ``` For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md). @@ -2171,7 +2171,7 @@ For example: ```xml - %CSIDL_COMMON_APPDATA%\QuickTime + %CSIDL_COMMON_APPDATA%\QuickTime ``` @@ -2204,7 +2204,7 @@ The following **.xml** file excludes all `.mp3` files from migration. For additi - + diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md index 3b1f32fc27..21d2195393 100644 --- a/windows/deployment/usmt/usmt-xml-reference.md +++ b/windows/deployment/usmt/usmt-xml-reference.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md index 818a24659e..f611d55175 100644 --- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md +++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index 7d1969ad11..8b1d97b433 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 01/29/2025 ms.topic: conceptual ms.subservice: itpro-deploy appliesto: diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index 026f05bd13..d92f402704 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md @@ -40,9 +40,9 @@ VBS must be turned on for a device to be offered Hotpatch updates. For informati ### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) -This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, set the following registry key: -Path: `**HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management**` -Key value: `**HotPatchRestrictions=1**` +This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, create and/or set the following DWORD registry key: +Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management` +DWORD key value: HotPatchRestrictions=1 > [!IMPORTANT] > This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices. diff --git a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md index 23d40c8440..f2ebb636f5 100644 --- a/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md +++ b/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol.md @@ -49,7 +49,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - texttransform.exe - visualuiaverifynative.exe - system.management.automation.dll -- webclnt.dll/davsvc.dll +- webclnt.dll/davsvc.dll3 - wfc.exe - windbg.exe - wmic.exe @@ -62,6 +62,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you 2 If you're using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. Otherwise, we recommend that you block msbuild.exe. +3 If you block WebDAV DLLs, we recommend that you also disable the **WebClient** service using a group policy or MDM policies. + * Microsoft recognizes the efforts of people in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
diff --git a/windows/security/docfx.json b/windows/security/docfx.json index e0cd0064c8..eebfabaaa0 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -142,9 +142,10 @@ "✅ Windows Server 2019", "✅ Windows Server 2016" ], - "application-security/application-control/windows-defender-application-control/**/*.md": [ + "application-security/application-control/app-control-for-business/**/*.md": [ "✅ Windows 11", "✅ Windows 10", + "✅ Windows Server 2025", "✅ Windows Server 2022", "✅ Windows Server 2019", "✅ Windows Server 2016" diff --git a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md index bc28fecee5..305932af9b 100644 --- a/windows/security/identity-protection/hello-for-business/rdp-sign-in.md +++ b/windows/security/identity-protection/hello-for-business/rdp-sign-in.md @@ -1,7 +1,7 @@ --- title: Remote Desktop sign-in with Windows Hello for Business description: Learn how to configure Remote Desktop (RDP) sign-in with Windows Hello for Business. -ms.date: 06/11/2024 +ms.date: 01/27/2025 ms.topic: how-to --- diff --git a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md index 9bc006a4e0..3d3f9622e0 100644 --- a/windows/security/identity-protection/passwordless-strategy/journey-step-3.md +++ b/windows/security/identity-protection/passwordless-strategy/journey-step-3.md @@ -2,7 +2,7 @@ title: Transition into a passwordless deployment description: Learn about how to transition into a passwordless deployment, the third step of the Microsoft passwordless journey. ms.topic: concept-article -ms.date: 10/29/2024 +ms.date: 01/30/2025 --- # Transition into a passwordless deployment @@ -123,7 +123,7 @@ function Generate-RandomPassword{ $NewPassword = ConvertTo-SecureString -String (Generate-RandomPassword) -AsPlainText -Force -Set-ADAccountPassword -identity $userId -NewPassword $NewPassword -Reset +Set-ADAccountPassword -identity $samAccountName -NewPassword $NewPassword -Reset ``` If your organizational policies allow it, you can configure the randomized passwords to never expire, or use a long expiration period. This configuration prevents the user from being prompted to change their password. diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md index 05f61ccf78..75939e36c9 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md @@ -16,16 +16,7 @@ The Security Compliance Manager (SCM) is now retired and is no longer supported. More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures). -### Where can I get an older version of a Windows baseline? - -Any version of Windows baseline before Windows 10, version 1703, can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT. - -- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10)) -- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx) -- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx) -- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx) - -### What file formats are supported by the new SCT? +### What file formats are supported by the SCT? The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' `.cab` files are no longer supported. @@ -56,16 +47,16 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t | Name | Build | Baseline Release Date | Security Tools | |--|--|--|--| +| Windows Server 2025 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733) | January 2025 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | | Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | | Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | | Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | ### Microsoft products | Name | Details | Security Tools | |--|--|--| -| Microsoft 365 Apps for enterprise, version 2306 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Microsoft 365 Apps for enterprise, version 2412 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2412/4357320) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | | Microsoft Edge, version 128 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-128/ba-p/4237524) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | ## Related articles diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md index ced5288d21..3556919a26 100644 --- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -23,18 +23,16 @@ The Security Compliance Toolkit consists of: - Windows 10 security baselines - Windows 10, version 22H2 - Windows 10, version 21H2 - - Windows 10, version 20H2 - Windows 10, version 1809 - Windows 10, version 1607 - Windows 10, version 1507 - Windows Server security baselines + - Windows Server 2025 - Windows Server 2022 - Windows Server 2019 - Windows Server 2016 - - Windows Server 2012 R2 - Microsoft Office security baseline - - Office 2016 - - Microsoft 365 Apps for Enterprise Version 2206 + - Microsoft 365 Apps for Enterprise Version 2412 - Microsoft Edge security baseline - Microsoft Edge version 128 - Tools diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index c2a7ae57a8..2fc0efca6e 100644 --- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -1,7 +1,7 @@ --- title: How to configure cryptographic settings for IKEv2 VPN connections description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index daf7f89f5d..9a4865a98c 100644 --- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -1,7 +1,7 @@ --- title: How to use single sign-on (SSO) over VPN and Wi-Fi connections description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md index 539eeaeda6..26a2c22a06 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md @@ -1,7 +1,7 @@ --- title: VPN authentication options description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: concept-article --- @@ -80,14 +80,3 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil :::image type="content" source="images/vpn-eap-xml.png" alt-text="Screenshot showing EAP XML configuration in Intune profile."::: -## Related topics - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) -- [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md index 85b51dd4d1..53c870afc0 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md @@ -1,7 +1,7 @@ --- title: VPN auto-triggered profile options description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- @@ -77,14 +77,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien The following image shows associating apps to a VPN connection in a VPN Profile configuration policy using Microsoft Intune. :::image type="content" source="images/vpn-app-trigger.png" alt-text="Creation of VPN profile in Intune: application association options." lightbox="images/vpn-app-trigger.png"::: - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md index 8fa4ab6725..9702c4afee 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md @@ -1,7 +1,7 @@ --- title: VPN and conditional access description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- @@ -19,7 +19,7 @@ Conditional Access Platform components used for Device Compliance include the fo - [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional) - Microsoft Entra Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by a Microsoft Entra ID-based Certificate Authority (CA). A Microsoft Entra CA is essentially a mini-CA cloud tenant in Azure. The Microsoft Entra CA can't be configured as part of an on-premises Enterprise CA. See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy). -- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued. +- Microsoft Entra ID-issued short-lived certificates - When a VPN connection attempt is made, the Microsoft Entra Token Broker on the local device communicates with Microsoft Entra ID, which then checks for health based on compliance rules. If compliant, Microsoft Entra ID sends back a short-lived certificate that is used to authenticate the VPN. Certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Microsoft Entra ID for health validation before a new certificate is issued. - [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. - Antivirus status - Auto-update status and update compliance @@ -35,7 +35,7 @@ The following client-side components are also required: ## VPN device compliance -At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section. +At this time, the Microsoft Entra certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the `` section. Server-side infrastructure requirements to support VPN device compliance include: @@ -60,8 +60,8 @@ Two client-side configuration service providers are leveraged for VPN device com - Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification > [!NOTE] -> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This will enable the user to access on-premises resources. -> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero). +> It's required that certificates used for obtaining Kerberos tickets to be issued from an on-premises CA, and that SSO to be enabled in the user's VPN profile. This allows the user to access on-premises resources. +> In the case of Microsoft Entra joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from Microsoft Entra in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client doesn't cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero). ## Client connection flow @@ -71,7 +71,7 @@ The VPN client side connection flow works as follows: When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow: -1. The VPN client calls into Windows 10's or Windows 11's Microsoft Entra Token Broker, identifying itself as a VPN client. +1. The VPN client calls into Windows 10 or Windows 11 Microsoft Entra Token Broker, identifying itself as a VPN client. 1. The Microsoft Entra Token Broker authenticates to Microsoft Entra ID and provides it with information about the device trying to connect. The Microsoft Entra Server checks if the device is in compliance with the policies. 1. If compliant, Microsoft Entra ID requests a short-lived certificate. 1. Microsoft Entra ID pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing. @@ -92,14 +92,3 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3) - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4) - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md index 7199978f6c..0c0b47c65c 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md @@ -1,7 +1,7 @@ --- title: VPN connection types description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: concept-article --- @@ -46,13 +46,3 @@ In Intune, you can also include custom XML for non-Microsoft plug-in profiles: > [!div class="mx-imgBorder"] > ![Custom XML.](images/vpn-custom-xml-intune.png) -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md index 3233517baa..c1c9ac3826 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md @@ -1,7 +1,7 @@ --- title: Windows VPN technical guide description: Learn how to plan and configure Windows devices for your organization's VPN solution. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: overview --- diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md index 666f60d6c1..36074af74a 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md @@ -1,7 +1,7 @@ --- title: VPN name resolution description: Learn how name resolution works when using a VPN connection. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: concept-article --- @@ -58,14 +58,3 @@ The fields in **Add or edit DNS rule** in the Intune profile correspond to the X | **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** | | **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** | | **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** | - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md index aced17dd8e..02b7c5daff 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md @@ -2,7 +2,7 @@ title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client ms.topic: how-to -ms.date: 05/06/2024 +ms.date: 01/27/2025 --- # Optimize Microsoft 365 traffic for remote workers with the Windows VPN client diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md index 4fdbb86971..43f5802163 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md @@ -1,7 +1,7 @@ --- title: VPN profile options description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: how-to --- @@ -316,13 +316,3 @@ After you configure the settings that you want using ProfileXML, you can create - [VPNv2 configuration service provider (CSP) reference](/windows/client-management/mdm/vpnv2-csp) - [How to Create VPN Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/dn261200(v=technet.10)) -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md index e5f0bc3f68..6bbae9aa58 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md @@ -1,5 +1,5 @@ --- -ms.date: 05/06/2024 +ms.date: 01/27/2025 title: VPN routing decisions description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations. ms.topic: concept-article @@ -43,14 +43,3 @@ When you configure a VPN profile in Microsoft Intune, you can enable split tunne ![split tunnel.](images/vpn-split.png) Once enabled, you can add the routes that should use the VPN connection. - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md index 0ca87d7370..2e53eeeae5 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md @@ -1,7 +1,7 @@ --- title: VPN security features description: Learn about security features for VPN, including LockDown VPN and traffic filters. -ms.date: 05/06/2024 +ms.date: 01/27/2025 ms.topic: concept-article --- @@ -55,14 +55,3 @@ A VPN profile configured with LockDown secures the device to only allow network > [!CAUTION] > Be careful when deploying LockDown VPN, as the resultant connection won't be able to send or receive any network traffic without the VPN connection being established. - -## Related articles - -- [VPN technical guide](vpn-guide.md) -- [VPN connection types](vpn-connection-type.md) -- [VPN routing decisions](vpn-routing.md) -- [VPN authentication options](vpn-authentication.md) -- [VPN and conditional access](vpn-conditional-access.md) -- [VPN name resolution](vpn-name-resolution.md) -- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN profile options](vpn-profile-options.md)